Day 1: Wednesday October 15th, 2025

14:00 – 14:15 – OPENING FROM PIERRE YVES LASTIC PRESIDENT OD EHDPC

Charting the Future of Data Protection: EDPB’s Pseudonymisation Guidance and What’s Next

14:15 – 15:00 – Opening Plenary – Session 1 – Key Note Speaker EDPB

Key note speech EDPB guidance

This session will explain the data protection issues that DPOs need to be aware of and potentially to approve when AI systems for use by clinicians or patients are being adopted by a healthcare organisation. These issues include checkpoints at the time of procurement and points to be included in service level agreements.

Data protection concerns include the access provided to the AI algorithm from the EHR system and where that processing will take place, including possibly at he patient’s home or at the developer’s site which might be in another country.

Machine learning and AI improvement requires data feedback loops to the developer of the patient level outcome from the AI outputs, which normally needs to be pseudonymised and not anonymised data. The legal basis for these processing steps and flows will be discussed, including the data use and security safeguards to be required of AI developers. DPOs might also need to be involved in the local monitoring arrangements and handling breach and escalation policies related to AI systems.

Transparency and good practice in explainability to patients and clinicians will also be discussed.

15:00 – 16:15 – PANEL 1 – Pseudonymisation vs. Anonymisation: Navigating EDPB Guidance, Health Data Realities, and Case Law

• In France, CNIL has carried out a public consultation to improve its Reference Methodologies on biomedical research. It has also put in place a team dedicated to the use of Artificial Intelligence, a technology now widely used in healthcare and medical research.
• At the EU level, the European Data Protection Board is working on new anonymisation and pseudonymisation guidelines
• Several national authorities are working on updating their regulatory framework to prepare the implementation of the European Health Data Space

16:15 – 16:45 – COFFEE BREAK AND NETWORKING

16:45 – 18:15 – Plenary 2 – How will EHDS Health Data Access Bodies anonymise and pseudonymise and synthetize data sets?

The EHDS Regulation extends the legal rights under GDPR to authorise Health Data Access Bodies, appointed by each EU country, with powers to perform anonymisation and pseudinymisation of health data sets in order to make them available for research or other secondary uses. This means that they will be legally permitted to anonymise data sets e.g. from a hospital, that have NOT been de-identified at source. Even if this is permitted under extended GDPR, healthcare providers might need assurance of the capability of HDABs to perform this to a suitable high standard and to give immunity to the healthcare data source for any data breaches or compaints that arise.

18:15 – 20:00 – COCKTAIL AND NETWORKING