The GDPR and health data: What you need to remember!

The General Data Protection Regulation (GDPR) imposes an obligation of secrecy on healthcare data, guaranteeing the confidentiality of patients' personal information. A breach of this obligation can carry severe legal consequences, such as fines and penalties.

What's more, the GDPR grants individuals a legal right to protect their health data and to obtain redress in the event of a data breach. It is therefore crucial for healthcare professionals to scrupulously comply with GDPR rules in order to guarantee the security and confidentiality of their patients' health data.

GDPR compliance for players handling healthcare data has several specificities. Find out the questions and answers here.

Managing healthcare services now requires strict compliance with the GDPR.

These regulations aim to protect sensitive patient data and guarantee confidentiality.

It's essential for healthcare players to increase their vigilance when it comes to processing personal data. This summary provides you with the key information to remember to ensure GDPR compliance in healthcare.

According to the GDPR, health data is, as a matter of principle, sensitive personal data

Among the types of personal data, some are known as sensitive. These include data on religion and sexual orientation, but also health data. Under the GDPR, health data must be considered sensitive: it is a special category of data.

Health data is data relating to physical or mental health. It may be information relating to a natural person collected during registration, a social security number, information obtained during a test or examination of a body part, or information relating to a disease.

This also encompasses certain measurement data from which a person's state of health can be deduced, which is very common in today's innovative models. In the context of health data processing, the rights of individuals are specific. Occupational medicine, for example, deals with health data.

Two examples of companies processing personal data in the healthcare sector

Doctolib

A platform for doctors and patients to contact each other and book appointments. Doctolib goes one step further, enabling the transmission and storage of documents such as prescriptions and test results. The platform manages patients' personal data, such as names and e-mail addresses, as well as health-related data, such as the specialties of the doctors visited, the healthcare professionals consulted, prescriptions for medicines intended for healthcare professionals, etc. The nature of the data exchanged is sensitive.

Diabeloop

Controls insulin delivery for diabetic patients, a real revolution for them. Blood sugar levels are continuously measured, and the Diabeloop application determines the quantity of insulin to be delivered. The application is based on a prediction model that is enriched by a large-scale patient database. Personal data is at the heart of Diabeloop's business. The diabetes sector is particularly innovative and has transformed patient care in recent years.

The GDPR topics most frequently encountered by healthcare players for data protection.

1 - Hosting health data in France and with a health data hosting provider (HDS)

Healthcare data must be stored in France and on an HDS server. This principle is set out beyond the GDPR, in the French Loi Informatique et Libertés. Indeed, the GDPR allows for some local specificities, particularly in healthcare.

It is therefore essential to control the tools used to store personal health data, to make sure that they are HDS servers.

Controlling your service providers is also key. In fact, on your websites and digital tools in particular, technical service providers (authentication, forms, etc.) process your users' personal data.

It is important to create a list and ensure that personal data is stored in France on HDS-certified servers. This is one of the key elements carried out during GDPR compliance implementation.

In most cases, companies are not required to obtain HDS certification. It's a complex certification process. It is preferable to use a service provider who can provide HDS servers.

Please note that we often talk about health data warehouses. This is a different subject from HDS, which is not a mere formality. We'll be coming back to this subject shortly on the Dipeeo website.

2 - Prior consent is required for any processing of an individual's health data

With the exception of hospitals, health establishments or institutes for research purposes, in order to process an individual's health data, consent must be obtained from the individual concerned. This may take the form of a box to tick or a document to sign, for example.

Processing personal data is more than just storing it. A simple transfer of information by your tools, without storage, is recognized as processing personal data.

3 - Medical research requires a declaration or request for authorization from the CNIL

The legal framework for medical research varies according to a number of criteria, in particular whether the research is "internal" or "multi-centric". The latter calls for more formalities, since patients' personal data will be exposed to more players. In this case, you will need to apply for "research" authorization (www.entreprendre.service-public.fr/vosdroits/R18457) or make a commitment to comply with MR-001, MR-002 or MR-003, depending on the case.

The CNIL (National Commission for Information Technology and Civil Liberties) has produced a guide on the subject, with the aim of helping those involved in the process to secure patient data: "Medical research: what is the legal framework?" (CNIL).

4 - GDPR clauses must be included in research protocols

A research protocol must be drawn up for medical research. This document specifically sets out the agreements between the various parties and defines the responsibilities of each one. GDPR clauses must be drawn up; they are necessary to define what happens to each item of personal data processed during the study. They also define the responsibilities of each player with regard to this data and, potentially, the levels of security to be put in place to protect it. It's all about safeguarding the interests of each stakeholder. This typically involves CRO (Contract Research Organization) type organizations working with a DPO on the GDPR clauses.

5 - Sanctions in the healthcare sector imposed by the CNIL (National Commission for Information Technology and Civil Liberties) are very heavy

Healthcare is the field where controls are most frequent. Sanctions here are the most severe and costly once the CNIL (National Commission for Information Technology and Civil Liberties) has carried out its assessment and found non-compliance with the GDPR. The CNIL does indeed have a public service mission and must ensure compliance with the GDPR. This is an area where deviations can lead to significant discrimination, with a very strong negative impact in the event of data leakage or misuse of data. It is essential to follow good practice in the healthcare sector. Sanctions can be avoided if the rules are respected.

For example, DEDALUS BIOLOGIE was fined €1.5m following a data leak.

6 - Hospital partnerships require GDPR compliance to ensure security

GDPR compliance is now an essential part of hospital operations. When considering a potential partner, hospitals have to ensure that the partner is GDPR compliant, because the hospital is itself obliged to be GDPR compliant, especially if the partner will be processing patient data or data from employees or anyone else in the hospital. A hospital or clinic will systematically refuse to work with a non-compliant player.

7 - Special obligations if you process personal data on behalf of another party.

If you process personal data on behalf of a hospital or other organization, then you are a "processor" within the meaning of the GDPR. The hospital will be the data controller.

This implies some responsibilities:

  • You'll need to include a clause in your T&Cs stating that you process personal data and that you take responsibility for any data leakage.
  • As a processor, you will be responsible for setting up a register of processing activities. In particular, this must specify the purpose of each processing activity.
  • You'll also need to ensure the compliance of your technical service providers, who are themselves processors but are part of your structure.

8 - You have a digital platform. You need to apply "privacy by design"

Your digital product processes personal data as part of delivering your service (for example: drug delivery, patient transport, appointment scheduling, etc.). You need to check the compliance of the digital product as soon as it is designed, or at the very least when you become GDPR compliant. You need to ensure that the management of the systems handling personal data is compliant.

In other words, 

  • Are Data retention periods respected? 
  • Are the necessary consents in place? 
  • Are users adequately informed about the treatments carried out? 
  • Is the technical security of the data sufficient for the sensitivity of the data?
  • Are the technical providers of the digital product compliant?
  • Are users able to exercise their right of access, or are they unable to do so?