Article 45, Data access applications, Articles of the European Health Data Space (EHDS), (Proposal_3.5.2022)
1. Any natural or legal person may submit a data access application for the purposes referred to in Article 34.
2. The data access application shall include:
(a) a detailed explanation of the intended use of the electronic health data, including for which of the purposes referred to in Article 34(1) access is sought;
(b) a description of the requested electronic health data, their format and data sources, where possible, including geographical coverage where data is requested from several Member States;
(c) an indication whether electronic health data should be made available in an anonymised format;
(d) where applicable, an explanation of the reasons for seeking access to electronic health data in a pseudonymised format;
(e) a description of the safeguards planned to prevent any other use of the electronic health data;
(f) a description of the safeguards planned to protect the rights and interests of the data holder and of the natural persons concerned;
(g) an estimation of the period during which the electronic health data is needed for processing;
(h) a description of the tools and computing resources needed for a secure environment.
3. Data users seeking access to electronic health data from more than one Member State shall submit a single application to one of the concerned health data access bodies of their choice which shall be responsible for sharing the request with other health data access bodies and authorised participants in HealthData@EU referred to in Article 52, which have been identified in the data access application. For requests to access electronic health data from more than one Member States, the health data access body shall notify the other relevant health data access bodies of the receipt of an application relevant to them within 15 days from the date of receipt of the data access application.
4. Where the applicant intends to access the personal electronic health data in a pseudonymised format, the following additional information shall be provided together with the data access application:
(a) a description of how the processing would comply with Article 6(1) of Regulation (EU) 2016/679;
(b) information on the assessment of ethical aspects of the processing, where applicable and in line with national law.
5. For the implementation of the tasks referred to in Article 37(1), points (b) and (c), the public sector bodies and the Union institutions, bodies, offices and agencies shall provide the same information as requested under Article 45(2), except for point (g), where they shall submit information concerning the period for which the data can be accessed, the frequency of that access or the frequency of the data updates.
Where the public sector bodies and the Union institutions, bodies, offices and agencies intend to access the electronic health data in pseudonymised format, a description of how the processing would comply with Article 6(1) of Regulation (EU) 2016/679 or Article 5(1) of Regulation (EU) 2018/1725, as applicable, shall also be provided.
6. The Commission may, by means of implementing acts, set out the templates for the data access application referred to in this Article, the data permit referred to in Article 46 and the data request referred to in Article 47. Those implementing acts shall be adopted in accordance with the procedure referred to in Article 68(2).
7. The Commission is empowered to adopt delegated acts in accordance with Article 67 to amend the list of information in paragraphs 2, 4, 5 and 6 of this Article, to ensure the adequacy of the list for processing a data access application at national or cross-border level.