Health data is the most protected category under GDPR — here's what digital health founders need to know.
Why Health Apps Face the Strictest GDPR Obligations
Not all personal data is treated equally under GDPR. Health data sits in a special category — alongside biometric data, genetic data, and mental health records — that attracts the highest level of regulatory scrutiny and the most stringent compliance obligations.
Article 9 of GDPR explicitly prohibits processing special category data unless one of a narrow list of exceptions applies. For health apps, this isn't a theoretical concern. If your app tracks symptoms, records medications, monitors menstrual cycles, collects fitness metrics, or even asks users to self-report whether they feel anxious or tired — you are processing special category health data, and the baseline GDPR rules are not enough.
The consequences of getting this wrong are severe. Regulators have shown they treat health data violations as priority enforcement targets. The Irish DPC fined Meta €265 million for a data breach. France's CNIL has targeted health data processors specifically. In the UK, the ICO has signalled that health app compliance is a growing enforcement focus.
What Counts as Health Data Under GDPR
Article 4(15) defines health data as "data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about his or her health status."
That definition is broader than most founders expect. Health data includes:
- Symptom tracking — recording that a user has a headache, fatigue, or shortness of breath
- Medication logs — tracking what drugs a user takes, at what doses, and when
- Mental health data — mood tracking, anxiety scores, depression screening questionnaires
- Fitness metrics with diagnostic inference — heart rate data combined with age and weight can infer cardiovascular health status
- Menstrual and reproductive tracking — cycle data, ovulation predictions, fertility indicators
- Biometric data — fingerprints, facial geometry
- Genetic data — DNA, ancestry data, predisposition information
When in doubt, treat it as Article 9 data and apply the stricter rules.
Explicit Consent: Why Standard Consent Isn't Enough
For special category health data under Article 9, explicit consent is required. This is a higher bar than ordinary consent under Article 6. Explicit consent requires:
- A clear, affirmative act — a pre-ticked box is not valid
- Specific purpose disclosure — tell users exactly what health data you're collecting and why
- Separate consent for each distinct processing purpose
- A withdrawal mechanism — as easy as giving consent
- Age verification for under-16 users
- Written records of consent
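The six requirements above map directly onto a data model. This added example (not code from the original post) sketches a hypothetical per-purpose consent ledger: names such as `ConsentLedger` and the under-16 routing policy are assumptions, and a real system would persist the records rather than keep them in memory.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class ConsentRecord:
    user_id: str
    purpose: str               # one record per distinct processing purpose
    disclosure_version: str    # which purpose text the user was shown
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    """Hypothetical append-only ledger for Article 9 explicit consent."""
    def __init__(self):
        self._records = []

    def grant(self, user_id, purpose, disclosure_version, affirmative_act, age):
        # Pre-ticked boxes and implied consent arrive here as affirmative_act=False.
        if not affirmative_act:
            raise ValueError("explicit consent needs a clear affirmative act")
        # Assumed policy: under-16s are routed to a separate guardian consent flow.
        if age < 16:
            raise ValueError("under-16 user: guardian consent flow required")
        rec = ConsentRecord(user_id, purpose, disclosure_version, datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def _active(self, user_id, purpose):
        for rec in reversed(self._records):
            if (rec.user_id, rec.purpose) == (user_id, purpose) and rec.withdrawn_at is None:
                return rec
        return None

    def can_process(self, user_id, purpose):
        # Consent is per purpose: "symptom_tracking" does not cover "analytics".
        return self._active(user_id, purpose) is not None

    def withdraw(self, user_id, purpose):
        # Withdrawal is a single call, as easy as granting, and keeps the written record.
        rec = self._active(user_id, purpose)
        if rec is None:
            return False
        rec.withdrawn_at = datetime.now(timezone.utc)
        return True

    def history(self, user_id):
        # The written record Article 9 demands: every grant and every withdrawal.
        return [r for r in self._records if r.user_id == user_id]
```

Every processing path that touches health data should call `can_process` for its own purpose string rather than reusing a single app-wide consent flag.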
When You Need a Data Protection Officer (DPO)
Article 37 requires a DPO for organisations processing special category data at scale or conducting systematic monitoring. For most live health apps, a DPO appointment is mandatory. External DPO services are a cost-effective option for startups.
DPIAs: Mandatory Before Launch
Article 35 requires a Data Protection Impact Assessment before processing that is "likely to result in a high risk" to individuals. Large-scale processing of health data always triggers this requirement. Run your DPIA before writing production code — and revisit it whenever you add new data categories or SDKs.
Third-Party SDKs: The Hidden Compliance Risk
Analytics tools (Firebase, Mixpanel), crash reporters (Crashlytics, Sentry), and advertising SDKs can inadvertently capture health data. You need Data Processing Agreements with every SDK provider, and explicit user consent for each processing purpose.
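Contracts do not stop a crash reporter from capturing a symptom list that happened to be in scope when the app crashed. This added example (not code from the post or from any SDK vendor) shows a before-send style scrubber that removes health data from an event before it leaves the device; the key denylist, word patterns and the sample event are constructed assumptions.

```python
import re

# Constructed denylist of keys that carry Article 9 data directly; extend it from your DPIA.
HEALTH_KEYS = {"symptoms", "medication", "dose", "mood", "anxiety_score",
               "phq9", "cycle_day", "ovulation", "heart_rate", "diagnosis"}
# Free text (messages, breadcrumbs, screen names) can reveal health status too.
HEALTH_WORDS = re.compile(
    r"\b(symptom\w*|medicat\w*|migraine|depress\w*|insulin|menstrual|pregnan\w*)\b", re.I)

def scrub(event):
    """Return a scrubbed copy of an SDK event; the caller's dict is never mutated."""
    dropped = []

    def walk(node, path):
        if isinstance(node, dict):
            out = {}
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if key.lower() in HEALTH_KEYS:
                    dropped.append(here)        # whole field removed, value never copied
                    continue
                out[key] = walk(value, here)
            return out
        if isinstance(node, list):
            return [walk(v, f"{path}[{i}]") for i, v in enumerate(node)]
        if isinstance(node, str):
            cleaned, hits = HEALTH_WORDS.subn("[redacted]", node)
            if hits:
                dropped.append(path)
            return cleaned
        return node                             # numbers, bools, None pass through

    clean = walk(event, "")
    clean["_scrubbed_fields"] = dropped          # audit trail of paths, not values
    return clean

# Constructed sample crash event, shaped like what a crash reporter might capture.
SAMPLE_EVENT = {
    "message": "NullPointerException in SymptomScreen",
    "user": {"id": "u-42", "email": "a@example.com"},
    "extra": {"screen": "SymptomLogScreen", "symptoms": ["migraine"], "mood": 2},
    "breadcrumbs": [{"msg": "opened medication list"},
                    {"msg": "saved insulin dose 10u"}],
}
```

The `_scrubbed_fields` list tells you which code paths are leaking health data into telemetry, which is exactly the evidence a DPIA review of an SDK needs.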
Cloud Storage and EU Data Residency
AWS, Google Cloud, and Azure are data processors. You need DPAs with each. For international transfers, use Standard Contractual Clauses or consider EU data residency (AWS eu-west-1, GCP europe-west1, Azure West Europe).
User Rights for Health Data
- Right of Access (Article 15) — compile and export within 30 days
- Right to Data Portability (Article 20) — consider FHIR format for health data exports
- Right to Erasure (Article 17) — document what can be deleted vs. what must be retained
- Right to Restriction (Article 18) — support a "frozen" data state
NHS and Clinical Partnerships
For UK-market health apps working with the NHS: complete the NHS DSPT annually, assess CQC registration requirements, pursue DTAC assessment for NHS App Library listing, and apply the Caldicott Principles.
Compliance Checklist
Pre-Launch: DPIA, identify health data categories, design explicit consent flows, assess DPO requirement, audit third-party SDKs, choose EU data residency.
Launch: Activate DPAs, implement consent management, set up breach response, document RoPA.
Scale: Annual DPIA review, data retention automation, quarterly sub-processor audits, DSPT/DTAC for NHS market.
Before you write another line of code, run a free privacy scan at app.custodia-privacy.com/scan to identify trackers, consent failures, and third-party data flows in your current product.
Originally published at Custodia Privacy Blog