Navigating the European Health Data Space Regulation: An (Uneasy) Marriage Between EHDS and GDPR (April 2026, Part 2)

The European Health Data Space Regulation (EHDS Regulation) took effect on March 26, 2025. Most of its secondary use provisions will apply from March 2029, and implementation at EU and Member State level will have to take place between 2027 and 2035. Health data represents over 30% of the world’s data assets, yet less than 3% is utilized for secondary purposes such as research, regulatory, or public health purposes, a persistent “data-to-value” gap. This update examines how the EHDS Regulation seeks to close that gap by introducing a more prescriptive legal framework for access to health data for (certain) secondary use purposes whilst still aligning with requirements under EU privacy law; and what life sciences companies should be doing now to anticipate such secondary use obligations, data access requests, and opportunities.

This blog is Part 2 in a dedicated series of blogs exploring the implementation of the EHDS Regulation, with a particular focus on secondary use obligations. Part 1 is available here.

As the EHDS Regulation begins to take shape alongside the well-established framework of the General Data Protection Regulation (GDPR), industry stakeholders find themselves navigating an increasingly complex regulatory landscape with uncertain risks on the horizon – and often with more questions than answers. While the EHDS Regulation promises to unlock the value of health data and strengthen patient rights, the pace of official guidance and clarification has left many organizations frustrated, slowing momentum at a time when strategic direction is needed.

Yet this uncertainty need not translate into inaction. A growing body of existing GDPR experience, coupled with upcoming EHDS consultations and (very slowly) emerging practices, offers companies a practical foundation to begin preparing for EHDS requirements. By taking a pragmatic, forward-looking approach now, organizations can move toward early adoption – positioning themselves not only for compliance, but for long-term competitive advantage as the European health data ecosystem evolves.

This blog post focuses on the intersection between the EHDS and the GDPR, and it sets out:

  1. How does the EHDS Regulation balance effective data access for secondary use with GDPR requirements?

The EHDS Regulation establishes a legal framework allowing certain parties – so-called ‘data users’ – to request access to electronic health data (EHD) controlled by so-called ‘data holders’ – subject to specific conditions. The Commission’s updated Frequently Asked Questions (FAQs) confirm that obligations under the EHDS Regulation “do not apply to health data holders established in non-EU countries unless they have an established presence in the EU.” The example of a non-EU-based sponsor of an EU clinical trial is given: “In such cases, the responsibility for complying with the EHDS obligations would fall on the EU-based establishment acting as controller or joint controller of the data. In the case of multinational companies, the entity controlling the means and purpose of processing the data will be considered the controller in accordance with the GDPR; consequently, it will be bound by the EHDS rules on data holders.” In other words, whilst the non-EU-based sponsor may not be directly subject to the EHDS Regulation, the entity operating the EU trial site may be (i.e., assuming they are a controller – which is not always the case) and therefore, the EHD of the non-EU-based sponsor may in any event fall within scope.

Where the EHD constitutes ‘personal data’, access to and processing of this EHD will also be subject to the requirements of the GDPR. To ensure compliance with the GDPR and the protection of data subjects’ rights, the EHDS Regulation introduces several procedural and substantive safeguards governing requests from data users to access EHD for secondary use purposes. These include the following:

  1. Permitted purposes. Access to EHD can only be requested for specific secondary use purposes as listed in the EHDS Regulation. These include, for example, public health, education, and scientific research purposes. Certain secondary uses are explicitly prohibited, including advertising and marketing, or developing products that could harm individuals or society.
  2. Application process. Organizations seeking access to EHD must typically submit a formal application to a Health Data Access Body (HDAB). The application must, amongst other things, specify the categories of EHD requested, the intended purposes, and details of the safeguards to be implemented. Importantly, applicants must also state whether they seek access to anonymized or pseudonymized data. If the latter, they must also provide a detailed description of how they intend to comply with the GDPR when processing the pseudonymized data. However, as highlighted in the European Data Protection Board’s (EDPB) report on the stakeholder event on anonymization and pseudonymization (Report), significant uncertainty remains around these concepts. Forthcoming EDPB guidance is expected to clarify their interpretation and help companies apply them in the context of the EHDS Regulation.
  3. HDAB review. Before granting access to a data user, the HDAB will assess whether the envisaged processing has a legal basis under Article 6 GDPR. The HDAB will also assess whether the applicant has the appropriate expertise for the intended purpose (e.g., relevant qualifications in the case of scientific research).
  4. Data permits and secure access. The HDAB has up to three months to either grant or refuse a data permit in response to a request. If granted, the data permit will set out the conditions for use, including the categories and format of the EHD, purpose limitations, the identity of authorized users, and the duration of access. EHD will then be made available through a secure processing environment that meets strict security requirements under the EHDS Regulation.
  5. Opt-out rights. The EHDS Regulation also gives individuals the right to opt out of the secondary use of their EHD (subject to limited exemptions to be established at a Member State level). As confirmed by the updated Commission FAQs, once an individual has opted out of secondary use under the EHDS Regulation, their personal EHD cannot be processed in response to any new data permits or requests approved after the date on which they exercised their right to opt out. However, this does not affect the processing under permits or for generating replies to data requests approved before that date. The FAQs also confirm that the right will not apply where the data holder “cannot identify a natural person in a dataset – such as when the data is pseudonymised and the holder cannot link it to identifiers used in an opt-out list.”

With data often being a company’s greatest asset, as well as a growth engine for innovation and AI, the EHDS Regulation’s mandatory data access regime may have far-reaching consequences for businesses looking to protect their EHD – and should duly be considered in data strategies. In principle, once the data permit is issued, the data sharing becomes mandatory for the data holder. Failure to share the data may result in administrative fines of up to 4% of annual worldwide turnover.

  2. Implementation status

The implementation of the EHDS Regulation is underway. To date, most draft guidelines and technical specifications have been primarily addressed to HDABs, reflecting their central role in operationalising the framework. However, these draft guidelines already provide useful insights for data users and data holders, particularly in areas such as the opt-out right, data minimization, and the structure of access requests and permits. While more targeted guidance for industry stakeholders is expected, companies can already draw on these emerging materials to begin shaping their internal governance and compliance approaches.

Below is an overview of new developments since Part 1 of this Series (September 2025):

  1. Issued guidance
     • March 26, 2026: The Commission published an updated set of FAQs on the EHDS Regulation. The update expands questions 22, 55, and 56, and introduces new questions covering additional topics such as interoperability with EHR systems, data access processes, dispute mechanisms, and interactions with other EU legislation.
  2. Upcoming public consultations
     • May 2026: Expected launch of consultations on collaboration with third countries, data enrichment, and informing citizens. Six documents are expected, including a draft guideline for HDABs on collaboration with other parties and on international and third-country access and transfer of electronic health data. These guidelines and specifications include (amongst others):
       • Draft guidelines for HDABs on international and third-country access and transfer of electronic health data;
       • Draft guidelines for data users navigating the catalogue; and
       • Draft guidelines for data users on handling research outcomes.
  3. Concluded public consultation
     • November 2025: Conclusion of the second public consultation on 11 TEHDAS2 guidelines and technical specifications for fees, penalties, data access, data protection, secure IT systems, and citizens’ rights. These guidelines and specifications included (amongst others):
       • A guideline for HDABs on penalties for non-compliance;
       • A guideline for HDABs on minimum categories and limitations on the reuse of health data;
       • A guideline for data holders on making personal and non-personal electronic health data available for reuse;
       • A guideline for HDABs on data minimization, pseudonymization, anonymization, and synthetic data; and
       • A guideline for HDABs on implementing opt-out from the secondary use of health data.

The public consultation ended with over 750 responses. Responses are being reviewed by TEHDAS2, and final versions of the guidelines are expected to be published in the first half of 2026.

  3. GDPR-related implementation readiness: What can life sciences companies do?

Although most of the secondary use regime will apply from March 2029, there is currently limited concrete guidance for companies, and many aspects of the framework remain uncertain. As a result, preparation is necessarily preliminary and should be approached with caution. Nevertheless, many life sciences companies will act both as data holders and as data users, and even at this stage, readiness requires initial planning for both roles.

The considerations below complement the general readiness steps outlined in Part 1 of this blog series, with a particular focus on GDPR-facing aspects of the EHDS Regulation’s secondary use regime, including data access requests, permit processes, and downstream processing obligations.

Data Mapping and Inventory: As data holders, companies should begin by mapping datasets that may fall within Article 51 categories and identifying where they are located across corporate structures and service providers. This exercise should combine technical inventory with legal assessment: which datasets may contain commercially sensitive elements, how clinical trial data interacts with existing disclosure regimes, and where internal approval processes are required before responding to an HDAB decision. Companies should also consider how datasets will be shared (e.g., anonymized or pseudonymized), and what GDPR compliance measures will apply. Early establishment of governance structures, including review and escalation pathways for IP-sensitive cases, will reduce operational risk once access requests begin.

R&D Opportunities: As data users, companies should assess how EHDS Regulation access could support their research and evidence strategies. Permit-based access to real-world EHD via secure processing environments (SPEs) may provide opportunities to test hypotheses, generate real-world evidence, or validate AI models within controlled environments. Identifying priority research questions and analytical capabilities in advance will allow organizations to move efficiently once HDAB systems are fully operational.

A New Institutional Reality: Two misconceptions remain common. First, the EHDS Regulation does not create a central European “data lake.” Access will be application-based, user-specific, purpose-limited, and supervised by HDABs, with datasets assembled per permit and accessed through secure processing environments. Second, the EHDS Regulation does not impose broad new data generation or quality enhancement obligations. It focuses on structured access to existing EHD. Implementation readiness is therefore less about reacting to a future compliance deadline and more about developing institutional familiarity with a new access model, including how to benefit from it while protecting the organization. By 2029, HDABs and SPE infrastructures must be operational, and early decisions will shape practice. Companies that align data governance, IP management, and evidence-generation planning now will be better positioned to manage both risk and opportunity.

The EHDS Regulation’s secondary use framework is moving steadily from legislative text to operational infrastructure. Over the coming months, guidance, implementing acts, and national structures will further clarify how access will function in practice. For life sciences companies, this period should be used to strengthen data governance and align evidence strategies with the emerging regime. Sidley’s Global Life Sciences team continues to monitor EHDS Regulation implementation and related EU initiatives. For further background, see Part 1 of this series here and previous Sidley alerts on the EHDS Regulation here and here.
