Data portability: public vs private healthcare under EU law

Understand how GDPR, EHDS, and national health law create different data portability obligations for public and private healthcare providers across Europe

Healthcare organisations operating across Europe face a legal obligation on patient data portability, not merely a technical aspiration. What is less widely understood is that the obligation does not apply uniformly. A private clinic in Amsterdam, a public hospital in Madrid, and a mixed-model provider in Berlin may all handle the same type of patient record, yet face meaningfully different legal requirements when a patient asks to take their data elsewhere. The reason lies in a structural feature of EU law: data protection rules are set at the supranational level, but healthcare delivery remains a national competence, and the lawful basis on which a provider processes patient data determines which portability rights actually apply. For healthcare decision makers responsible for compliance, IT infrastructure, or clinical operations, understanding this distinction is essential groundwork before the European Health Data Space application dates begin to bite. A working grasp of data security and privacy obligations is a prerequisite for this analysis.

The legal framework: what EU law actually requires

Three distinct regulatory layers govern patient data portability in Europe, and they interact differently depending on provider type.

The first is the General Data Protection Regulation (GDPR), which sets the baseline right to data portability under Article 20 but contains a critical limitation that significantly narrows its application in public healthcare. The second is the European Health Data Space (EHDS) Regulation, Regulation (EU) 2025/327, which entered into force on 26 March 2025 and represents the most significant structural change to health data governance in EU history. The third layer is national implementing legislation, which governs how public health systems manage record access and transfer, often through sector-specific health law rather than data protection law.

These layers do not operate independently. GDPR remains the primary data protection framework. EHDS introduces sector-specific obligations that sit alongside it. As Taylor Wessing's analysis of the EHDS-GDPR relationship notes, EHDS does not replace GDPR but builds a sectoral framework on top of it, with phased implementation running from March 2027 for general provisions and March 2029 for primary and secondary use rules. Decision makers need to understand all three layers to assess their obligations accurately. Relying on GDPR alone produces an incomplete picture.

GDPR Article 20: where the public/private distinction first appears

GDPR Article 20 grants individuals the right to receive the personal data they have provided to a controller in a structured, commonly used, machine-readable format and to transmit it to another controller. This right is not universal. It applies only where the processing is carried out by automated means and is based on consent (Article 6(1)(a) or Article 9(2)(a)) or on a contract (Article 6(1)(b)). Where processing is grounded in a legal obligation (Article 6(1)(c)) or the performance of a public task (Article 6(1)(e)), Article 20 does not apply; for public-task processing, Article 20(3) says so expressly.

This is the point at which the public/private distinction first becomes operationally significant. Most public healthcare providers process patient data under a statutory mandate. A national health service treating a patient does so not on the basis of a contract with that patient, nor typically on the basis of consent. It fulfils a legally defined public function. This means the GDPR portability right does not directly apply to the majority of public health system data processing in the EU.

The practical consequence is that patients seeking to port their records from a public hospital to a private specialist, or from one national health system to another, cannot rely on GDPR Article 20 to compel that transfer. They must instead rely on national health law provisions, which vary considerably across Member States. One caveat: the right of access under GDPR Article 15 applies whatever the lawful basis, so a patient can always obtain a copy of their data from a public provider. What Article 20 adds, and what is missing in the public-task case, is the right to a machine-readable export and to direct transmission to another controller.

How public healthcare providers are treated under EU and national law

Public healthcare providers across the EU implement patient record access and transfer rights through sector-specific legislation, not GDPR portability provisions. The obligations exist, but they are rooted in health law frameworks that differ substantially by jurisdiction.

Across key European markets, the picture is fragmented:

  • Nordic models (Denmark, Finland, Sweden) have relatively mature national medical record system infrastructure and patient portal systems, with statutory rights to access records embedded in health legislation. Finland's Kanta system, for example, provides patients with a centralised digital access point for records held across public providers.

  • Germany introduced a statutory right for patients to inspect and receive copies of their records under the Patient Rights Act (Patientenrechtegesetz, codified in § 630g BGB), with providers required to grant access without undue delay. The country has also been developing its Telematikinfrastruktur (TI) as a national interoperability backbone.

  • France has implemented the Mon Espace Santé platform as a patient-facing health data space, providing access to records from public providers under the framework of national digital health legislation.

  • Southern European public systems (Spain, Italy, Portugal) have statutory access rights but face greater variation at the regional level, with implementation quality tied closely to regional health authority capacity.

The key point for decision makers is that these obligations are real and enforceable, but they are administered through health ministry frameworks rather than data protection authorities. This means the supervisory body, the enforcement mechanism, and the applicable timeline may all differ from those that apply to a private provider under GDPR. The GDPR's other obligations, including the Article 15 right of access and the security requirements, still apply to public providers and remain under data protection authority supervision.

How private healthcare providers are treated under GDPR

Private healthcare providers that process patient data on the basis of consent or contract are directly subject to GDPR Article 20. This applies to the majority of private clinics, specialist practices, and independent diagnostic services operating in the EU where no statutory mandate governs the processing relationship.

Under Article 20, patients can request:

  • Their personal data in a structured, commonly used, machine-readable format

  • Direct transmission of that data to another controller, where technically feasible

  • A response within one month of the request (Article 12(3)), extendable by a further two months where requests are complex or numerous, provided the patient is told of the extension and the reasons for it within the first month

What counts as "personal data" for portability purposes in a clinical context is broader than many private providers assume. Following the Article 29 Working Party guidelines on portability (WP242, endorsed by the EDPB), data "provided by" the patient includes both data actively supplied (registration information, medical history given at intake) and data observed from the patient through the service relationship (appointment records, measurements, test results). It does not include data the provider has inferred or derived from that input, such as a diagnosis, a risk score, or an AI-generated clinical code. Consultation notes that record the clinician's own assessment sit close to that inferred category and should be classified deliberately rather than exported by default.

"Machine-readable" under GDPR means a format that a computer can process automatically, such as JSON, XML, or CSV, rather than a scanned PDF or printed document; the WP242 guidelines also expect the export to carry as much metadata as possible so the receiving controller can interpret it. In practice, many private medical record systems can export data in these formats, but producing a clinically meaningful, structured export that preserves coding, terminology, and record relationships is a separate technical challenge.

The European Health Data Space: closing the gap between sectors

The EHDS Regulation is the most significant development in this area for healthcare decision makers to track. Its central ambition is to establish a consistent framework for health data access and portability that applies across both public and private providers, closing the gap created by GDPR's lawful basis dependency.

The EHDS introduces several mechanisms directly relevant to portability:

  • A strengthened primary use portability right under Article 3(8), which goes beyond GDPR Article 20 by removing the lawful-basis restriction: it covers electronic health data processed under any of the Article 9 GDPR bases, not just consent or contract. The right is, however, limited to data holders from the health and social security sector. Within that sector, patients will be able to seek portability of health data from public providers that previously fell outside the scope of GDPR Article 20.

  • The MyHealth@EU infrastructure, which enables cross-border access to patient health data across participating Member States, with national contact points coordinating interoperability.

  • Standardised data formats, through a European electronic health record exchange format to be specified in implementing acts, with HL7 FHIR emerging as the interoperability baseline for medical record systems under EHDS requirements.

  • Health Data Access Bodies (HDABs), which will govern secondary use of health data by researchers, industry, and public bodies, subject to a permit system rather than individual consent.

As Skadden's legal briefing on the EHDS confirms, all EU-established healthcare providers, including hospitals, clinics, and private practices, are subject to the same EHDS compliance obligations for data sharing, interoperability, and patient access. For the regulation's secondary-use obligations, non-compliance carries administrative fines at GDPR-equivalent levels; enforcement of the primary-use rights falls to the authorities that already supervise the GDPR.

The academic literature flags important ambiguities in the EHDS text. A peer-reviewed analysis in Computer Law & Security Review notes a tension between Recital 12, which calls for portability to apply to any private or public data controller, and Article 3(8) itself, which confines obligations to data holders "from the health and social security sector." The precise scope of who qualifies as a health data holder in edge cases (wellness apps, occupational health providers, telemedicine platforms) remains subject to interpretation.

Record transfer timelines: a comparison by provider type and market

Response timelines for portability and record transfer requests vary significantly depending on provider type, applicable law, and jurisdiction.

Context | Applicable framework | Timeline
Private provider (consent/contract basis) | GDPR Article 20 (deadline set by Article 12(3)) | One month; extendable by a further two months
Public provider (public task basis) | National health law | Varies by Member State
Germany (private and public) | Patient Rights Act (§ 630g BGB) | Without undue delay
France | National digital health legislation | Varies by record type
Post-EHDS (all providers) | EHDS primary use provisions | To be specified in implementing acts

The EHDS is expected to introduce more harmonised deadlines across Member States, but the specific timelines for patient-facing portability requests under the EHDS primary use framework will be determined through implementing acts and national implementing legislation (the EHDS is a regulation and applies directly, but it leaves a number of operational choices to Member States). Decision makers should monitor national EHDS implementation closely, as it will set the operational parameters for compliance programmes.

Format requirements: structured data, interoperability, and what systems must support

GDPR requires that portable data be provided in a machine-readable format but does not mandate a specific technical standard. This has produced significant variation in practice, with some providers supplying JSON or XML exports and others offering CSV files that lack structured notes or terminology context.

The EHDS addresses this directly. As confirmed by A&O Shearman's analysis of EHDS medical record system requirements, the regulation requires health data holders to maintain structured, interoperable data in formats compatible with the EHDS technical framework, with HL7 FHIR as the emerging standard for clinical data exchange.

For medical record systems operating across public and private environments, this creates several practical requirements:

  • The ability to export structured clinical data in HL7 FHIR-compliant formats, preserving SNOMED CT codes, ICD classifications, and medication terminology

  • Patient-facing access portals that allow individuals to view, download, and transmit their records without requiring administrative intermediation

  • Audit logging of all data access and export events, to demonstrate compliance with both GDPR accountability obligations and EHDS access controls

  • Interoperability with national medical record system infrastructure (such as Germany's TI, France's Mon Espace Santé, or Finland's Kanta) where applicable

Legacy systems in public institutions present a particular challenge. Many national health systems operate on medical record system platforms that were not designed with structured data export in mind, and the cost and complexity of upgrading or replacing these systems is substantial. Research into EHDS-compliant secure infrastructure highlights that meeting Article 50's requirements for secure processing environments and interoperability standards requires significant technical investment, particularly in institutions that have historically operated siloed, non-interoperable systems.

Consent conditions and lawful basis: why they change everything

The lawful basis a provider relies on for processing patient data is the single most consequential variable in determining which portability obligations apply. This is not a technical detail. It is the foundation of the entire compliance analysis.

For public healthcare providers, the relevant bases are typically Article 6(1)(c) (legal obligation) and Article 6(1)(e) (public task), combined with Article 9(2)(h) (health or social care purposes) for special category data. These bases exclude the provider from GDPR Article 20 but do not eliminate all portability-adjacent obligations. National health law still governs record access and transfer.

For private healthcare providers, the position is more complex. Many process data under a combination of bases: consent for optional data uses (marketing, research participation), contract for the core treatment relationship, and in some cases legal obligation for mandatory reporting. The portability right under GDPR Article 20 attaches only to data processed under consent or contract. This means a private provider must be able to identify, at the record level, which data was processed on which basis.

Mixed-model providers, such as private clinics contracted to deliver services within a public health system, or public hospitals with private patient wings, face the most complex analysis. Arnold & Porter's advisory on the EHDS notes that the EHDS definition of "health data holder" applies to any legal person with the right or obligation to process personal health data, regardless of whether they are nominally public or private. Natural persons and microenterprises (fewer than 10 employees and annual turnover or balance sheet total not exceeding €2 million) are excluded from health data holder obligations by default, though Member States may extend obligations to them.

A PubMed-indexed analysis of the EHDS secondary use framework notes that the regulation's design reflects a deliberate policy choice to move away from consent as the primary mechanism for health data governance, replacing it with a permit-based system administered by Health Data Access Bodies for secondary use. For primary use, the strengthened portability right under Article 3(8) sidesteps the lawful basis dependency, but only once the relevant EHDS provisions become applicable in March 2029.

Cross-border portability: what happens when patients move between Member States

Cross-border record portability is the area where fragmentation is most acute and where the EHDS is expected to have the greatest practical impact. Currently, a patient moving from France to the Netherlands, or a cross-border worker receiving care in a different Member State, has no reliable mechanism to ensure their health records transfer with them. National medical record systems use different data models, different coding systems, and different access protocols.

The EHDS addresses this through the MyHealth@EU infrastructure, which requires Member States to participate in cross-border health data exchange through national contact points. The infrastructure builds on the existing epSOS/eHealth Digital Service Infrastructure (eHDSI) framework but significantly expands its scope and legal mandate.

Research on EHDS Health Data Access Body implementation identifies several persistent challenges for cross-border secondary use of health data: inconsistent digital health system maturity across Member States, varying data quality standards, and the absence of harmonised governance frameworks for Health Data Access Bodies. These challenges apply with equal or greater force to primary use cross-border portability, where the technical and legal infrastructure for seamless record transfer remains underdeveloped in most Member States.

For providers operating in border regions, such as the German-French border, the Benelux corridor, or the Nordic cross-border labour market, or serving internationally mobile patient populations, the current practical approach involves patient-held records (paper or digital) as a bridge solution until the EHDS infrastructure is operational.

Practical implications for IT infrastructure in mixed public-private environments

For decision makers managing IT across both public and private care settings, the legal analysis above translates into a set of concrete operational requirements.

Supporting multiple lawful bases within a single platform is the most immediate challenge. A medical record system used in a mixed-model environment must be capable of recording and acting on different processing bases for different data categories and patient populations, and of generating portability exports that correctly reflect which data qualifies under GDPR Article 20 versus which data will be covered by EHDS Article 3(8) once in force.

Audit and logging obligations apply across both frameworks. GDPR accountability requirements (Article 5(2)) require controllers to demonstrate compliance, which in practice means logging all data access, export, and transfer events. EHDS adds further logging requirements for health data access body interactions and cross-border exchanges.
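As an added example (not code from the page, nor from any product or project it mentions), the following Python sketch shows the three pieces the paragraphs above and the earlier discussion of record-level lawful bases call for: data tagged at the record level with the basis it was captured under, an export that admits only consent/contract and non-derived data under GDPR Article 20 but every record under the EHDS primary-use scope, and a hash-chained audit entry for each export so later edits to the log are detectable. The `basis` and `derived` fields, the four sample records, the `urn:example:lawful-basis` extension URL and the audit log layout are assumptions of the example; treating derived data as in scope for the EHDS export is likewise an assumption, since the regulation text discussed on this page does not settle it.

```python
"""Record-level lawful-basis tagging, an Article 20-scoped FHIR-style export
and a tamper-evident audit entry per export. Added example; field names,
sample records, the extension URL and the log format are assumptions."""
import hashlib
import json
from datetime import datetime, timezone

SNOMED = "http://snomed.info/sct"
LOINC = "http://loinc.org"
ICD10 = "http://hl7.org/fhir/sid/icd-10"
BASIS_EXT = "urn:example:lawful-basis"  # hypothetical extension URL

# Constructed sample data for one patient of a mixed-model provider (not real
# patient data). "basis" is the GDPR lawful basis recorded at capture time;
# "derived" marks data the provider inferred rather than received or observed.
SAMPLE_RECORDS = [
    {"id": "obs-001", "type": "Observation", "basis": "contract",
     "coding": {"system": SNOMED, "code": "271649006",
                "display": "Systolic blood pressure"},
     "value": 138, "unit": "mm[Hg]"},
    {"id": "obs-002", "type": "Observation", "basis": "consent",
     "coding": {"system": LOINC, "code": "72166-2",
                "display": "Tobacco smoking status"},
     "value": "Former smoker"},
    {"id": "cond-001", "type": "Condition", "basis": "public_task",
     "coding": {"system": ICD10, "code": "I10",
                "display": "Essential (primary) hypertension"}},
    {"id": "risk-001", "type": "RiskAssessment", "basis": "contract",
     "derived": True,
     "coding": {"system": SNOMED, "code": "225338004",
                "display": "Risk assessment"},
     "value": 0.12},
]


def article20_scope(rec):
    """GDPR Art. 20: consent or contract as the basis, and data provided by
    or observed from the patient; derived/inferred data is out of scope."""
    return rec["basis"] in {"consent", "contract"} and not rec.get("derived", False)


def ehds_primary_use_scope(rec):
    """EHDS Art. 3(8) as the page describes it: any lawful basis. Including
    derived data here is an assumption of this example."""
    return True


def to_resource(rec):
    """Map an internal record to a FHIR R4-shaped resource, keeping the
    original terminology coding and carrying the lawful basis along."""
    resource = {
        "resourceType": rec["type"],
        "id": rec["id"],
        "code": {"coding": [rec["coding"]]},
        "extension": [{"url": BASIS_EXT, "valueCode": rec["basis"]}],
    }
    value = rec.get("value")
    if rec["type"] == "RiskAssessment":
        resource["prediction"] = [{"probabilityDecimal": value}]
    elif isinstance(value, (int, float)):
        resource["valueQuantity"] = {"value": value, "unit": rec["unit"]}
    elif isinstance(value, str):
        resource["valueString"] = value
    return resource


def build_bundle(records, in_scope):
    """Collection Bundle holding only the records the selector admits."""
    return {"resourceType": "Bundle", "type": "collection",
            "entry": [{"resource": to_resource(r)} for r in records if in_scope(r)]}


def append_audit(log, actor, action, patient_id, record_ids, now=None):
    """Append a hash-chained event: each hash covers the event and the
    previous hash, so a modified or removed entry breaks verification."""
    event = {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "actor": actor, "action": action, "patient": patient_id,
        "records": sorted(record_ids),
        "prev": log[-1]["hash"] if log else "0" * 64,
    }
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    event["hash"] = hashlib.sha256(payload.encode()).hexdigest()
    log.append(event)
    return event


def verify_audit(log):
    """Recompute every hash and check the chain links; False on any tampering."""
    prev = "0" * 64
    for event in log:
        body = {k: v for k, v in event.items() if k != "hash"}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
        if body["prev"] != prev or hashlib.sha256(payload.encode()).hexdigest() != event["hash"]:
            return False
        prev = event["hash"]
    return True


SCOPES = {"gdpr_art20": article20_scope, "ehds_primary_use": ehds_primary_use_scope}


def export_for_request(records, regime, patient_id, actor, audit_log):
    """Produce the export for the requested regime and record the event."""
    bundle = build_bundle(records, SCOPES[regime])
    append_audit(audit_log, actor, "export:" + regime, patient_id,
                 [e["resource"]["id"] for e in bundle["entry"]])
    return bundle


if __name__ == "__main__":
    log = []
    for regime in ("gdpr_art20", "ehds_primary_use"):
        bundle = export_for_request(SAMPLE_RECORDS, regime, "pat-001", "patient-portal", log)
        print(regime, [e["resource"]["id"] for e in bundle["entry"]])
    print("audit chain intact:", verify_audit(log))
```

Run stand-alone, the Article 20 export contains only the blood pressure reading and the smoking-status questionnaire answer: the hypertension diagnosis is excluded because it was processed under a public task, and the risk score because it is derived. The EHDS export returns all four. The hash chain only makes in-place edits detectable; an attacker who can rewrite the whole log can recompute every hash, so anchor the latest hash somewhere the application cannot overwrite (a write-once store, periodic signing, or an external log sink) before relying on it for Article 5(2) accountability.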

Interoperability architecture decisions made now will determine compliance readiness in 2027 to 2029. The EU Data Act (Regulation (EU) 2023/2854), which became applicable on 12 September 2025, adds further data-sharing obligations for connected medical devices and digital health tools, creating an additional compliance layer for private providers using IoT-enabled clinical equipment or wearable health monitoring devices. For a broader overview of the regulatory landscape, see our guide to EU healthcare AI regulations.

Patient-facing access portals are increasingly a compliance requirement. Both GDPR (through the right of access under Article 15) and EHDS (through the primary use access right) require that patients can access their data in a timely and accessible manner. Providers that rely on manual request processes, such as paper forms, administrative teams, or postal delivery, face both compliance risk and operational inefficiency as request volumes increase.

Key compliance gaps to assess before EHDS implementation

The most common areas where public and private providers currently fall short of the emerging compliance standard are identifiable from the legal and technical analysis above. For IT and compliance teams building roadmaps ahead of EHDS phased deadlines, the following represent the highest-priority gaps:

  • Non-machine-readable record formats: Many providers, particularly in public systems, still generate clinical documentation in formats such as scanned PDFs or proprietary legacy formats that cannot be automatically processed. Meeting EHDS format requirements will require either system replacement or middleware solutions capable of transforming legacy outputs into HL7 FHIR-compliant exports.

  • Absence of patient-facing data access portals: Providers that have not yet deployed self-service patient portals will need to build or procure this capability. The EHDS primary use framework assumes digital access as the default.

  • Unclear consent documentation in private settings: Private providers that rely on consent as a lawful basis for some processing must be able to demonstrate that consent was freely given, specific, informed, and unambiguous, and, because health data is special category data, explicit (Article 9(2)(a)). They must also be able to link consent records to specific data categories for portability purposes.

  • Legacy medical record systems that cannot export structured data: This is the most significant infrastructure gap in public health systems. IMPaCT-Data research on EHDS-compliant infrastructure demonstrates that meeting EHDS Article 50 security and interoperability requirements demands substantial technical investment, and that many existing public sector medical record system deployments lack the architecture to support it without significant remediation.

  • Unclear classification of mixed-model processing: Providers that operate across public and private modalities without a clear mapping of which activities rely on which lawful basis are exposed to both GDPR and EHDS compliance risk. A documented processing activity mapping, updated to reflect EHDS health data holder obligations, is a foundational prerequisite.

A genuine limitation in the current state of the evidence is worth acknowledging. Academic analysis of the EHDS portability provisions identifies unresolved ambiguities in the regulation's text that will only be clarified through implementing acts, national implementing legislation, and eventually supervisory authority guidance or case law. Decision makers should treat current compliance assessments as working hypotheses subject to revision as the regulatory framework matures, rather than as fixed conclusions.

The evolution of the health data concept across GDPR, the Data Governance Act, and the EHDS reflects a deliberate policy trajectory toward greater data access and cross-sector portability. The pace of implementation, and the degree of harmonisation achieved in practice, will depend heavily on national implementation choices that are still being made across EU Member States.

Frequently asked questions

Does GDPR give patients the right to port their health data from any provider?

No. The General Data Protection Regulation's right to data portability under Article 20 applies only where processing is based on consent or contract. Most public healthcare providers process patient data under a statutory mandate, which means Article 20 doesn't apply to them. Patients seeking to transfer records from a public hospital must rely on national health law instead, which varies considerably across EU Member States.

What is the European Health Data Space and when does it apply?

The European Health Data Space (EHDS) is an EU regulation (Regulation (EU) 2025/327) that entered into force on 26 March 2025. It introduces a sector-specific framework for health data access and portability that sits alongside the General Data Protection Regulation rather than replacing it. General provisions apply from March 2027, with primary and secondary use rules following in March 2029. It applies to all EU-established healthcare providers, including both public hospitals and private clinics.

How does the EHDS change portability rights compared to GDPR?

The EHDS introduces a strengthened portability right under Article 3(8) that removes the lawful basis restriction found in GDPR Article 20. This means patients will be able to request portability of their health data from public providers that previously fell outside GDPR's scope. However, this right applies only to data holders from the health and social security sector, and it does not become applicable until March 2029.

What format must providers use when responding to a portability request?

Under GDPR, portable data must be provided in a structured, commonly used, machine-readable format such as JSON, XML, or CSV. A scanned PDF or printed document doesn't meet this requirement. The EHDS goes further by requiring health data holders to maintain structured, interoperable data compatible with the EHDS technical framework, with HL7 FHIR emerging as the standard for clinical data exchange.

How long does a private provider have to respond to a data portability request?

Under GDPR Article 20, a private provider processing data on the basis of consent or contract must respond within one month of receiving the request. Where requests are complex or numerous, this can be extended by a further two months, provided the provider notifies the patient within the first month. Public providers are governed by national health law, and timelines vary by Member State.

What portability obligations apply to mixed-model providers?

Mixed-model providers, such as private clinics contracted to deliver services within a public health system, face the most complex compliance analysis. The EHDS defines a "health data holder" as any legal person with the right or obligation to process personal health data, regardless of whether they're nominally public or private. This means mixed-model providers need a clear mapping of which activities rely on which lawful basis to assess their obligations accurately under both GDPR and the EHDS.

How does cross-border portability work for patients moving between EU Member States?

Currently, there's no reliable mechanism for patients moving between Member States to ensure their health records transfer with them. National medical record systems use different data models, coding systems, and access protocols. The EHDS addresses this through the MyHealth@EU infrastructure, which requires Member States to participate in cross-border health data exchange through national contact points. Until that infrastructure is operational, patient-held records remain the practical bridge solution for internationally mobile patients.

What are the most common compliance gaps providers should address before EHDS deadlines?

The highest-priority gaps identified in the article are: clinical documentation stored in non-machine-readable formats such as scanned PDFs; the absence of patient-facing self-service data access portals; unclear consent documentation in private settings; legacy medical record systems that can't export structured data in HL7 FHIR-compliant formats; and the absence of a documented processing activity mapping that distinguishes public task processing from consent or contract-based processing.

Does the EHDS apply to small private practices and microenterprises?

Natural persons and microenterprises, defined as organisations with fewer than 10 employees and an annual turnover or balance sheet total not exceeding €2 million, are excluded from health data holder obligations under the EHDS by default. However, Member States have the option to extend these obligations to them through national implementing legislation, so providers in this category should monitor their own jurisdiction's implementation closely.

What does the EHDS mean for medical record systems in public institutions?

Public institutions face a significant infrastructure challenge. Many national health systems operate on medical record system platforms that weren't designed with structured data export in mind. Meeting EHDS Article 50 requirements for secure processing environments and interoperability standards demands substantial technical investment. Research cited in the article confirms that many existing public sector deployments lack the architecture to support EHDS compliance without significant remediation work.

Start using Tandem today

Join thousands of health and social care professionals and enjoy worry-free documentation.