Recital 77
Given the sensitivity of electronic health data, health data users should not have unrestricted access to such data. All secondary use access to the requested electronic health data should be done through a secure processing environment. In order to ensure there are strong technical and security safeguards in place for the electronic health data, the health data access body or, where relevant, the trusted health data holder should provide access to such data in a secure processing environment, complying with the high technical and security standards set out pursuant to this Regulation. The processing of personal data in such a secure processing environment should comply with Regulation (EU) 2016/679, including, where the secure processing environment is managed by a third party, the requirements of Article 28 of that Regulation and, where applicable, Chapter V thereof. Such secure processing environment should reduce the privacy risks related to such processing activities and prevent the electronic health data from being transmitted directly to the health data users. The health data access body or the health data holder providing that service should remain at all times in control of the access to the electronic health data, and the access granted to the health data users should be determined by the conditions of the issued data permit. Only non-personal electronic health data which do not contain any personal electronic health data should be downloaded by the health data users from such secure processing environment. Thus, such a secure processing environment is an essential safeguard to preserve the rights and freedoms of natural persons in relation to the processing of their electronic health data for secondary use. The Commission should assist the Member States in developing common security standards in order to promote the security and interoperability of the various secure processing environments.

ELI: http://data.europa.eu/eli/reg/2025/327/oj
