Day 1: Wednesday October 15th, 2025
14:00 – 14:15 – Congress Opening by Pierre-Yves Lastic – General Secretary of EFDPO and EHDPC Chairman
14:15 – 16:15 – Opening Plenary Session : Anonymization and pseudonymization in practice
Introductory presentations
-The EDPB 2025 pseudonymisation guidance. Gwendal Legrand (EDPB) (to be confirmed)
– Anonymization and pseudonymization case law. Patrice Navarro (Clifford Chance )
Panel discussion
« Navigating EDPB Guidance, Health Data Realities, and Case Law »
This session will explain the data protection issues that DPOs need to be aware of and potentially to approve when AI systems for use by clinicians or patients are being adopted by a healthcare organisation. These issues include checkpoints at the time of procurement and points to be included in service level agreements.
Data protection concerns include the access provided to the AI algorithm from the EHR system and where that processing will take place, including possibly at he patient’s home or at the developer’s site which might be in another country.
Machine learning and AI improvement requires data feedback loops to the developer of the patient level outcome from the AI outputs, which normally needs to be pseudonymised and not anonymised data. The legal basis for these processing steps and flows will be discussed, including the data use and security safeguards to be required of AI developers. DPOs might also need to be involved in the local monitoring arrangements and handling breach and escalation policies related to AI systems.
Transparency and good practice in explainability to patients and clinicians will also be discussed.
Chair
Pierre-Yves LASTIC
EFDPO
Paris, France
Chair
Winnie DONGBOU
MyDataTrust
Paris, France
Panelist 1
Gwendal LEGRAND
EDPB
Paris, France
Panelist 2
Patrice NAVARRO
Clifford Chance
Paris, France
16:15 – 16:45 – COFFEE BREAK AND NETWORKING
16:45 – 18:15 – Plenary 2 – How will EHDS Health Data Access Bodies anonymise and pseudonymise and synthetize data sets?
The EHDS Regulation extends the legal rights under GDPR to authorise Health Data Access Bodies, appointed by each EU country, with powers to perform anonymisation and pseudinymisation of health data sets in order to make them available for research or other secondary uses. This means that they will be legally permitted to anonymise data sets e.g. from a hospital, that have NOT been de-identified at source. Even if this is permitted under extended GDPR, healthcare providers might need assurance of the capability of HDABs to perform this to a suitable high standard and to give immunity to the healthcare data source for any data breaches or compaints that arise.
Chair
Dipak KALRA
I-HD
Gent, Belgium
SPEaker 1
Daniela will
IAPP – International
Bavières, Germany
Speaker 2
Petra Wilson
Health Connect Partners
Oxford, United Kingdom
Speaker 3
Maud DECRAENE
IHU ICAN
Paris, France
18:15 – 20:00 – COCKTAIL AND NETWORKING