EHDS Jurist

When can you ignore medical codes of conduct?

On LinkedIn, doctors and medical researchers regularly complain about unworkable rules. For example, as a radiologist, you have to ask the patient’s permission to use an MRI scan performed by someone else, and that permission is only valid for 72 hours. My response is: if it’s not in the law, then you can probably ignore it. Then I get a flood of responses. Dentists and pathologists explain to me that these are codes of conduct that the IGJ also uses and that “therefore” cannot be ignored. Here’s an explanation for them as to why and when certain (but not all) codes of conduct can indeed be ignored.

Soft law is not law

Codes of conduct are soft law, and contrary to what the name suggests, they (like ethics) are not law. They are rules based on ethics, mutually agreed-upon behavior, or contractual agreements that people adhere to, but they are not law. Soft law is used, for example, when one cannot enact or enforce laws, as in international law. It is also used when one does not want to enact formal law, because it is more flexible and one wants to wait and see how a new social phenomenon will develop (such as with franchising). Soft law is also chosen when the sector itself has considerable expertise and good intentions. In such cases, the sector is asked to draw up rules. Soft law is excellent for all of this. However, with soft law, you cannot ignore the rule (Article 5:4 of the General Administrative Law Act) that stipulates that the authority to impose a fine exists only insofar as it is granted by or pursuant to law.

There must be an open norm

But within healthcare, soft law is treated as part of the law. Sometimes this is correct, but sometimes it isn’t. Soft law can only become law if it includes an open standard. An example of such an open standard is: “The healthcare provider offers good care.” What constitutes good care? That means something different for a child psychiatrist than for a heart surgeon, and it’s different in 1995 than in 2025. Therefore, there are all sorts of codes of conduct and protocols by which (disciplinary) judges interpret the concept of good care. But, for example, the Coreon Code of Conduct requires that a medical ethics committee be consulted if there is a suspicion that research may raise privacy concerns, which is the case if personal data is used without consent. There is no open standard anywhere in the law that could lead to this, and therefore this rule is not part of the law.

There must be a judge who applies this

The second thing needed to turn soft law into law is a (disciplinary) judge who actually uses those codes of conduct to give substance to the open standard. Consider the Trias Politica: the legislature can write laws, the judiciary dictates how this should be implemented in practice. The executive branch implements, but cannot write rules. For example, the police cannot decide for themselves that children riding fat bikes will now receive fines. And the Dutch Data Protection Authority may have some opinions on how the GDPR should be interpreted, but that’s all it is. The European Court of Justice recently said precisely that about the European Data Protection Board: an “opinion” is simply an opinion. The IGJ, therefore, also only has an opinion and cannot write rules. The IGJ can indeed impose fines based on codes of conduct, but it is then up to the judiciary to verify whether the fine is justified or whether it should be overturned.

And it must comply with administrative law

And in that test, the judge examines whether there is an open standard that could be fulfilled with a code of conduct. Moreover, the judge assesses whether all administrative law principles, such as the principle of legal certainty and the principle of legality, have been met. Or how about the rule: no punishment without guilt? Wasn’t there also an emergency or an exception? A judge assesses all of that, but of course, your doctors and researchers have to submit it to that judge. He can’t take action on his own. So if you believe the IGJ or the AP is going too far, just take a stand and appeal to the administrative court. After all, the court is there to protect you and the rule of law. When assessing whether a code of conduct might be non-binding, pay close attention to whether we’re talking about the Medical Treatment Contracts Act (WGBO) or administrative law. The WGBO is part of contract law, and its content is as soft as butter: the supplementary effect of reasonableness and fairness always applies there, meaning there’s always an open standard by which soft law can become part of the law. However, in administrative law (anything that can lead to a fine), the principle of legality applies, and therefore there’s much less room for soft law.

And if not, then you may ignore it

In short: certain codes of conduct or protocols are indeed part of the law, but that doesn’t apply to all codes of conduct. When are you, as a physician or medical researcher, required to follow a code of conduct? (i) If the law contains an open standard, such as “good healthcare provider,” which is much more often the case in contract law than in administrative law; (ii) if a (disciplinary) judge has actually used those codes of conduct to give substance to the open standard; and (iii) if all of this is lawful, predictable, and the violation of the rule was also culpable, meaning there was no emergency situation or anything like that. Isn’t all of that the case? Then ignore the code of conduct if it makes you a lesser healthcare provider. Because that’s ultimately what it’s all about: trying to be a good healthcare provider.

The EHDS requires considerable preparation. A Health Data Access Body needs to be established, various software and hardware components need to be built or connected, and additional legislation needs to be drafted. Therefore, the EHDS will come into effect in several phases. What happens when it comes to the beneficial reuse of health data?

The arrival of the EHDS is causing public unrest. Will our health data still be safe? The regulation will indeed make more data available for beneficial reuse. But at the same time, health data will also be much more secure. So, kudos to the EHDS.

As a medical scientist, you might think you have little professional involvement with the rule of law. Nothing could be further from the truth. Understanding the separation of powers, for example, is crucial for knowing when to ignore the Data Protection Authority. It's also helpful to understand that lobbying begins with the question of whether the Ministry of Health, Welfare and Sport is the right place to be.

Trusted Data Holders and the EHDS

Recommendation to the HDAB

The EHDS creates a number of new roles with regard to the reuse of health data. The best known is the Health Data Access Body, a new government body where a permit can (or must?) be applied for in order to be allowed to work with data in a secure processing environment. Far less attention is paid to the role of ‘trusted data holders’ (TDHs). The HDAB can designate these TDHs in order to lighten its own administrative burden. Because of their expertise in legislation and the secure processing of health data, trusted holders may submit applications under a simplified procedure, together with a recommendation on the decision to be taken. The HDAB must, however, remain responsible for actually issuing the permit and may not be bound by the trusted data holder’s recommendation.

The duty of verification under the General Administrative Law Act

I assume that Section 3.3 of the General Administrative Law Act (Awb), on advice, applies to the recommendations of trusted holders. An important provision here is Article 3:9: ‘If a decision is based on an investigation into facts and conduct carried out by an adviser, the administrative body must satisfy itself that this investigation was carried out with due care.’ This is called the duty of verification (vergewisplicht). So if an academic hospital has TDH status and drafts a decision on an application concerning its own data, the HDAB may not approve it unread. A marginal review is permitted, but not reviewing at all is not.

Academic hospitals as TDHs

Bear in mind that there is a difference between a factual request to a data holder and a legal application to the HDAB. With an ordinary data holder, one will soon be able to make (factual) contact to ask whether the data the scientist wants exist at all, after which one applies to the HDAB for a permit and goes through the entire legal procedure. If the data holder is a trusted data holder, it has the right to have the scientists’ legal application to the HDAB accompanied by a proposal for the decision to be taken. Academic hospitals, for example, seem logical parties to be designated as trusted holders. However, if the HDAB finds the recommendations to be regularly incorrect (unjustified refusals or, conversely, unjustified grants), trusted holder status can be withdrawn.

The TDH supervises the data user

In addition to expertise, trusted holders of health data must also have their own secure processing environment (SPE), or at least have one at their disposal. The simplified procedure can be followed for a permit application or a request (the statistical question) that concerns data from trusted holders only. If such a request is submitted not to the trusted holder but to the HDAB, the HDAB simply forwards it. The trusted holder writes its recommendation within two months, after which the HDAB decides within two months. The trusted holder then performs the executing tasks (such as anonymization). The work is thus carried out in the trusted holder’s SPE, where the holder supervises whether all laws and regulations are being complied with. The HDAB in turn checks the TDHs.

With the right to use the BSN

In this way, the TDH can carry out all kinds of work fairly independently, which is why the TDH is explicitly described as a role that relieves the HDAB of part of its task and thus leads to a more efficient system. Of course, there must then be no national legislation standing in the way, but at present there is. Trusted holders must have the right to use the BSN (the Dutch citizen service number) to link files in a privacy-preserving way. In addition, they must be able to consult the National Consent Register (Nationaal Zeggenschapsregister) independently using the BSN. If they are not allowed to do so, they will still have to do all sorts of things via the HDAB, and the role of trusted holder will not come into its own.

The Ministry of Health, Welfare and Sport (VWS) will soon determine who will become the HDAB, the body to which permit applications for the beneficial reuse of health data will be submitted. Who could it be, and who could not? And what exactly will this HDAB have to do?

Under the EHDS, work must be performed in a Secure Processing Environment (SPE). Scientists don't receive data, but access it in an SPE that meets the strict technical and security standards established under the EHDS. What does this entail? And will everyone be required to work in such an SPE from now on? Will it become a supercomputer containing all our health data?

The law is not the same as ethics

Is ethics superior? Or is the law?

To properly understand our legal system and what the EHDS will bring us, it’s important to make a clear distinction between law and ethics. Morality is the question of whether we believe something is right, and the basis for that is ethics (although they are also referred to collectively as ethics). It is therefore a reasoned value judgment. Law, on the other hand, is the set of rules that determine what we may or may not do. Some believe that ethics is superior to law, more important, and more valuable. Others believe that ethics is simply an opinion, while law has been established by the majority of society through the democratic process. It is therefore more valuable than ethics. The question of who is right is irrelevant, as long as the difference is properly understood, and how they relate to each other.

Law is rules plus application

These rules of law are established by the legislature and then applied by courts in a specific case: for example, in the question of whether someone must pay damages. Law is therefore the totality of rules as applied by courts in specific cases. The system is structured in such a way that the highest court is always right; what the highest court declares to be law is, by definition, law. This ensures consistency in the application of law, allowing society to adjust its behavior accordingly. If the law is very clear, the court adds little, but rules are often somewhat vague; judges then elaborate on them. Law is therefore a sum of applied rules.

Ethics complements and forms new law

Ethics can be used by judges to flesh out open-ended norms, as is the case with the terms “good care” or “reasonableness and fairness.” Such vague terms are explained using interpretative methods such as dogmatics (what professors think), legislative history (what has been discussed in parliament), a purely linguistic application, or simply ethics. But when there is no open-ended norm, when it is crystal clear what a rule entails in a specific case, then ethics cannot really play a role; for example, with a statutory term of three years. Ethics is therefore used to give substance to open-ended norms. Moreover, ethics is an important guideline in determining what future law should look like. It then serves as an argument for legislative amendments. In this way, in a democratic society, law and ethics are achieved without significant differences, but that is not necessarily the case. Law is sometimes called “solidified ethics” in healthcare. But that’s only the case if ethics influenced the creation or interpretation of law. The rules on how to establish a private limited company are not solidified ethics, and the law of Nazi Germany was law, but not ethical.

A description of the law is not unethical

In discussions about the law surrounding medical research, which often has ethical implications, ethics and law are often confused. This complicates the discussions, which is why it’s important to clearly distinguish between them. One might feel that you should have a property right to data about yourself, for example, but as long as there’s no legal provision or case law (court rulings) that creates such a right, you don’t have one. One might argue on ethical grounds that an opt-in for secondary use of data would be preferable, but once the EHDS comes into effect, this European law will stipulate that an opt-out is sufficient. Lawyers who explain the law are sometimes accused of being unethical. But they don’t make any pronouncements on ethics; they merely explain how certain rules (probably or certainly) should be interpreted.

This is what the European Parliament thought

Ethics is thus used to define open standards. It also serves as a basis for drafting new laws. This also applies to legislators in Brussels. All Europeans have been patients at some point. They voted collectively on who should sit in the European Parliament. It was recently decided there that an opt-out is sufficient. Apparently, the majority considered this ethical.


What is a DPIA, what not?

A DPIA is a Data Protection Impact Assessment. It is mandatory under the GDPR in certain cases. What is it and what isn’t it? When is it mandatory? And what is the role of the Data Protection Officer?

What is the DPIA?

The DPIA is the report of a thorough brainstorming session. A plan has been made to do something with personal data, but this could pose risks with regard to privacy. Therefore, the DPIA outlines step by step exactly what processing operations are planned and for what purpose; what the risks are; whether these risks can be adequately covered; whether everything complies with the GDPR; whether any remaining risks that cannot be covered are proportionate to the purpose; and whether, based on all of this, the plans may or may not be implemented. In other words, it is a comprehensive, step-by-step analysis of whether certain plans are actually such a good idea, in light of privacy. Under certain circumstances, data subjects, such as patient associations or employees (via the Works Council), must be involved in this process.

What is the DPIA not?

The DPIA isn’t some sort of ritual. Model DPIAs are often used. There’s nothing wrong with them if they’re used correctly, namely as a tool for a thorough analysis. However, when the model is used as a form that simply has to be filled out, things go wrong. The DPIA isn’t intended to ensure that something is permitted, but to answer the question of whether something is permitted. Moreover, the DPIA isn’t a marketing tool. It’s intended for internal consideration, not to externally demonstrate the enormous importance one attaches to the GDPR. Furthermore, it’s unwise to conduct DPIAs before answering the question of whether one is actually a controller. A processor is someone who processes personal data on behalf of someone else: the controller. The processor may not make themselves a controller. By conducting DPIAs on data for which one is not a controller, one runs the risk of becoming one.

When is it required?

The DPIA must be carried out “when a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing.” DPIAs are required in particular for:

1. A systematic and extensive assessment of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects or significantly affect certain individuals in a similar manner;
2. Large-scale processing of special categories of personal data or criminal record data;
3. Systematic and large-scale monitoring of publicly accessible spaces;
4. Everything that has been placed on the DPIA list by the Data Protection Authority.

Note that processing special personal data does not always require a DPIA. This is only the case if processing is on a large scale. What is typically done by individual healthcare providers is not covered.

When is it not required?

A DPIA is required for processing operations that are “likely to pose a high risk,” but if it is clear that there are no risks, it is not necessary. Moreover, it is not necessary to conduct a DPIA every time for similar processing operations; if an academic hospital regularly conducts medical research with its own health data in its own secure processing environment, a DPIA does not need to be conducted every time. The data set may be different, but the processing operations are similar. A DPIA is also not required if there is a legal obligation or a statutory task, provided that an impact assessment was already conducted when that law was drafted (unless, of course, that law subsequently requires a DPIA).

Role of the Data Protection Officer

Contrary to popular belief, the DPIA is not carried out by the Data Protection Officer (DPO). However, the controller must consult the DPO (if it has one). If there is indeed an obligation to conduct a DPIA, appointing a DPO will usually also be mandatory. The DPO does not know exactly what the controller has in mind regarding high-risk processing. This must therefore be explained to the DPO, outlining the plan and its rationale, the perceived risks, and the security measures envisioned. The DPO then advises whether the planned measures appear sufficient and whether they appear to comply with the GDPR. However, the DPO does not perform the analysis, nor does the DPO decide whether a plan can proceed. And the DPO certainly does not have the role of simply handing out green checks.


GDPR, purpose limitation, science and corona

Medical scientists trying to gather data for (undeniably useful) research are sometimes faced with rejection due to “purpose limitation.” For example, someone had collected data for research into unexplained excess mortality after COVID-19. When she subsequently wanted to use that same data for research on Long-Covid, it was denied. Purpose limitation! But is that correct?

The principle of purpose limitation can be found in the GDPR. It states that (1) personal data may only be collected for specified and legitimate purposes, and (2) it may not subsequently be used in a way “incompatible with those purposes.” The latter is the principle of purpose limitation, and it logically follows from the first. Prescribing that you may only collect data for specific, legitimate purposes is pointless if you can then do something completely different with it. Whether there are valid “purposes” must be assessed against the GDPR article that sets out the “grounds.” This is often taken for granted, while it simply boils down to the question: do you have a legitimate and good purpose for doing what you’re doing?

The GDPR article on lawful purposes or conditions, also explains when you’re allowed to do something slightly different with that data; if there’s a compatible purpose. For example, Netflix primarily collected customers’ personal data to provide paid streaming services. However, the company is also allowed to use that data to take action against subscription abuse. These are sufficiently connected, and customers can reasonably expect such a thing to happen. That’s therefore “compatible” use of personal data. If that’s not the case, if it’s not sufficiently connected, then there are three possibilities: a law prescribes that it’s allowed anyway, you have permission, or you simply have to collect new data.

The latter is, of course, a problem for scientists. Because if data has been collected to provide care to someone with complaints, that’s quite different from using that data to investigate whether AI can help identify someone’s condition sooner. The connection becomes even more remote if you’ve collected data to track down cybercriminals, and then criminologists want to study that data to investigate why someone becomes a cybercriminal in the first place. Can such a thing be prevented? Then the use is truly no longer related to the previous purpose, nor is it use that the data subjects could reasonably expect. Asking those cybercriminals for consent is a rather hopeless mission, but so is generating new data. Therefore, a law is needed that stipulates that such a thing is permitted.

The good thing is that they’ve already addressed this in the GDPR itself. The article on purpose limitation immediately states: further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes is not considered incompatible with the original purposes. In simpler terms: the principle of purpose limitation simply doesn’t apply to science and statistics.

Of course, this doesn’t mean that everything is suddenly permitted under the guise of science, statistics, or archiving. Although there is a general exception to the principle of purpose limitation for scientific purposes, specific research can still be prohibited. After all, you must also meet other requirements of the GDPR, such as taking sufficient technical and organizational measures to secure everything; for example, anonymization or pseudonymization, or working in a highly secure processing environment that you can only access with a crowbar (as criminologists have devised).

If the data you’re working with is special personal data (which is what health data is), you also need an exception to the prohibition on using it. This prohibition is essentially medical confidentiality. It’s not in healthcare law, but in the GDPR. It doesn’t apply to people with a specific profession, but to everyone, with regard to certain types of data. Very useful. One such exception to medical confidentiality is: you may use health data for medical research if you’ve asked for consent, unless that’s unreasonable. When it comes to big data research, that’s unreasonable, and consent isn’t required.

All this means: if you’re conducting big data research on, for example, excess mortality and long-term COVID, if the government funds it because it’s well-designed and genuinely useful, and if the requirements are met because you’re working in a highly secure processing environment, then the principle of purpose limitation doesn’t apply. In that respect, you don’t need consent. You might still need consent to breach (universal) medical confidentiality, but that’s a different matter. And in that case, consent isn’t required if a large amount of data is involved. Incidentally, the rules regarding consent will change under the EHDS. However, the GDPR will remain in effect, and the rule that there’s a general exception to the principle of purpose limitation for the purposes of science and statistics remains unchanged.


Why is the EHDS revolutionary?

More data, because it's safer

The EHDS aims to make more data available for secondary use by making it more secure. The GDPR will continue to apply alongside the EHDS. This privacy regulation already stipulates that the use of health data (in short) is permitted if there is a good purpose, if the law is followed, and if sufficient technical and organizational measures have been taken. The EHDS stipulates the same, but in more detail: working with health data is permitted if it serves a useful purpose, as described in the EHDS. This will be assessed by a newly established government body, the Health Data Access Body (HDAB), which will assess compliance with the GDPR in addition to the EHDS. Subsequently, users will not receive data, but a permit to work with that data, which will specify the precise conditions, such as the requirement to work in a secure processing environment (SPE). In other words, users will not receive data, but access to it. The HDAB will periodically verify whether the SPEs are indeed (still) sufficiently secure.

A right to data

So far, there seems to be little new; there must be a good purpose, the work must be done lawfully, and the work must be carried out safely. Yet, the effects of the EHDS, by creating an HDAB and a data permit, are truly groundbreaking or revolutionary. Firstly, because the data must be shared much more widely: if the HDAB has determined that a scientist is permitted to work with data (as described in the permit), then the data holder is obligated to actually make it available. We already have various laws requiring data holders to make data available to the government itself, such as the Statistics Netherlands Act (CBS Act) and the RIVM Act. But now, there is an obligation to make data available to permit holders, i.e., non-governmental organizations.

If an academic hospital now wants to use data from a nursing home, that nursing home can refuse, invoking the GDPR. Whether that appeal and refusal are justified can never be submitted to a court, because sharing data by the nursing home is a favor. Now, this becomes an obligation. The other side of this is that the academic hospital effectively acquires a right to (work with) data. This is not explicitly stated in the EHDS. However, a decision on a permit application is an administrative decision. If the permit is denied, an objection can be filed (with the HDAB itself) and then, if necessary, an appeal can be lodged with the administrative court. If the court determines that the academic hospital meets all the conditions for obtaining the permit, it will be granted the permit. Compare this to a permit for a dormer window; if all the conditions are met, it can no longer simply be denied. By creating a data permit, the EHDS indirectly creates a right to data.

Academic freedom

Moreover, in principle, everyone has the right to work with health data. Anyone can apply for a permit; any natural person or legal entity throughout the European Union. Obtaining such a permit requires pursuing a recognized purpose under the EHDS, but no distinction is made between, for example, citizen scientists and scientists from academic institutions. Of course, applicants will be assessed for their qualifications to achieve the intended objectives and therefore possess appropriate expertise. However, people like Albert Einstein, who work at a patent office, will have more opportunities under the EHDS to demonstrate their capabilities. This isn’t dangerous, because the HDAB will anonymize or pseudonymize the data as much as possible, and will not transfer it but make it available in a secure processing environment from which no data can be extracted, only conclusions.

Transfer of confidentiality decisions in case of secondary use

The next striking fact is that the authority to decide on the secondary use of health data is being taken away from individual healthcare providers and placed with the HDAB, the newly established government agency. The EHDS is therefore seen in the medical sector as a worrying restriction of medical confidentiality. In my opinion, it would be better to view it as a partial relocation of medical confidentiality, which is also not illogical. Remember, medical confidentiality was introduced by doctors themselves, at a time when the rule of law did not yet exist; 2,000 years ago. That was fantastic, of course, but now we do have a well-functioning rule of law and a government agency that oversees the protection of privacy. Previously, there was no choice as to where decisions on secondary data use should be placed, but now there is. And in that case, an independent government agency is a more logical choice than the doctors themselves.

Most doctors are, of course, honest and well-meaning, but unfortunately there are bad apples in every profession. A bad doctor has a personal interest in medical confidentiality. An independent government agency does not. The EHDS explicitly states that the HDAB must be safeguarded to ensure its independence; there must be no conflicting interests. Individual healthcare providers, by contrast, can have such conflicting interests. Moreover, we cannot expect all healthcare providers to be familiar with the GDPR, while an HDAB is. Ultimately, the importance of the privacy of the individual patient conflicts with the importance of medical progress for society as a whole: the interest of other patients and future generations in being able to research and discover new treatment methods. An independent agency is better positioned to weigh individual versus collective interests, current versus future interests. Therefore, with regard to secondary use of data, medical confidentiality is not so much restricted as displaced by the EHDS. And in our fairly well-functioning constitutional state, that is a logical choice from a legal perspective.

The EHDS requires considerable preparation. A Health Data Access Body needs to be established, various software and hardware components need to be built or connected, and additional legislation needs to be drafted. Therefore, the EHDS will come into effect in several phases. What happens when it comes to the beneficial reuse of health data?

EHDS privacy juridisch data

The arrival of the EHDS is causing public unrest. Will our health data still be safe? The regulation will indeed make more data available for beneficial reuse. But at the same time, health data will also be much more secure. So, kudos to the EHDS.

EHDS privacy juridisch data

As a medical scientist, you might think you have little professional involvement with the rule of law. Nothing could be further from the truth. Understanding the separation of powers, for example, is crucial for knowing when to ignore the Data Protection Authority. It's also helpful to understand that lobbying begins with the question of whether the Ministry of Health, Welfare and Sport is the right place to be.

Which data are covered by the EHDS?

This web text is primarily a request for input from medical scientists. The EHDS stands for European Health Data Space, a European Regulation that will apply directly as law in the Netherlands. Chapter 4 of this regulation focuses on making health data more readily and securely available for beneficial reuse, such as scientific research. This means that health data must be made available (securely!) if a new government body (the HDAB) so decides. Article 51 of the EHDS contains a list of data that must (in principle) be made available. However, it also states that Member States may add data to this list. It is therefore important that we carefully examine this list and consider which data are not included, even though they are still important for science and policy evaluations. What data do you, as a scientist, use that are not yet included on the list below? What are we missing? Please share your thoughts via the contact form.

The EHDS includes at least the following data:

  1. electronic health data from EHRs;
  2. data on factors impacting on health, including socioeconomic, environmental and behavioural determinants of health;
  3. aggregated data on healthcare needs, resources allocated to healthcare, the provision of and access to healthcare, healthcare expenditure and financing;
  4. data on pathogens that impact human health;
  5. healthcare-related administrative data, including on dispensations, reimbursement claims and reimbursements;
  6. human genetic, epigenomic and genomic data;
  7. other human molecular data such as proteomic, transcriptomic, metabolomic, lipidomic and other omic data;
  8. personal electronic health data automatically generated through medical devices;
  9. data from wellness applications;
  10. data on professional status, and on the specialisation and institution of health professionals involved in the treatment of a natural person;
  11. data from population-based health data registries such as public health registries;
  12. data from medical registries and mortality registries;
  13. data from clinical trials, clinical studies, clinical investigations and performance studies subject to Regulation (EU) No 536/2014, Regulation (EU) 2024/1938 of the European Parliament and of the Council, Regulation (EU) 2017/745 and Regulation (EU) 2017/746;
  14. other health data from medical devices;
  15. data from registries for medicinal products and medical devices;
  16. data from research cohorts, questionnaires and surveys related to health, after the first publication of the related results;
  17. health data from biobanks and associated databases.

So, as Member States, we can add categories here, but I can’t think of anything missing. Someone suggested that perhaps the data of a fetus, which is not yet (legally) a natural person, falls outside of this. But it seems to me that a fetus doesn’t have its own EHR, but is included in an EHR? Therefore, my question to you: what health data is missing, even though it is indeed important to medical science? I’d like to hear from you via the contact form, and I’ll pass this on to the authors of the EHDS implementing legislation.

European Law

The EHDS is European law. But what is that exactly? Does it have direct effect? ​​What is the difference between a directive and a regulation? Does European law always override national law? Can the EU even write rules on public health? What does the EHDS implementing legislation entail? And can privacy be protected beyond what Europe prescribes?

In the past, treaties were concluded between states. Initially, these were contracts between those in power, with obligations imposed solely on those powers themselves. Later, treaties also included the rights and obligations of citizens. Then came the European Union. This was something completely different from an international organization or a treaty. A new layer of government was created; Europe became a federation similar to the United States. The EU drafted legislation that had direct effect on national legal systems, regardless of whether a European country wanted it or not. Therefore, there is frequent debate about whether the EU even has the authority to legislate on a particular topic.

The EU initially acquired powers primarily in the economic sphere: the free movement of people, goods, services, and capital. It had no jurisdiction over (among other things) government transparency or public health. Subsequently, the view on data changed; it is now seen as an economic asset, on which the EU can therefore legislate. It was also recognized that free movement could only truly function if there was also an underlying free movement of data. In that context, the EU began working on a European data strategy, with little dispute that the EU has the authority to create the free movement of data, similar to the free movement of goods and services. The competence (the authority to write regulations) regarding public health is now gradually shifting from the national governments to Brussels, accelerated by the coronavirus pandemic; a European public health strategy is being developed. However, it is still emphasized that the competence in this regard lies primarily with the Member States.

The unique thing about the EU is that (in the areas for which it has been granted powers) it is essentially a federation, a new layer of government. European law has direct effect, whether a country wants it to or not. The EHDS will soon become a directly applicable law, which can be directly invoked in court. The EHDS is a regulation. The EU also writes directives. Directives are essentially mandates for national states to write certain laws, with some freedom in how they are implemented. However, in both cases, you cannot simply withdraw from them (although you can always leave the EU, but that would be a rather extreme approach).

Even though a Regulation (unlike a Directive) has direct effect as law, an Implementing Act usually needs to be written alongside it, such as the GDPR Implementing Act. Such laws are necessary to integrate European law into our national system; for example, an EHDS licensing system must be in line with the provisions of the General Administrative Law Act on licensing. Authorities also often need to be designated; in the case of the EHDS, this is the HDAB. In addition, the Implementing Act must regulate matters that are explicitly left open in the Regulation, or in respect of which the Member States are given a task; a task similar to a Directive. For example, Article 13(1) of the EHDS begins with the words: “Member States shall ensure that…”

When drafting such implementing legislation, it is also important to consider whether a rule is intended as minimum or maximum harmonization. Minimum harmonization sets a lower limit; all Member States must provide at least a certain level of legal protection, but more is also acceptable. Maximum harmonization requires the implementation of precisely that rule. Deviations from it are not permitted, which is often overlooked with regard to the GDPR. Therefore, when drafting implementing legislation for European law, consideration should always be given to: (1) how the whole should be integrated into national legislation, (2) which areas leave clear choices to the countries, and (3) which areas concern minimum or maximum harmonization and whether deviations are therefore permitted. Regarding health data, it is important that the GDPR states (in Article 9, paragraph 4) that Member States may draft additional rules. However, the EHDS itself explicitly states (recital 52) that this paragraph 4 will no longer apply to EHDS data.

Finally, there are rules regarding the hierarchy of rules if the court finds they are truly in conflict; these are the so-called conflict rules. There are three: (i) higher law always takes precedence over lower law, (ii) a specific rule takes precedence over general rules, and (iii) new rules on the same subject take precedence over older rules. These three are applied in this order. This means, among other things, that the WGBO (Dutch law) can never override European law, because that is higher law. National law, such as the WGBO, can only override European rules if those European rules explicitly state that this is permitted. We must therefore carefully study the text of the EHDS to assess whether our Dutch law conflicts with it, and if so, whether it is permitted. If it is not permitted, the Dutch rule automatically no longer applies.

Why the EHDS Regulation?

EHDS stands for European Health Data Space. It is a European law that will apply directly in the Netherlands, just like the GDPR. The European Union introduced the free movement of people, goods, capital, and services decades ago. Internal borders within the EU were abolished as much as possible. The goal of this was economic growth, in addition to, among other things, complicating war. Brussels quickly realized that this free movement would not function properly without the free flow of data. Therefore, a European, borderless data space was also needed. The GDPR was the first step in this process; to achieve the free flow of data, data protection had to be standardized in Europe. Countries can protect privacy themselves, but achieving the free flow of data required uniform data protection.

A data legislation matrix

A European data strategy was subsequently developed, best described as a legislative matrix. On the one hand, there are rules governing all data, regardless of content. These can be found in the GDPR, the Re-use of Government Information Act, the Data Regulation, and the Data Governance Regulation. On the other hand, there are (and will be) rules governing certain types of data. Nine Data Spaces have been designated for this purpose, including financial data, transport data, and therefore also healthcare data. Therefore, when reading the EHDS, one must remember that this law can only be properly understood as a cog in a larger system of laws that complement each other: European laws such as the GDPR and other data legislation, but also Dutch legislation such as the General Administrative Law Act.

An economic perspective on healthcare

The EHDS aims to improve healthcare in Europe by realizing the free movement of patients, healthcare providers, and medical scientists. It was expected that the free movement of goods would lead to economic growth and better products, and this proved to be true. Supporting regulations were developed, such as the two-week return policy for online orders throughout the EU. This gives consumers the confidence that they can order directly from anywhere in Europe. A reputable Italian organic farmer can thus serve the wine market in Wassenaar; prices will decrease, and quality will increase. Similar benefits are also expected to be realized in healthcare. The goal is for Dutch radiologists, for example, to be able to assess MRI scans from across the EU. Brussels expects this will make healthcare cheaper and better.

Broader data availability

In addition, the EHDS aims to stimulate innovation by making health data available for beneficial reuse. Universities, businesses, and citizens will soon be able to apply for a permit to work with health data. Whether you receive this permit will be assessed based on whether you are pursuing a useful purpose, such as education, scientific research, statistics, but also developing new products or training AI systems. If necessary, you can submit the decision on your application to a judge, who can assess it against, among other things, the prohibition on discrimination or scientific freedom. For example, it will no longer be permitted for an academic hospital to share data with physicians but not with scientists from the computer science faculty.

Within strict legal frameworks

Carelessness with health data is inconvenient, unethical, and unlawful. According to the GDPR, sharing is only permitted if there are sufficient “technical and organizational safeguards.” The EHDS prescribes what this entails. A permit must be requested (with some exceptions) from the Health Data Access Body, a new government body. The permit specifies the precise conditions, and the EHDS also contains a list of things that may not be done with the data. Violation of these conditions is punishable by fines. In such cases, the data is not given, but access to it in a secure processing environment. This should make more knowledge available securely throughout the Union. After all, in addition to a right to data protection, we also have a right to information.

Pseudonymization and the GDPR

Pseudonymisation is a term from the GDPR that causes a lot of confusion. Is this personal data, and therefore does the GDPR apply to it, or not? As is so often the case, the answer from lawyers is: it depends. That’s because pseudonymous data is not a category or type of data. Pseudonymisation is only listed in the GDPR as a technique. Article 4(5) states: “‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

Simply put, pseudonymization means replacing “Antoinette Vlieger” with, for example, the number “1973.” The difference with anonymization is that there’s still a key or list that allows you to determine that number 1973 is Vlieger. In medical science, you almost always want to pseudonymize rather than anonymize. This allows findings to be relayed back to the treating physician if necessary, or additional information can be requested if it later proves necessary for the research.

But keep in mind that there’s always a difference between everyday language and legalese (like lawyers explaining at parties: this wasn’t murder but manslaughter, while for everyone around them it was murder). In everyday language, pseudonymization is therefore the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information. However, the GDPR adds another component: “provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” It must also be recorded who has (exclusive) access to the key.

Does the GDPR apply to pseudonymous data?

So does the GDPR apply to such data or not? That depends on whether it is “personal data,” and the term “personal data” is a relative term. The GDPR applies when someone’s privacy is at stake, because the data can be traced back to a specific person. If an academic hospital is conducting research on patient number 1973, and they themselves have the list indicating that this concerns Vlieger, then that data is personal data for that hospital. If they provide this data (to train an AI tool) to mathematicians who do not have the list, then it is not personal data for those mathematicians; the GDPR does not apply. If the same set of data is given to Statistics Netherlands (CBS)—which also does not have the list, but can combine the data with its own data, making it clear who the data concerns—then the data is personal data for CBS. And even more complicated: if the mathematicians, for whom the data is not personal data, post the data on a public website, allowing Statistics Netherlands (CBS) to access it (for whom the data is personal data), then when it is made public it is again personal data and therefore the GDPR does apply; this also applies to the mathematicians.

The GDPR therefore applies to personal data; held by specific individuals and in a specific context. Pseudonymous data is sometimes personal data, and sometimes not. And you should be equally careful with the concept of anonymous data. Absolutely anonymous data is anonymous to everyone. This is not personal data, and the GDPR does not apply to it. But there is also relatively anonymous data; anonymous to me, but not to Statistics Netherlands (CBS). To avoid confusion, it is better to refer to only absolutely anonymous data as anonymous. The GDPR does not apply to this anyway. However, with regard to relatively anonymous data and pseudonymous data, the applicability of the GDPR must be assessed each time.
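The mechanics behind the two sections above (the replacement of a name by a number with the key kept separately, and the point that the same pseudonymised set is personal data for a CBS-like recipient that can link it to its own register but not for a recipient with nothing to link against) can be made concrete in code. The following is an added example written for this page; it is not code from the original page or from any EHDS body, and all names, years and postcode areas in it are constructed. It also shows a caveat the text only implies: a plain hash of a name, with no secret key, is not a pseudonym in the Article 4(5) sense, because anyone with a list of plausible names can recompute and reverse it.

```python
import hashlib
import hmac

# Constructed sample data for this example; the people do not exist.
# 'name' is the direct identifier. birth_year and postcode_area are
# quasi-identifiers that the research question needs and that stay in the set.
RECORDS = [
    {"name": "Anna Jansen", "birth_year": 1973, "postcode_area": "2511", "diagnosis": "migraine"},
    {"name": "Jan de Vries", "birth_year": 1961, "postcode_area": "1011", "diagnosis": "diabetes"},
    {"name": "Piet Bakker", "birth_year": 1961, "postcode_area": "1011", "diagnosis": "hypertension"},
]

# Constructed register held by a third party (the CBS scenario in the text):
# it has no key and no pseudonyms, but names next to the same quasi-identifiers.
AUXILIARY_REGISTER = [
    {"name": "Anna Jansen", "birth_year": 1973, "postcode_area": "2511"},
    {"name": "Jan de Vries", "birth_year": 1961, "postcode_area": "1011"},
    {"name": "Piet Bakker", "birth_year": 1961, "postcode_area": "1011"},
    {"name": "Kees Smit", "birth_year": 1985, "postcode_area": "3511"},
]


def pseudonymize(records, key):
    """Replace the direct identifier by a keyed pseudonym (HMAC-SHA256, truncated).

    Returns the dataset to hand out and the lookup table the key holder keeps.
    Key and table together are the 'additional information' of Art. 4(5) GDPR:
    they must be stored apart from the dataset, under their own access control,
    with a record of who may use them.
    """
    handed_out, key_holder_table = [], {}
    for rec in records:
        pid = hmac.new(key, rec["name"].encode(), hashlib.sha256).hexdigest()[:16]
        key_holder_table[pid] = rec["name"]
        handed_out.append({"pid": pid, **{k: v for k, v in rec.items() if k != "name"}})
    return handed_out, key_holder_table


def reidentify_with_key(pseudo_records, key_holder_table):
    """The key holder (the hospital in the text) can always go back to the person."""
    return {rec["pid"]: key_holder_table[rec["pid"]] for rec in pseudo_records}


def reidentify_by_linkage(pseudo_records, register):
    """A recipient without the key can still re-identify every record whose
    quasi-identifiers are unique in a register it already holds. Records that
    share their quasi-identifiers with someone else stay ambiguous, so the
    same dataset is personal data for this recipient and not for one without
    such a register."""
    by_quasi = {}
    for entry in register:
        by_quasi.setdefault((entry["birth_year"], entry["postcode_area"]), []).append(entry["name"])
    linked = {}
    for rec in pseudo_records:
        candidates = by_quasi.get((rec["birth_year"], rec["postcode_area"]), [])
        if len(candidates) == 1:
            linked[rec["pid"]] = candidates[0]
    return linked


def unkeyed_pseudonym(name):
    """A common mistake: a plain hash of the name, with no secret key."""
    return hashlib.sha256(name.encode()).hexdigest()[:16]


def dictionary_attack(pseudo_ids, candidate_names):
    """Without a key, anyone holding a list of plausible names can recompute
    the hashes and reverse them; the protection lies in the key, not the hash."""
    table = {unkeyed_pseudonym(n): n for n in candidate_names}
    return {pid: table[pid] for pid in pseudo_ids if pid in table}


if __name__ == "__main__":
    key = b"held-by-the-hospital-only"  # in practice: random, kept in a KMS/HSM, access logged
    handed_out, table = pseudonymize(RECORDS, key)
    print("key holder re-identifies:", reidentify_with_key(handed_out, table))
    print("register holder re-identifies by linkage:", reidentify_by_linkage(handed_out, AUXILIARY_REGISTER))
    weak_ids = [unkeyed_pseudonym(r["name"]) for r in RECORDS]
    names = [e["name"] for e in AUXILIARY_REGISTER]
    print("unkeyed hashes reversed:", dictionary_attack(weak_ids, names))
    print("keyed pseudonyms reversed:", dictionary_attack([r["pid"] for r in handed_out], names))
```

Run as a script it prints the four outcomes: the key holder recovers every name; the register holder recovers only the record whose birth year and postcode area are unique in its register (the two records that share them stay ambiguous); the unkeyed hashes are all reversed from a name list; the keyed pseudonyms are not. Whether the mathematicians of the text are handed personal data therefore depends on what else they hold, which is exactly why the assessment has to be made per recipient.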

Is this confirmed in case law?

Many people are eager to know if the European courts have confirmed the above. However, there’s no case law on the concept of pseudonymization itself. While there is case law that does address pseudonymized data, it consistently applies the case law on the concept of “personal data.”

The judgment in SRB v EDPS (General Court, 26 April 2023, T-557/20, ECLI:EU:T:2023:219) clearly illustrates how the EU courts address this issue. The EDPS took the position that the data the SRB shared with Deloitte were pseudonymized and therefore personal data (paragraph 32). The SRB argued that, for the recipient, Deloitte, the data were not pseudonymous but anonymous, since the SRB did not share with Deloitte the information that could be used to re-identify the data (paragraph 76). It is striking that the judges do not address whether the data were pseudonymous or anonymous, but only whether they were personal data. And that is the end of the matter. The case is now on appeal before the Court of Justice, and the Advocate General makes a clear statement on this in the Opinion of 6 February 2025 (C-413/23 P, ECLI:EU:C:2025:59), point 52: pseudonymised data are not automatically excluded from being personal data, because “under certain conditions” they are personal data; but not always.

The EDPB Guidelines 01/2025 on pseudonymisation, adopted on 16 January 2025, say the same (paragraph 22): if pseudonymised data and additional information may be combined, taking into account the means reasonably likely to be used by the controller or by another person, the pseudonymised data constitute personal data.

Is pseudonymization always mandatory?

So, sometimes the GDPR applies to pseudonymous data, sometimes not. But if you haven’t yet done so, is it mandatory under the GDPR? The legal answer to that, too, is: sometimes yes, sometimes no. The short answer is: if it’s possible, it must be done (and as quickly as possible), but if it’s not possible, you can still use the data, depending on the circumstances; for a compelling purpose and provided it’s very well secured.
