The General Data Protection Regulation

Requirements defined by GDPR and other data protection laws in the EU

Data Protection in the EU

The most important law in the EU Data Protection regulatory framework is the General Data Protection Regulation (GDPR), which harmonises the rules on the protection of EU citizens’ data.

However, the GDPR only defines high-level requirements and user rights. How the GDPR is interpreted depends on national Data Protection Authorities and official bodies, such as the European Data Protection Board and ENISA. There are also other laws, e.g. the ePrivacy Regulation, or the new Cookie law envisioned for 2019.

What is "Health Data" under EU laws

According to the GDPR, Health Data are "all data pertaining to the health status of a data subject" (see recital 35 and art. 4(15) GDPR). As such, they are considered a special category of Personal Data. The definition provided by the GDPR is further explained by the European Data Protection Board (formerly the Art. 29 Working Party), the EU body with advisory status on data protection matters. It identifies situations in which personal data will be considered Health Data.

Examples of Health Data include heart rate (ECG), weight tracking, blood pressure, healthcare payments, step counts, heartbeat tracking, diseases and many others.

Although the definition provided by the GDPR may seem clear, the presence of some “grey areas” makes data categorisation difficult. Therefore, it is essential to define the type of data you will collect: different data bring about different legal challenges. To gain an insight into the legal issues and assess your data collection needs, perform a 5-minute test.

Data Controllers & Data Processors

To achieve privacy law compliance, it is fundamental to understand the service delivery chain and to identify who is responsible for the processing of data in your case.

GDPR and EU data protection laws identify different roles:

Data Subjects: individual users to whom the data belongs.

Data Controllers: the entity responsible for data collection and management. If you are delivering your services directly to consumers (e.g. a fitness/disease tracking app), then you are the Controller.
If you are delivering your service to a hospital, and then the hospital delivers your services to its users, then you are not (usually) nominated as Data Controller.

Data Processors: are entities that help you in delivering a service., for example, is a Data Processor since it provides a set of services to you.
If you are delivering your service to a hospital, and then the hospital delivers your services to its users, then you would be a Data Processor.

Assigning roles is the first step in identifying the requirements to be satisfied and implemented within your system.

Requirements for Data Controllers & Processors

Technical Requirements

These typically relate to your backend. A typical cloud application has different components on the backend side that are responsible for user management, data storage and application logic. The technical safeguards affect mainly the API, user management and health data.

Organisational Requirements

These ensure that the data processing is legal and that their service is properly regulated. These measures must be analysed case by case with lawyers in order to identify implications related to your specific data processing. can assist with this.

Still have questions?

Implementing technical requirements is complex, expensive, risky and time-consuming. strengthens all safeguards, offering developers a set of APIs that can be easily integrated within apps or servers to store sensitive data securely.

To learn more, download our eBook on GDPR and HIPAA compliance for health applications.

EU Data Protection and cyber security directives & law

The reference website for updates on Data Protection in the EU is:
The reference website for updates on Cyber Security strategy in the EU is:

Member States Laws

The GDPR defines a minimum level of data protection for EU citizens. Member states are allowed to enforce stricter controls and many of them do so. As a result, you need to carefully analyse the national (and even state-level) laws of all countries you want to operate in. helps many companies to solve these legal challenges. We offer you a free assessment to help you work out exactly what you need to do in order to comply.