Health-related data under the GDPR

How can the pharmaceutical, medical device and healthcare sectors collect health-related data properly?

Pharmaceutical and medical device companies, along with the healthcare sector, select a variety of sensitive personal data. This means they have to observe special rules for processing health-related data under the General Data Protection Regulation (GDPR), which will apply from 25 May 2018. The GDPR updates and replaces current national data protection rules with a single, pan-European law for personal data protection.

From May 2018, companies collecting and using health-related data will have to rely on a lawful basis for collecting both personal and sensitive personal data.

Personal health-related data continue to be treated as sensitive personal data requiring explicit consent from the data subject. The definition has been broadened to include biometric and genetic data. The GDPR clearly states that processing sensitive data is prohibited without explicit informed consent (except where member states prohibit the use of consent). Only very limited exemptions are available.

For valid consent, the GDPR requires a freely granted, specific, informed, and unambiguous indication of an individual’s wish (for example, active opt-in). Companies must be able to prove that consent was duly granted in the shape of evidence of consent obtained from specific data subjects. Consent must be obtained in an easily accessible form (not hidden), using clear, plain language that the data subject can easily understand. Individuals must be able to withdraw their consent in the same or similar way in which it was granted. Companies will need to carefully consider the wording of consents and the means by which consent is achieved.

Besides consent as a legal ground, collection and use of health-related data is further allowed under a contract with a health professional (subject to professional secrecy foreseen by law) if processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care or treatment, management of health or social care systems and services (the ‘medical care’ ground). Consent is not required if processing is necessary for public health reasons (the ‘public health’ ground).

The GDPR recognizes that it is unrealistic to require scientists to list all purposes in a consent form at the time data are collected. This means that individuals should be allowed to give their consent to certain areas of scientific research if recognized ethical standards for scientific research are respected. In turn, companies might also rely on scientific research as a valid ground for data processing.

However, country variations may be possible as Member States may decide on specific provisions – including those governing the processing of personal data for research purposes. Member states can introduce further conditions around the processing of sensitive personal data including, in particular, health data.


Numerous innovations go hand in hand with increased requirements, fines and liability risks. As a result, companies in the pharmaceutical, medical device and healthcare sector may find themselves challenged in adapting their internal processes to the new data protection rules. These new rules force companies to build in data protection by design and by default, to carry out privacy impact assessments for riskier or larger scale projects, and to implement privacy-friendly techniques such as pseudonymisation, data minimisation and encryption. National law developments must be observed, too, as member states may establish additional requirements applicable to health-related data processing.

Note: Would you like to discuss this topic? Do not hesitate to join our business breakfast “GDPR: How can the pharmaceutical, medical device and healthcare sectors collect personal data properly” on 14 December 2017 at bnt attorneys in CEE Vilnius office. More information will be coming soon under

Subscribe to our newsletter

By pressing Subscribe you consent to our data processing terms