The General Data Protection Regulation (GDPR) recognises data concerning health as a special category of data and provides a definition for health data for data protection purposes. Though the innovative principles introduced by the GDPR (privacy by design or the prohibition of discriminatory profiling) remain relevant and applicable to health data as well, specific safeguards for personal health data and for a definitive interpretation of the rules that allows an effective and comprehensive protection of such data have now been addressed by the GDPR. Processes that foster innovation and better quality healthcare, such as clinical trials or mobile health, need robust data protection safeguards in order to maintain the trust and confidence of individuals in the rules designed to protect their data.



2009 Annual Report - A year of major importance for the fundamental right to data protection

The report shows that 2009 was of major importance for the fundamental right to data protection.

This is due to a number of key developments: the entering into force of the Lisbon Treaty, ensuring a strong legal basis for comprehensive data protection in all areas of EU policy; the start of a public consultation on the future of the EU legal framework for data protection; and the adoption of a new five-year policy programme for the area of freedom, security and justice ("Stockholm Programme") with the emphasis on the importance of data protection in this area.

The EDPS has been highly involved in these fields and is determined to pursue this course in the near future. 

You can obtain a paper version of this Annual Report on EU Bookshop

Full text of the Annual Report:
Available languages: German, English, Spanish, French, Italian, Polish
Available languages: Bulgarian, Czech, Danish, German, Estonian, Greek, English, Spanish, French, Irish, Italian, Latvian, Lithuanian, Hungarian, Maltese, Dutch, Polish, Portuguese, Romanian, Slovak, Slovenian, Finnish, Swedish

EudraVigilance database - EMEA

Opinion of 7 September 2009 on a notification for prior checking regarding the EudraVigilance database (Case 2008-402)

EMEA manages the EudraVigilance database whose originates from National Competent Authorities, Market Authorization Holders and sponsors of clinical trials.  The purpose of the database is to evaluate suspected adverse reactions to medicinal products for human use. The EDPS considers that the processing is lawful to the extent that EMEA follows the recommendations included in the Opinion, particularly those regarding the data quality principle.

The EDPS recommended, among others, that EMEA:

  • Engages in an examination of the possibility to minimize the personal data recorded in ICRs as well as of the possibility to anonymise or pseudoanonymise personal information contained in ICRs;
  • Considers whether a  limited conservation period would fulfill the purposes sought by the data processing;
  • Adopts the security measures described in this Opinion.
Available languages: English, French


Opinion on the proposals for a Regulation and for a Directive on pharmacovigilance, OJ C 229, 23.09.2009, p. 19