Regulatory framework

This subtopic contains an overview of the EU data protection and cybersecurity regulatory framework. It is aimed at lawyers who need a high level overview of the legal framework and key issues, and who are not specialised in data protection. For in-depth practical guidance on data protection, see the Information Law practice area (subject to subscription).

Data protection

Data protection law in the EEA (the EU plus Iceland, Norway, and Liechtenstein) is intended to ensure information about living individuals (within the definition of ‘personal data’) is used fairly and responsibly.

To help ensure that, data protection laws impose a large number of obligations on those ‘processing’ personal data (and on controllers of such processing) and grant rights to those whose personal data is processed (the ‘data subjects’). In summary, ‘processing’ includes doing almost anything with personal data, including storing, sharing, deleting or using it.

This part of the subtopic primarily addresses EEA data protection law, the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), that apply to ‘general’ processing of personal data. The regime is referred to as ‘general’ since there are special regimes applicable

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest EU Law News

Commission publishes 2025 Enlargement Package assessing EU accession progress

The European Commission published its annual Enlargement Package on 4 November 2025, assessing progress by 10 EU candidate countries including Montenegro, Albania, Ukraine, Moldova, Serbia, North Macedonia, Bosnia and Herzegovina, Kosovo, Türkiye and Georgia. Montenegro closed four negotiation chapters and targets completing negotiations by end-2026, while Albania opened four clusters aiming for 2027 completion. Ukraine and Moldova both completed screening processes and met conditions to open three clusters each, targeting negotiations closure by 2028. The Commission announced future Accession Treaties will include stronger safeguards against rule of law backsliding.

Calls to reform medical device legislation to permit non-essential information via a digital label

MedTech Europe and other trade bodies have called on the European Commission and EU legislators to revise the medical device legislation currently under review to permit additional non-essential information about medical devices to be provided by digital label, such as for the importer and authorised representative information. Ultimately, the position paper endorses that all medical device information that is not essential for the device's safe use should be provided in a digital format pending the outcome of the IHI Call 10 Digital label project

EU Pharma industry calls for greater clarification of HTA guidance and PICO exercises

The application of Joint Clinical Assessments (JCA) of medicines under Regulation (EU) 2021/2282 (EU HTA) which is initiated through a PICO framework- Population, Intervention, Comparator(s), and Outcomes - that defines the JCA scope was implemented in January 2025 for oncology medicines and advanced therapeutics. The Coordination Group on HTA (HTACG) published the 'Guidance on the scoping process' in November 2024 followed by six 'PICO simulation exercises' in February 2025. The EFPIA has issued a response to these support materials by presenting a three questions that require further clarification and recommendations for the successful implementation of the JCA process under the HTA Regulation. In particular, it cites the interplay between population and comparator is an area of concern which determines the number of PICOs required and states that 'further refinement is needed' for how PICOs are proposed, consolidated, and communicated. It highlights that the overall scoping process lacks transparency on how assessors and co-assessors formulate initial PICO proposals and suggests that a formal consultation process with health tech developers be introduced during the drafting of proposed PICOs. It questions the logic of consolidated decisions and feels the role of Member State dialogue is unclear in the guidance and PICO exercises. Finally, it cautions that if the JCA contains an overwhelming volume of data or insufficient evidence where the consolidated PICO imposes an evidence standard then this can undermine the purpose of the JCA.

MedTech Europe responds to Waste shipment Regulation consultation

MedTech Europe sets out its response to the EU consultation on Regulation (EU) 2024/1157 harmonising the classification of certain waste types (so-called 'green-listed' waste) to facilitate their shipments across borders. It welcomes the European Commission’s efforts to modernise waste rules and promote recycling but warns that some proposed measures, such as extending the Prior Informed Consent procedure to all intra-EU shipments of e-waste, could create significant administrative burdens, delays and costs. It emphasises the need for clear definitions of waste and end-of-life products, uniform classification systems, and consistent templates and guidelines across the EU. MedTech Europe also urges the maintenance of 'green-list' status for non-hazardous intra-EU e-waste shipments and supports streamlined approval, renewal and documentation procedures, ideally through EU-level or digital systems. MedTech Europe provides a set of general improvement suggestions to future-proof the waste shipment rules that include calling for specific regulation to address products/waste that is not used by consumers and for waste from clinical trials and aligning these rules with medical device legislation. It points out that 'a perfectly safe product for use becomes hazardous under the WSR and the Basel Convention. We recommend aligning all these frameworks to facilitate compliance for intra-EU shipments by, for example, establishing contamination thresholds aligned with the existing legal requirements under the other EU acquis'.