Adopted 23
86. Second, in the light of the observations made above and despite the wording contained in Recital 37
of the Proposal, the EDPB and the EDPS consider that the Proposal requires further improvements to
ensure compliance with Article 9 GDPR.
87. Indeed, the purposes for which electronic health data may be processed for secondary use under
Article 34(1) of the Proposal contain several types of secondary use, which would fall under different
categories of grounds for exception foreseen in Article 9(2) GDPR. However, the EDPB and the EDPS
consider that this is not reflected in the criteria according to which the health data access bodies
should assess and decide on data applications (Article 45 of the Proposal) in order to issue a data
access permit (Article 46 of the Proposal). The EDPB and the EDPS, to this end, highlight that the
criteria provided for in this regard by Article 46 of the Proposal are restricted to the provisions and
principles of this Proposal and lack clarity as to the way in which such provisions relate to the principles
and provisions of the GDPR, and in particular to Article 9(2) GDPR.
88. In addition to what mentioned above, the EDPB and the EDPS seek for specific clarification on how
and in which cases Article 9(2)(j) GDPR would be applicable in cases of processing health data for
‘purposes in the public interest, scientific or historical research purposes or statistical purposes’ (based
on Union law or MS law) and ‘appropriate safeguards’ as required under Article 89(1) GDPR.
89. Third, the EDPB and the EDPS consider how this exception, construed by means of Union law, to Article
9(2) GDPR, may be reconciled with Article 9(4) GDPR and the possibility for Member State law to
introduce further conditions, including limitations with regard to the processing of genetic data,
biometric data or data concerning health. In this regard, the EDPB and the EDPS consider that the
Proposal could clarify how the exception to Article 9(1) GDPR, stemming from the Proposal but as yet
not being explicitly specified in any of the provisions of the Proposal, intend to reconcile with all
different national Member States’ laws.
90. As a result, the EDPB and the EDPS call for the Proposal to ensure full compatibility with Article 9(2)
GDPR and in particular with regards to its application to the purposes listed in Article 34(1)(f) and
(g) of the Proposal. Moreover, the EDPB and the EDPS also recommend to amend Article 46 of the
Proposal accordingly, in order to properly integrate and reflect the differences in the goals and
requirements for the secondary use of electronic health data.
91. With regard to the minimum categories of electronic health data for secondary use, the EDPB and
the EDPS note that, under Article 33(1) of the Proposal, a legal obligation is construed, according to
which data holders, by means of Union Law, shall make available specific categories of electronic
health data for secondary use. The EDPB and the EDPS note that Article 41(1) of the Proposal indicates
that this (new) legal obligation complements any other legal obligation (already) foreseen in other
Union law or national legislation implementing Union law. As indicated in Recital 37 of the Proposal,
the EDPB and the EDPS note that Article 33(1) of the Proposal would serve as legal ground under
Article 6(1)(c) GDPR and would also provide for an exception to the prohibition in Article 9(1) GDPR
for the data holder to process (thus make available and provide) personal electronic health data. In
this regard, while the EDPB and the EDPS acknowledge that such legal obligation for data holders – in
principle - fits into the system of the GDPR, may result in legal uncertainty.
92. In this regard, Article 33(5) of the Proposal provides that “[w]here the consent of the natural person is
required by national law, health data access bodies shall rely on the obligations laid down in this
Chapter to provide access to electronic health data”. The EDPB and the EDPS firstly consider that the
type of ‘consent-requirements’ in national law the provision refers to are unclear. In particular, the
EDPB and the EDPS underline the lack of clarity as to what step in the procedure foreseen in the