EU GDPR Legal Framework and Compliance Resources

The EU legal framework for Health applications and data

Requirements defined by GDPR and other data protection laws in the EU

Data Protection in the EU

The most important law in the EU Data Protection regulatory framework is the General Data Protection Regulation - GDPR, which calls for the harmonization of the rules on the protection of EU citizens’ data (contrary to what the old directive 95/46/EC did).

However, since the GDPR defines high level requirements and user rights, there are other laws (e.g. ePrivacy Regulation - or the new Cookie law envisioned for 2019) and soft laws released by official bodies (such as art. 29 Working Party and ENISA), which must be considered in light of their contribution to the most recent and important guidelines on data protection and security.

What is "Health Data" under EU laws

According to the GDPR, Health Data are "all data pertaining to the health status of a data subject" (see recital 35 and art. 4(15) GDPR). As such, they can be considered a sub-category of Personal Data. The definition provided by the GDPR is further explained by the Art. 29 Working Party, the EU body with advisory status on data protection matters, whose explanation makes it possible to identify situations in which personal data can be considered Health Data.

Examples of Health Data can be heart rate (ECG), weight tracking, blood pressure, healthcare payments, step counts, heartbeat tracking, diseases and many others.

Although the definition provided by the GDPR may seem clear, the presence of some “grey areas” makes data categorisation difficult. Therefore it is essential to define the type of data you will collect: different data bring about different legal challenges. To gain an insight into the legal issues and assess your data collection needs, you can download our Decision Tree, or perform a 5 minute self-assessment test.

Data Controllers & Data Processors

To start with privacy law compliance, it is fundamental to understand the service delivery chain and to identify who is responsible for the processing of data in your case.

GDPR and EU data protection laws identify different figures in the liability chain:

  • Data Subjects: service users to whom data belong.

  • Data Controllers: the entity responsible for data collection and management. If you are delivering your services directly to consumers (e.g. a fitness/disease tracking app), then you are the Controller.
    If you are delivering your service to a hospital, and then the hospital delivers your services to its users, then you are not (usually) nominated as Data Controller.
    Note that Controllers have to satisfy some organizational requirements that are listed later on.

  • Data Processors: entities that help you in delivering a service. for example is a Data Processor since it provides a set of services to you.
    If you are delivering your service to a hospital, and then the hospital delivers your services to its users, then you would be appointed as Data Processor.

Assigning roles is the first step toward the identification of the requirements to be satisfied and implemented within your system.

Requirements for Data Controllers & Processors

Technical Requirements

A typical cloud application has different components on the backend side that are responsible for the user, data and application logic management. The list of technical safeguards affects mainly the API, user and health data. They include:

Organizational Requirements

Their main aim is to ensure that the developers’ data processing is legal and that their service is properly regulated. These measures must be analyzed case by case with lawyers in order to identify implications related to your specific data processing. makes documentation much easier.

Implementing technical requirements is complex, expensive, risky in case of errors, and time-consuming. strengthens all safeguards offering developers a set of APIs that can be easily integrated within apps or servers to store sensitive data securely.

For example, we assist you in explaining to customers and Data Protection Authorities how you process and store collected data. Nonetheless, supplementary legal advice might still be necessary for a comprehensive analysis.

To learn more, download our guide on health apps GDPR and HIPAA compliance

EU Data Protection and cyber security directives & laws

The reference website for updates on Data Protection in the EU is:

The reference website for updates on Cyber Security strategy in the EU is:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of the 27th of April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)(Text with EEA relevance).

  • Directive 95/46/EC of the European Parliament and of the Council of the 24th of October 1995 (the Data Protection Directive). It harmonises national laws which require high-quality data management practices on the part of the “data controllers” and the guarantee of a series of rights for individuals. It provides a generic description of categories of data and general data protection principles. It doesn’t mention security safeguards, and since it was defined many years ago it does not mention topics such as the Cloud. It will be improved by the upcoming GDPR.

  • Regulation 45/2001 of the 18th of December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and the free movement of such data. It regulates the processing of individuals' personal data when the processing is carried out by Community institutions and bodies.

  • Directive 2009/136/EC of the European Parliament and of the Council of the 25th of November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services.

  • Directive 2002/58/EC of the European Parliament and of the Council of 12th of July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

  • Council Framework Decision 2008/977/JHA of the 27th of November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.

  • Agreement on the first EU-wide legislation on cybersecurity of the European Parliament, the Council and the Commission. (12/2015).

Other relevant documents and opinions

Member States Laws

The question of "if and how single Member State privacy laws differ from EU Directives and among each other" is a very difficult one to answer.

Although EU Regulations (e.g. GDPR) are directly enforceable within the Member States, national laws can impose additional and more rigorous requirements than those set by supranational laws. Such complexity calls for a careful analysis of the national laws of the State in which you are delivering your service.

At the changes and evolutions, especially those related to our business, are constantly monitored. Our security measures, internal practices and health data management procedures ensure compliance within each Member State.

It is important to point out that not all security requirements are thoroughly defined by the EU privacy laws. Usually, laws and directives set general principles for the encryption of health and sensitive data or the implementation of security standards. These security standards are usually defined by specific bodies such as ENISA.

National level certifications or public bodies (e.g. hospitals) might require the fulfilment of other specific conditions. Their specificity calls for a case-by-case examination (e.g. of those in France which represent a huge obstacle for startups and innovation). For instance, hospitals frequently ask to deploy services within their own server farm or to implement old-fashioned security strategies like VPN. helps companies to solve these challenges. For any question or doubt, do not hesitate to contact us at

Some useful resources:
