On 19 March 2026, the Court of Justice of the European Union (CJEU or Court) issued its judgment in Case C-526/24, Brillen Rottler GmbH & Co. KG v TC. The case concerned a data subject who subscribed to a German optician’s newsletter and, thirteen days later, submitted an access request under Article 15 GDPR. The company refused the request, arguing it was abusive. The data subject maintained it was legitimate and claimed at least €1.000 in non-material damages.

The CJEU’s judgment addresses three questions of broad significance: (1) when a first access request can be refused as “excessive”; (2) whether a violation of the right of access alone can give rise to a compensation claim under Article 82 GDPR; and (3) how non-material damage should be assessed in that context. While the judgment is relevant to all companies subject to the GDPR, we examine below the considerations it raises for life sciences companies specifically.

Continue Reading CJEU rules on GDPR access rights and abuse of rights: what the Brillen Rottler judgment means for life sciences companies

On 16 December 2025, the European Commission published its Proposal for a Regulation establishing a framework of measures for strengthening the EU’s biotechnology and biomanufacturing sectors, particularly in the area of health (the “European Biotech Act” or the “Proposal”). The Proposal is ambitious in scope: it amends several major pieces of EU health legislation, including the Clinical Trials Regulation (“CTR”), the Veterinary Medicines Regulation, the Food Law Regulation and the Substances of Human Origin Regulation (“SoHO”), while also introducing a new framework for EU strategic projects, AI-enabled biotechnology, and biodefence.

On 10 March 2026, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) adopted Joint Opinion 3/2026 on the Proposal (the “Joint Opinion”). While broadly supportive of the Proposal’s objectives, the EDPB and EDPS identified a number of significant data protection concerns, and issued recommendations. Although not legally binding, the Joint Opinion carries significant weight as it reflects the views of the EU’s primary data protection authorities and will directly shape the legislative debate ahead.

In this blog we examine the key data protection implications of the Proposal and the Joint Opinion for pharma and life sciences companies.

Continue Reading EDPB/EDPS Joint Opinion on the European Biotech Act Proposal: Key Data Protection Implications for Pharma and Life Sciences

On 19 November 2025, the European Commission published two legislative proposals – the Digital Omnibus on AI Regulation Proposal and the broader Digital Omnibus Regulation Proposal (“Proposals”) – as part of a wider initiative to simplify and streamline the EU’s digital regulatory framework. Together, the Proposals introduce targeted but significant amendments across a broad range of instruments, including the EU AI Act (Regulation (EU) 2024/1689), the GDPR (Regulation (EU) 2016/679), the ePrivacy Directive (2002/58/EC), the NIS2 Directive ((EU) 2022/2555), and the EU Data Act (Regulation (EU) 2023/2854).

Continue Reading EU Digital Omnibus: What the Proposed Reforms Mean for Pharma and MedTech

The EU Commission has published its proposal for the “Digital Omnibus”, which aims to simplify and streamline the EU rules governing artificial intelligence, data protection, cybersecurity, and data use more broadly. The proposal seeks to amend several cornerstone EU regulations, including Regulation (EU) 2016/679 (GDPR), Regulation (EU) 2024/1689 (AI Act), Regulation (EU) 2023/2854 (Data Act), Directive 2002/58/EC (e-Privacy Directive) and Directive (EU) 2022/2555 (NIS2). The proposal also foresees the repeal of the fairly recent Regulation (EU) 2022/868 (Data Governance Act).

Below is a high-level snapshot of the proposal, ahead of a more detailed advisory we will publish.

The proposal will now move through what is expected to be a challenging legislative procedure, with policy and political discussions in the European Parliament and the Council.

Below we set out a quick overview of the most relevant elements for companies, including medical device manufacturers and other Life Sciences companies – e.g., changes to the AI Act, updates to the GDPR, reform of the EU cookie and tracking rules, data-sharing rules, and the new single entry point for reporting cybersecurity and data protection incidents.

Continue Reading Digital Omnibus: The European Commission published its proposal to amend the GDPR, AI Act, Data Act and other related frameworks

On 4 September 2025, the Court of Justice of the European Union (“CJEU”) delivered a notable judgment on what is considered pseudonymised personal data under EU data protection law. While, technically speaking, the judgment concerns the interpretation of Regulation (EU) 2018/1725 (which governs the processing of personal data by the EU institutions and bodies), it fully applies to the interpretation of the concepts of personal data and pseudonymised data under Regulation (EU) 2016/679 (“GDPR”).

This question is essential for many companies operating in the EU, and in particular Life Sciences companies handling key-coded or otherwise pseudonymised patients’ personal data in the context of research and development, supply of healthcare products and related safety monitoring.

Continue Reading CJEU clarifies the concept of pseudonymised data

On 21 May 2025, the European Commission published its Proposal for a Regulation (“Proposal”), amending several existing regulations, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), to simplify obligations for small and medium-sized enterprises (“SMEs”) and extend certain mitigating measures to small mid-cap enterprises (“SMCs”).

Continue Reading Proposed GDPR Simplifications for SMEs and SMCs

The European Data Protection Board (EDPB) has published a study on how personal health data is and/or can be reused for scientific research in the EU under the EU General Data Protection Regulation (GDPR). The study highlights the related practical challenges due to divergent interpretations of the GDPR and national rules across EU Member States.

The key conclusions of the study are set out below:

Continue Reading European Data Protection Board publishes study on secondary use of personal health data for scientific research

Clinical research studies within the NHS in England and Wales require Health Research Authority (HRA) approval, which brings together the HRA’s assessment of governance and legal compliance with the independent ethical opinion by a Research Ethics Committee (REC). The HRA has recently changed the requirements for the UK GDPR transparency wording in new health and social care research applications submitted via the Integrated Research Application System (IRAS). The HRA had previously provided a review service for sponsors’ GDPR transparency statements. In October last year, the HRA communicated its updated GDPR template to all sponsors. The new HRA template was developed to ensure that research participants have all the information that they need to make an informed decision about the ways in which their personal data can be used during a clinical trial.

Continue Reading UK Health Research Authority GDPR wording template to be used from 1 April

In the last month, both the European Data Protection Board (“EDPB”) and the Court of Justice of the European Union (“CJEU”) provided their interpretation of key data protection concepts that are crucial for ensuring compliance with Regulation (EU) 2016/679 (“GDPR”).

In Opinion 22/2024, the EDPB provided guidance to data controllers on how to effectively oversee the activities of their (sub-)processors in a GDPR-compliant manner. The opinion was requested by the Danish data protection authority and is likely related to the enforcement actions against Danish hospitals which allegedly failed to oversee processors (see our blog – https://www.biosliceblog.com/2024/02/proposed-fine-against-danish-hospital-for-failure-to-supervise-data-processors/).

In early October, the CJEU provided an answer to a key question raised by the courts in the Netherlands: can the legitimate interests legal basis be used for processing of personal data for commercial purposes (e.g., sharing with third parties for advertising and promotion)? (Case C‑621/22)

Continue Reading Notable developments in the interpretation of key GDPR concepts – why should Life Sciences companies care?

This digest covers key virtual and digital health regulatory and public policy developments during February 2024.

Of note, the UK continues to pursue a “pro innovation” flexible approach to the regulation of AI. As outlined in the UK government’s response to the public consultation, the government will develop a set of core principles for regulating AI, while leaving regulatory authorities, like the Medicines and Healthcare products Regulatory Agency (MHRA), discretion over how the principles apply in their respective sectors. A central governmental function will coordinate regulation across sectors and encourage collaboration. The government’s aim with this approach is to enable the UK to remain flexible to address the changing AI landscape, while being robust enough to address key concerns. This is in sharp contrast to the position in the EU, where the EU AI Act is reaching the conclusion of the legislative process.

Continue Reading Virtual and Digital Health Digest, March 2024