Consent & Data Rights
Understand how data consent works in CRANE and your rights as a participant.
What is the CRANE Data Marketplace?
CRANE is an H2020 Pre-Commercial Procurement European project that aims to develop an integrated self-management model to improve chronic patient's wellbeing through the European Health Data Space concept implementation. The CRANE Data Marketplace serves as a secure digital ecosystem where organisations can publish, discover, and exchange data services under a shared governance framework. It acts as a directory service of governed Data Sources within the CRANE health data ecosystem. Unlike traditional data-sharing arrangements, it provides a structured environment where multiple organisations, including healthcare providers, social care systems, and the welfare tech industry, can participate and enter into bilateral agreements dynamically in a trusted and governed manner.
What is a Data Agreement?
A Data Agreement specifies the precise terms governing how data can be utilised and shared between an individual and an organisation. Often formulated based on a Data Protection Impact Assessment (DPIA), it creates a clear contractual relationship that protects both data providers and consumers whilst enabling legitimate data flows.
What is a Data Disclosure Agreement?
Derived from a Data Agreement, the Data Disclosure Agreement (DDA) formalises the specific conditions under which data is made available and accessed between two organisations. It provides transparency on data characteristics, quality, and permissible use cases before any exchange occurs.
The Data Exchange Agreements (DEXA) Landscape
The diagram below illustrates the Data Exchange Agreements (DEXA) landscape that underpins the CRANE Data Marketplace. It shows how the different agreement types work together to enable trusted, governed data exchange across the ecosystem.
At the centre is the Individual (citizen or patient), connected to organisations through Data Agreements that define the terms of data usage. Organisation A (the Data Source / Issuer / Data Producer) and Organisation B (the Data Using Service / Verifier / Data Consumer) are linked by a Data Disclosure Agreement that governs organisation-to-organisation data sharing. A Data Processing Agreement connects the data Supplier to Organisation A.
Above the individual, a Delegate can act on their behalf through a Delegation Agreement, supporting caregiver scenarios. Each organisation holds a Business Wallet for cryptographic identity verification using eIDAS 2.0, while the Delegate uses an EUDI Wallet.
This framework ensures that every data transaction, whether between an individual and an organisation, or between two organisations, is governed by explicit, auditable agreements aligned with GDPR and the European Health Data Space concept.

Data Exchange Agreements (DEXA) Landscape adopted in CRANE
Trust and Verification
All ecosystem data transactions leverage eIDAS 2.0-based Business Wallets to provide cryptographic verification of each organisation's identity (via Legal Person Identification Data). This technical infrastructure ensures that all marketplace participants are who they claim to be, creating a foundation of trust essential for secure data exchange. As CRANE aims to build trust with patients through transparent and open policies, the use of verifiable credentials and decentralised identity ensures that data sharing is both secure and auditable.
Your Data Rights (Citizens)
A core goal of CRANE is to help citizens move from being passive patients to active, empowered participants in their own health by giving them access, new insights, and control of their own data through GDPR legislation and the European data strategy. As a citizen within the CRANE d-HDSI ecosystem, you have full control over how your personal health data is collected, processed, and shared. Every organisation participating in the ecosystem integrates two key modules into their applications to ensure transparency and empower you to exercise your rights under GDPR.
Privacy Dashboard
The Privacy Dashboard is a data rights management interface integrated into the citizen's mobile application. Built on ISO standards (ISO 27560), it provides a clear overview of every data processing activity involving your personal data.
As shown in the screenshot, the Privacy Dashboard presents an Overview section with contact details for the Data Protection Officer, followed by a list of all Data Agreements associated with your account. Each agreement represents a specific dataset, for example Continuous Glucose Monitoring (CGM), User Registration Data, Insulin Usage, Research Use of Data, or Contractual Purpose. Beside each agreement is a toggle switch showing the current status: Allow (green) or Disallow (grey). You can tap any agreement to view its full details or tap the toggle to change your consent preference in real time.
Through the Privacy Dashboard, you can:

Privacy Dashboard: Citizens can view and control all data agreements with Allow/Disallow toggles
Consent Module
When data is shared between CRANE d-HDSI ecosystem participants, the Consent Module activates to ensure you are fully informed before any data exchange occurs.
The Consent Module presents:
You can review all data attributes that will be exchanged before giving or withdrawing consent, in accordance with Article 7. This ensures every data sharing transaction is transparent and under your control.

Data Agreement details: Citizens can review all data attributes before giving or withdrawing consent
Your GDPR Rights in Practice
The CRANE d-HDSI ecosystem is built on the foundational principles of GDPR Article 5, which requires that personal data is processed lawfully, fairly, and transparently. All data processing within the ecosystem must have a valid lawful basis under GDPR Article 6, whether that is consent, contractual necessity, legitimate interest, or another legal ground.
Through the Privacy Dashboard and Consent Module, you can exercise the following rights:
These rights are built directly into the ecosystem's technical infrastructure, making them easy to exercise without complex legal procedures. The Privacy Dashboard provides a unified view across all participating organisations, ensuring full transparency.
About the CRANE Project
CRANE is an H2020 Pre-Commercial Procurement European project addressing the comprehensive treatment of chronic diseases in rural areas: Region Västerbotten in Sweden, Extremadura in Spain, and Agder in Norway. It aims to empower citizens to become active managers of their own health through secure, transparent data sharing built on the European Health Data Space concept.
Visit the CRANE project website →GDPR Reference