Kristof Van Quathem and Anna Oberschelp de Meneses of Covington & Burling write:
On July 12, 2019, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a joint opinion on the processing of patient data and the role of the European Commission within the eHealth Digital Service Infrastructure (“eHDSI”).
[…]
The opinion focuses particularly on the processing of patient data. It confirms that Member States act as “joint controllers” and the European Commission acts as a processor. The opinion indicates that the European Commission has “a certain degree of involvement in the processing of personal data, also in terms of defining security and communication standards”. However, the European Commission does not have a “decision-making power in terms of defining the purpose or the essential means relating to the processing operation.”
Read more on InsidePrivacy.