Secondary use of health data
Whether you’re an innovator, a startup, or a researcher, the European Health Data Space is relevant to you!
Getting off to a good start
By March 2029, the European Health Data Regulation (EEDS) will come into effect with regard to the secondary use of health data.
In particular, it provides for a one-stop-shop mechanism for making health data available for specific purposes such as:
- scientific research,
- innovation activities,
- and the testing and evaluation of algorithms.
Does this apply to me?
As an innovator, you may have several roles that entail rights and obligations:
Data controller: if you hold data for which you are the data controller. In this case:
- You must share information about your databases in the National Data Set Registry (RED)
- You must make the data available to any authorized user who requests it for their project
- You may collect fees for making your data available and benefit from safeguards for data protected by intellectual property rights and trade secrets
Data user: if you wish to process data for the purposes listed in the regulation. In this case:
- You can view all available data through the RED
- You can request access to the data through the one-stop shop.
When?
-
2027
Designation of the entity or entities responsible for access to health data
-
2029
Most of the provisions regarding the secondary use of health data have come into effect
-
2031
Entry into force of provisions regarding the secondary use of certain data: environmental factors, "omics" data, data from clinical trials, studies, and research, and registry and cohort data.
Frequently Asked Questions
What is a Data Access Authority (DAA)?
The French ORAD(s) must be notified to the European Commission by March 2027.
The main tasks of an ORAD:
Governance and permits:
- Processing data access requests
Data pre-processing:
- Requesting data from data holders; preparing the data
Data provision:
- Making data available in secure environments
Standards and cooperation:
- Cooperate at the national and European levels on best practices, standards, etc.
HealthData@EU:
- Ensure connection and cooperation with the European HealthData@EU infrastructure
Information and transparency:
- Provide information on the secondary use of data; make results, access permits, pending requests, etc., publicly available.
Exercise of rights:
- Fulfilling obligations toward individuals (rights of access, information, etc.)
Metadata catalog:
- Make a national catalog of datasets available
Fees:
- Collect fees for data access; adjudicate disputes related to fees
Oversight and penalties:
- Monitor data holders’ compliance; impose penalties for non-compliance
What is a health data holder (DD)?
Any entity classified as a DD will be subject to new requirements starting in March 2029. A DD refers to any entity that meets the following criteria:
Condition 1:
Any natural or legal person: public authority, agency, or other organization involved in the health, care, or wellness sectors, including reimbursement services, developers of health products or services, producers of wellness applications, health researchers, etc.
Condition 2:
- For personal data: be responsible for processing
- For non-personal data (=anonymous data): be able to make data available through control over the technical design of a product and related services, including by recording or providing such data, restricting access to such data, or exchanging such data
The main responsibilities of a Data Steward:
Making data available:
- Make data available to ORAD upon request in accordance with a processing authorization and a data request
- Making non-personal data available via open and reliable databases
Fees:
- Estimate and collect fees for making their health data available, as well as fees covering the costs of data collection and preparation
Metadata and discovery:
- Provide a description of their datasets to ORAD and update the data in the catalog at least once a year within three months
- Provide documents to ORAD for the quality and utility label
What is a Trusted Data Holder (TDH)?
France must establish a designation procedure to allow a DD to become a DDC. The DDC must meet at least three conditions:
- Provide DDs with access via a compliant, secure processing environment
- Possess the necessary expertise to evaluate requests for access to health data and requests for health data
- Provide the necessary guarantees regarding compliance with the regulation.
The main responsibilities of a DDC:
Governance & Licensing:
- Review and make recommendations on access requests
Data provision:
- Make data available in a secure processing environment (personal data)
- Providing query results (anonymous data)
HealthData@EU:
- Facilitate cross-border access
Fees:
- Collect fees
Documentation
Experts
Secondary Use of Health Data: A Revolution for Innovation and Research in France
The secondary use of health data is now a major challenge for medical innovation and scientific research. With the upcoming entry into force of the European regulation on the European Health Data Space (EEDS) by March 2029, France is positioning itself as a key player in this digital transformation.
The European Regulatory Framework: EEDS and National Strategy
The European Health Data Space (EEDS) Regulation thus constitutes the legal foundation for this evolution. In France, this regulation is accompanied by an interministerial strategy launched in 2025, structured around four priority areas:
- Promoting transparency and public trust
- Building reusable data repositories
- Creating the necessary conditions for the sharing and reuse of health data
- Facilitating and simplifying the use of health data
The latter aims to optimize the reuse of health data while preparing for the implementation of the EEDS Regulation. This coordinated approach involves numerous stakeholders: the DNS, the CNIL, the Health Data Hub, and the CNAM.
Obligations of health data holders under the European framework for data reuse
Health data holders must share information about their databases in the National Directory of Datasets (RED). This sharing is required under the European regulation on data reuse. They must allow the secondary use of health data to any user who requests it for research, healthcare, or digital development projects. These holders will become key players in the national and European strategy for leveraging health data, in line with the recommendations of the CNIL and the objectives of the European Health Data Space.
Access, processing, and reuse of health data: a digital strategy for research, innovation, and personalized care
The secondary use of health data represents a major opportunity for innovation stakeholders, researchers, and healthcare professionals. Users wishing to process personal health data can consult the data available via the RED and submit a request for access through the one-stop shop.
This data, essential for processing and analysis, can be reused in research projects, digital health innovation initiatives, or to improve patient care. The European Health Data Space facilitates cross-border collaboration, particularly in research on rare diseases, and strengthens France’s overall strategy—as well as the European strategy—regarding the quality of reports and analyses.
The use of vast volumes of health data enables the development of artificial intelligence algorithms, promoting more accurate diagnoses and personalized patient treatments. This availability of data thus opens up new opportunities for innovation, while ensuring a secure and ethical framework.
Health Data Utilization: Balancing Innovation, European Regulations, and Patient Rights
The use of health data for secondary purposes relies on a crucial balance between digital innovation and the protection of patients’ rights. The European regulation establishes a royalty system for data holders, thereby recognizing the value of making data available within a secure framework. This data can be reused to support research projects, health innovation initiatives, or evaluative studies, contributing to improved care and the development of national and European strategies for digital health.