In year 1 of the SEISMED project, the Katholieke Universiteit Leuven coordinated the inventory and analysis of medical personal data protection legislation in Europe. A report on legal issues of medical data protection legislation in Europe was written by the Vrije Universiteit Amsterdam, the Centre National pour la Recherche Scientifique (Paris) and the University College Dublin. This report served as a basis for a second important legal deliverable, i.e. the Health Informatics Deontology Code. In this third and final report, we take into account the results of the other two legal reports and we formulate recommendations for the national and European legislator. This report analyses critically the upcoming privacy directive. We propose several recommendations which should be taken into account by the European and national legislator. We focused quite extensively on the use of medical data for research purposes. We had several reasons to do this. One of them is the fact that the use of medical data for research purposes is very popular, in particular now the health care sector is becoming more and more ‘standardized’ by using computers, networksystems and telematics. Legislation is therefore needed. Moreover, the use of medical data for research purposes involves the transfer of data from one Member State to another. Therefore, a harmonized legislation is really needed. We hope that the recommendations we propose, will be taken into consideration by the European legislator.