Healthcare organisations face some of the most demanding GDPR obligations of any sector because of the nature of the data they process. Data concerning health is explicitly listed as special category data under Article 9(1), so processing it requires not only a lawful basis under Article 6 but also one of the specific conditions in Article 9(2). The consequences of a health data breach are severe — financial loss, discrimination, and reputational harm can flow from the unauthorised disclosure of a single patient’s diagnosis.
Healthcare organisations must also navigate the intersection of GDPR with sector-specific legislation — national health law, the EU Clinical Trials Regulation (CTR), and the European Health Data Space (EHDS) regulation — that creates both lawful bases for processing and additional governance obligations beyond GDPR’s core requirements.
Article 9 and Health Data: The Double Requirement
Processing health data requires both a lawful basis under Article 6 and a condition under Article 9(2). Neither alone is sufficient. An organisation that has a legitimate interests basis under Article 6(1)(f) for processing patient data but no Article 9(2) condition cannot lawfully process that data. The most commonly applicable Article 9(2) conditions for healthcare are explicit consent (9(2)(a)), vital interests (9(2)(c)), health or social care purposes (9(2)(h), which additionally requires the professional secrecy safeguard in Article 9(3)), public health (9(2)(i)), and scientific research or statistics (9(2)(j), subject to the Article 89(1) safeguards).
ARTICLE 9(2) CONDITIONS — HEALTHCARE APPLICATIONS
| Article 9(2) Condition | When It Applies in Healthcare | Key Limitation |
|---|---|---|
| (a) Explicit consent | Patient explicitly consents to processing of their health data for a specific purpose (e.g. research participation, sharing with a specific third party) | Consent must be explicit (not implied); freely given (no detriment to care for refusal); specific to the purpose; withdrawable without detriment; not appropriate as the sole basis for treatment-necessary processing |
| (c) Vital interests | Processing necessary to protect life where data subject cannot consent (e.g. emergency treatment of unconscious patient) | Only applies where data subject is physically or legally incapable of consenting; not a substitute for consent where consent is obtainable |
| (h) Health or social care (with professional secrecy) | Processing necessary for preventive or occupational medicine, assessment of an employee’s working capacity, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services | Must rest on Union or member state law, or on a contract with a health professional; under Art. 9(3) the data must be processed by or under the responsibility of a professional bound by professional secrecy, or by another person subject to an equivalent obligation of secrecy under Union or member state law |
| (i) Public health | Processing necessary for reasons of public interest in the area of public health (protecting against serious cross-border threats to health, disease monitoring, epidemiology, ensuring high standards of quality and safety of healthcare, medicinal products and medical devices) | Must be based on Union or member state law that provides suitable and specific safeguards for the data subject’s rights, in particular professional secrecy; per Recital 54, must not result in the data being processed for other purposes by third parties such as employers, insurers or banks |
| (j) Scientific research and statistics | Processing necessary for archiving in the public interest, scientific or historical research, or statistical purposes | Must be based on Union or member state law and comply with the Art. 89(1) safeguards (pseudonymisation where the purpose can still be met; access controls; data minimisation; purpose limitation); “scientific research” is interpreted broadly (Recital 159) but does not cover general commercial analytics relabelled as research |
Clinical Trial Data Governance
Clinical trials involving human subjects generate some of the most sensitive personal data in healthcare: participant identity, health conditions, interventional procedures, adverse events, and genetic data. The EU Clinical Trials Regulation (EU) No 536/2014 and GDPR apply concurrently to clinical trial data, creating a governance framework that requires explicit GDPR compliance within the CTR’s operational requirements.
CLINICAL TRIAL GDPR REQUIREMENTS
| Area | Requirement | Implementation Note |
|---|---|---|
| Lawful basis for trial participation data | Depends on the purpose: processing required by the CTR itself (safety reporting, archiving, inspections) rests on Art. 6(1)(c) legal obligation with Art. 9(2)(i); processing for the research purposes of the trial rests on Art. 6(1)(e) public task or Art. 6(1)(f) legitimate interests with Art. 9(2)(i) or (j), or on Art. 6(1)(a) with Art. 9(2)(a) explicit consent where consent is genuinely free | CTR informed consent is an ethical and safety requirement and is not automatically GDPR consent; EDPB Opinion 3/2019 cautions that GDPR consent is often inappropriate in trials because of the imbalance between participant and investigator, so the basis chosen must be documented per purpose and the consent form must carry the GDPR information regardless of which basis is used |
| Participant information and consent | GDPR Art. 13/14 information must be incorporated into the Participant Information Sheet and Informed Consent Form; must explain data processing, transfers, retention, and rights | Trial-specific privacy notice integrated into consent documentation; plain language; available in all languages of trial sites; version-controlled |
| Data subject rights in clinical trials | Participants retain GDPR rights; however Art. 17(3)(d) exempts erasure for research processing under Art. 89(1) to the extent erasure would be likely to render impossible or seriously impair the research objectives; Art. 89 safeguards must be in place | Erasure requests from trial participants assessed against Art. 17(3)(d) and trial necessity (already-analysed data and safety data generally retained; data not yet used may be deleted); withdrawal from the trial stops further collection but does not erase data already lawfully processed; restriction, objection, and access rights remain; procedure documented |
| Transfer of trial data to non-EEA countries | Trial data frequently transferred to global sponsor (often US-based); Chapter V mechanism required; SCCs for data transfer to sponsor | SCCs executed between trial site (controller) and sponsor (controller or processor depending on arrangement); TIA for US-based sponsors |
| Sponsor vs. investigator controller/processor roles | The sponsor determines the purposes and means of the trial and is controller for trial data; the investigator site is usually an independent controller for the medical records it holds for treatment and for its own CTR obligations, and is frequently characterised as a joint controller with the sponsor for trial data rather than a mere processor, since it retains professional and regulatory obligations of its own | Role characterisation critical and varies by trial design and member state guidance; Art. 26 arrangement where joint controllership; Art. 28 DPA only where the site genuinely acts solely on the sponsor’s instructions; documented before trial commences |
| Data retention | CTR Art. 58 requires the sponsor and investigator to archive the clinical trial master file for at least 25 years after the end of the trial (subjects’ medical files are retained per national law); GDPR storage limitation principle does not override this regulatory obligation | Art. 6(1)(c) legal obligation provides retention basis for the 25-year CTR requirement; archived data not used for any other purpose during retention without a separate lawful basis and Art. 9(2) condition |
Secondary Use of Health Data for Research
One of the most practically complex GDPR issues in healthcare is the secondary use of clinical data — using health data originally collected for treatment purposes for scientific research, epidemiology, or health service planning. GDPR provides a specific framework for this in Articles 5(1)(b) and 89, but the conditions are strict and require documented safeguards.
SECONDARY USE OF HEALTH DATA — GDPR FRAMEWORK
| Secondary Use Type | Applicable GDPR Provision | Required Safeguards |
|---|---|---|
| Scientific research using treatment data | Art. 5(1)(b): research is not incompatible with original collection; Art. 9(2)(j): research basis; Art. 89 safeguards | Pseudonymisation of data used for research; access controls limiting research team to minimum data; research ethics approval; data sharing agreement with research organisation |
| Epidemiological studies | Art. 9(2)(i) public health or Art. 9(2)(j) research; Art. 6(1)(e) public task where applicable | Data minimisation; pseudonymisation; output is aggregate/statistical; researchers subject to confidentiality obligations |
| Healthcare quality improvement | Art. 9(2)(h) healthcare management; Art. 6(1)(c) or (e) legal obligation or public task | Purpose limitation to healthcare improvement; access restricted to authorised quality teams; results used only for quality improvement, not commercial purposes |
| Sale or commercial use of anonymised health datasets | Only permissible if data is genuinely anonymised (not merely pseudonymised, which remains personal data); the Article 29 Working Party Opinion 05/2014 criteria, still applied by the EDPB, must be satisfied: no singling out, no linkability, no inference | Full anonymisation assessment documented; no mapping table retained; re-identification risk assessed against reasonably likely means (including linkage with other available datasets); not permissible if re-identification risk cannot be reduced to negligible; assessment repeated as linkable data and techniques change |
The European Health Data Space
The European Health Data Space (EHDS) Regulation, politically agreed in 2024 and published as Regulation (EU) 2025/327 in March 2025, creates a framework for sharing health data across the EU for primary use (patient care) and secondary use (research, innovation, policy), with obligations phasing in over several years. The EHDS introduces new obligations for health data holders and new rights for patients, and operates alongside GDPR rather than replacing it.
EHDS AND GDPR — KEY INTERACTIONS
| EHDS Element | Interaction with GDPR |
|---|---|
| Personal health data space (MyHealth@EU) | Cross-border sharing of patient records; GDPR transfer mechanisms apply for non-EEA transfers; EHDS provides the national law basis for EEA cross-border sharing |
| Patient right to access electronic health data | EHDS access right builds on GDPR Art. 15 access right; additional specific health data access right under EHDS; must be technically implemented |
| Opt-out for secondary use | EHDS provides opt-out mechanism for secondary use of health data; controllers must implement opt-out; GDPR right to object (Art. 21) and right to restrict (Art. 18) complement EHDS opt-out |
| Health data access bodies | EHDS creates national health data access bodies with power to authorise secondary use; GDPR accountability applies to all processing authorised by access bodies |
| Data altruism | EHDS allows individuals to make their health data available for secondary use through the data altruism framework of the Data Governance Act (Regulation (EU) 2022/868); GDPR consent requirements apply to data altruism donations, and the donation does not remove the need for a lawful basis for each downstream use |
| BITLION INSIGHT | Healthcare organisations should not treat GDPR as a compliance layer on top of their clinical governance. The most effective healthcare privacy programmes integrate GDPR requirements into the clinical information governance framework — consent forms, research ethics processes, clinical audit procedures, and data sharing agreements — rather than running a separate compliance programme. The GDPR DPO and the clinical information governance lead should be in regular dialogue; in many healthcare organisations, the most effective arrangement is a single person with both responsibilities or a small team that covers both domains. The risk of running two separate frameworks is that each addresses the organisation’s obligations incompletely. |