How can you control the processing of your health data? Sensitive information! [DPO Notice]
Health data is one of the most sensitive types of data. Its processing requires a strict GDPR framework, solid legal bases, and rigorous governance. Read our article to discover the keys to staying compliant and securing your projects.

Processing health data requires high standards for personal data protection.
The GDPR strictly regulates the processing of such data, especially when it involves sensitive information related to health, medical history, or behavior.
This article details the key concepts and obligations, as well as the rules specific to data warehouses and the best practices for ensuring compliance.
Key points to remember:
- Health data is sensitive data that is strictly regulated by the GDPR.
- Processing must be based on a clear legal basis, such as public interest, consent, or a legal obligation.
- Data warehouses require governance and enhanced security. Depending on the case, a declaration or authorization from the CNIL may be required.
- A data protection impact assessment (DPIA, known as AIPD in French) is required to evaluate risks.
- To avoid any breaches, it is essential to comply with GDPR principles (minimization, purpose limitation, and transparency).
Additionally, learn how the latest version of Adequacy can address the unique needs of the healthcare sector.
Definition and scope of personal health data
The concept of health data is central to GDPR compliance issues. In order to process this sensitive information, it is crucial to understand what it encompasses, why it is considered sensitive, and what specific examples are involved in practice.
What constitutes health data under the GDPR?
Article 4 of the GDPR defines personal data as any information relating to an identified or identifiable natural person. Health data is considered a special category of sensitive data and is subject to enhanced protection.
Article 9 of the GDPR generally prohibits processing health data unless an exception applies, such as explicit consent, public interest, or preventive medicine.
Health data refers to any information that reveals:
- A person’s past, present, or future physical or mental health status
- Information relating to medical care
- Results of medical examinations, diagnoses, or treatments
Recital 35 of the GDPR further clarifies that this includes identification numbers, biological test results, disability-related information, and health-related lifestyle habits.
Sensitive data: what are the specificities of health data?
Health data falls within the category of sensitive data, alongside biometric and genetic data, as well as data related to political opinions. As such, processing it is subject to stricter rules.
The heightened risks to individuals are what make health data specific: disclosure of medical conditions, discrimination in employment or insurance, stigmatization, etc.
This is why processing health data requires compliance with the following:
- A solid legal basis (Articles 6 and 9 of the GDPR)
- Strict data minimization
- Enhanced protection through technical and organizational security measures (Article 32 of the GDPR)
Practical examples of health data
Some examples of personal health data include:
- Administrative health data: social security number, patient ID (IPP), and hospitalization code.
- Medical data: medical history, diagnoses, imaging results, test results, and prescriptions.
- Well-being data: physical activity, dietary habits, alcohol consumption, tobacco use, and drug use.
- Daily life data linked to health: autonomy level, lifestyle (urban or rural), and home care.
- Genetic data: DNA testing results or biological samples.
Any such data that directly or indirectly identifies a person falls within the scope of the GDPR.
Risks of misclassification
Failing to recognize data as sensitive can lead to several consequences.
- Breach of the security obligation (Article 32 GDPR).
- Noncompliance with the lawfulness principle (Articles 6 and 9 of the GDPR).
- Administrative fines of up to 4% of annual worldwide turnover.
Therefore, it is critical to train teams in correct data classification and integrate this analysis into the design stage of any processing activity.
GDPR obligations applicable to health data
Processing health data entails strengthened legal requirements. Both controllers and processors must integrate the GDPR’s specific obligations to ensure that processing is compliant, secure, and respects rights.
The legal bases are public interest, consent, and legal obligation.
The GDPR generally prohibits health data processing (Article 9), unless an exception applies. Common legal bases include:
- Explicit consent (Article 9.2.a): This is particularly required in research projects outside the scope of a public interest mission. Consent must be freely given, specific, informed, and unambiguous.
- Performance of a task in the public interest (Articles 6.1.e and 9.2.h or i): applicable to public healthcare institutions or data warehouses regulated by the CNIL.
- Legal obligation: mandatory medical record keeping under public health legislation.
In practice, institutions most frequently use the "public interest" basis under secure and regulated frameworks (e.g., the CNIL reference framework for health data warehouses).
Data minimization and purpose limitation
Article 5 of the GDPR establishes the following fundamental principles:
- Purpose limitation: Data must be collected for specific, explicit, and legitimate purposes. For instance, data collected for medical care cannot be reused without a valid legal basis.
- Data minimization: Only the data that is strictly necessary may be collected. "Just in case" collection is not permitted.
For example, in a research project, if gender or the full date of birth are irrelevant, they must not be processed.
Pseudonymization, anonymization, and data security
Security measures (Article 32 GDPR) must be proportionate to the sensitivity of health data. These measures include:
- Systematic pseudonymization: Direct identifiers are stored separately from medical data in secure environments (a CNIL requirement for data warehouses).
- Anonymization: If no link to the individual is retained, the data may fall outside the scope of the GDPR (provided re-identification is impossible).
- Encryption, logging, and strict access control: these prevent unauthorized access and data leaks.
By way of example, warehouses must comply with requirements SEC-LOG-4 to SEC-LOG-6 on the physical and logical separation of identifying data.
For more information, we recommend the excellent video by Patrick Tiev, which explains everything.
Compliance mechanisms include records, DPIA, and DPO.
All health data processing must be governed by structured compliance measures:
- Records of processing activities (Article 30 of the GDPR): Mandatory documentation of purposes, categories of data, security measures, etc.
- Data Protection Impact Assessments (DPIAs): Required for high-risk processing, including data warehouses, to demonstrate risk identification and mitigation.
- A Data Protection Officer (DPO): Mandatory for organizations processing sensitive data on a large scale. The DPO ensures ongoing compliance and advises on planned processing.
Organizations lacking a DPO are exposed to frequent compliance failures, particularly in risk management, data subject rights, and documentation. Check out our typing guide!
Focus on health data warehouses: legal framework and governance
These warehouses play a central role in data valorization projects within healthcare institutions. Implementing them requires strict compliance with the GDPR and CNIL reference frameworks. These warehouses enable the structured reuse of data for public interest, research, or healthcare improvement purposes.
What is a health data warehouse?
A health data warehouse is a processing system built to reuse personal data collected during medical care. It is not a simple archive or an extended medical record.
Permitted purposes include:
- Producing medico-economic indicators
- Improving care coding
- Assessing research project feasibility
- Developing decision-support tools
According to the CNIL framework, commercial purposes, such as insurance, targeting, and coverage exclusions, are strictly prohibited.
Declaration of compliance or CNIL authorization
The GDPR requires a clear legal basis (Articles 6 and 9). For warehouses, this basis is typically the performance of a task in the public interest (Article 6.1.e).
Two regimes apply:
- A declaration of compliance with the CNIL framework if the project meets all the conditions (purposes, data types, security measures, governance, etc.).
- A specific authorization request is required if one or more conditions are not met (e.g., processing in the private sector outside of the public interest or processing of sensitive data not covered by the framework).
These procedures are carried out online via the CNIL platform.
Governance, security, and retention requirements
A data warehouse requires documented governance, including:
- A steering committee that defines strategic directions, validates the data collected, and ensures its relevance.
- A scientific and ethics committee that systematically reviews projects reusing warehouse data and includes independent members, researchers, healthcare professionals, and patient representatives.
- Access traceability: mandatory logging, database segmentation, and strong pseudonymization.
Regarding retention, pseudonymized medical data may be stored for up to 20 years, while identifying data must be deleted as soon as it is no longer needed.
For example, if a patient is included in a research project five years after treatment, the pseudonymized data can be reused according to the protocol. However, the directly identifying data must remain separate, secure, and accessible only to authorized personnel.
Logical separation of identifying and analytical data is a fundamental prerequisite. This often involves complex IT infrastructures, restricted access, encrypted correspondence keys, and regular audits.
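The separation described in the security-measures section (direct identifiers stored apart from medical data, pseudonymization at warehouse entry, logging and access control) and the logical separation with a protected correspondence table described here can be sketched in code. The Python below is an added illustration, not code from the article, from Adequacy, or from any CNIL text. The field names, the two roles ("care_team" and "researcher"), the in-memory stores and the sample records are constructed assumptions; encryption of the correspondence table at rest is assumed to be provided by the hosting environment rather than shown.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Hypothetical allow-list of analytical fields for one warehouse project. Anything
# outside it (e.g. full date of birth, gender) is dropped at ingest: data minimization.
ANALYTICAL_FIELDS = frozenset({"diagnosis", "treatment", "admission_year", "age_band"})
# Directly identifying fields; these go to the vault and never to the analytical store.
DIRECT_IDENTIFIERS = frozenset({"first_name", "last_name", "social_security_number", "patient_id"})


def pseudonym_for(patient_id: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256) of the internal patient identifier.

    A plain hash of a short identifier such as a patient number can be reversed by
    enumerating candidates; keying it with a secret held only by the pseudonymization
    service closes that path, while the mapping stays deterministic so repeat visits
    of one patient land on the same pseudonym.
    """
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()


class IdentityVault:
    """Correspondence table pseudonym -> direct identifiers, kept in its own store.

    Re-linking goes through one access-controlled method and every attempt is logged.
    At-rest encryption of the table is assumed to come from the hosting environment.
    """

    def __init__(self) -> None:
        self._table: dict[str, dict] = {}
        self.access_log: list[dict] = []

    def store(self, pseudonym: str, identifiers: dict) -> None:
        self._table[pseudonym] = dict(identifiers)

    def reidentify(self, pseudonym: str, role: str) -> dict:
        # Hypothetical rule: only the care-team role may re-link; researchers never can.
        allowed = role == "care_team"
        self.access_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "pseudonym": pseudonym,
            "role": role,
            "granted": allowed,
        })
        if not allowed:
            raise PermissionError(f"role {role!r} may not re-identify")
        return dict(self._table[pseudonym])


class Warehouse:
    """Analytical store holding only pseudonymized, minimized rows."""

    def __init__(self, pseudonym_key: bytes, vault: IdentityVault) -> None:
        self._key = pseudonym_key
        self._vault = vault
        self.analytical: dict[str, dict] = {}

    def ingest(self, record: dict) -> tuple:
        """Split one care record at warehouse entry; returns (pseudonym, dropped fields)."""
        identifiers = {k: v for k, v in record.items() if k in DIRECT_IDENTIFIERS}
        analytical = {k: v for k, v in record.items() if k in ANALYTICAL_FIELDS}
        dropped = sorted(set(record) - DIRECT_IDENTIFIERS - ANALYTICAL_FIELDS)
        pseudonym = pseudonym_for(identifiers["patient_id"], self._key)
        self.analytical[pseudonym] = analytical   # no direct identifier in this store
        self._vault.store(pseudonym, identifiers)  # correspondence kept apart
        return pseudonym, dropped

    def rows_with(self, diagnosis: str) -> list:
        return [row for row in self.analytical.values() if row["diagnosis"] == diagnosis]


# Constructed sample care records (fictional people and values).
SAMPLE_RECORDS = [
    {"patient_id": "IPP-0001", "first_name": "Ada", "last_name": "Example",
     "social_security_number": "2 85 01 75 116 001 23", "date_of_birth": "1985-01-12",
     "gender": "F", "diagnosis": "I10", "treatment": "amlodipine",
     "admission_year": 2023, "age_band": "35-44"},
    {"patient_id": "IPP-0002", "first_name": "Bob", "last_name": "Sample",
     "social_security_number": "1 70 06 13 055 002 45", "date_of_birth": "1970-06-03",
     "gender": "M", "diagnosis": "E11", "treatment": "metformin",
     "admission_year": 2023, "age_band": "45-54"},
]


def build_demo_warehouse(key=None):
    """Ingest the constructed records into a fresh warehouse and vault."""
    vault = IdentityVault()
    wh = Warehouse(key or secrets.token_bytes(32), vault)
    for rec in SAMPLE_RECORDS:
        wh.ingest(rec)
    return wh, vault


if __name__ == "__main__":
    wh, vault = build_demo_warehouse()
    for p, row in wh.analytical.items():
        print(p[:12], row)
    try:
        vault.reidentify(next(iter(wh.analytical)), role="researcher")
    except PermissionError as e:
        print("blocked:", e)
    print(vault.access_log[-1])
```

Two design points are worth noting. The pseudonym key and the vault are the only things that allow re-linking, so in a real deployment they belong to the pseudonymization service, not to the analytical environment that researchers query; and the date of birth and gender in the sample record never reach the analytical store because the allow-list is applied at ingest, which is where the minimization rule from the article is cheapest to enforce and to audit.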
For research purposes, additional steps are required, such as either complying with a CNIL reference methodology or submitting an authorization request under Article 66 of the French Data Protection Act.
Practical cases and GDPR compliance best practices
Implementing GDPR compliance for health data requires a tailored approach based on the context, whether it be a public hospital, a digital start-up, or a research project. Examples include:
Case 1: A public hospital implements a data warehouse.
A university hospital implements a data warehouse to analyze care pathways and improve the quality of care. Management relies on the CNIL framework, ensures that the purposes are of public interest, and declares compliance.
Key actions:
- Appointment of a DPO from the design stage
- A full DPIA
- Automatic pseudonymization upon warehouse entry
- Access control and traceability by user profile
The reference methodology to be applied here is MR-005, which covers the creation and operation of a health data warehouse.
MR-005 covers governance, impact analysis, pseudonymization, security, and the use of data for management and research purposes without individual consent.
The result is that the hospital can use the data to manage its activities and prepare internal research projects without having to request consent systematically again.
Case 2: An academic research project reuses a warehouse.
University researchers want to study treatment side effects using data from the hospital warehouse. This requires reusing pseudonymized data.
Steps taken:
- Submission to the scientific and ethics committee
- Positive opinion, followed by a declaration of compliance with the MR-004 methodology
- Security framework reviewed by the DPO
- Documentation in the records of processing activities
The reference methodology here is MR-004 (Research Not Involving Human Subjects).
MR-004 governs observational studies and the secondary use of data from care or data warehouses. Projects must pass before an ethics committee and be registered.
The project can be launched without individual consent because its purposes are compatible with the initial mission and comply with the GDPR and the Data Protection Act.
More information on the reference methodologies is available from the CNIL.
Case 3: Health start-up and digital platform
A start-up develops a post-surgery monitoring app that collects health data directly from patients with their explicit consent.
Compliance measures:
- Consent is collected via a clear interface with granular options.
- Data is limited to functional needs (e.g., symptoms, recovery).
- The app is hosted by a certified health data hosting provider (HDS).
- An external DPO is appointed.
Since there is no public interest mission, processing relies on explicit consent under Article 9.2.a of the GDPR.
Checklist: Ensuring GDPR compliance for health data
These best practices apply equally to large institutions and small organizations. They help anticipate risks, avoid sanctions, and ensure the responsible management of sensitive data.
To conclude, we present the interview with Alexandra Turbellier, the DPO at Fondation Santé Service.
Frequently Asked Questions (FAQ)
- Is health data always considered sensitive?
Yes. According to the GDPR, health data is classified as a special category of data, meaning it is considered sensitive whenever it reveals information about an individual’s physical or mental health.
- Is consent always required to process health data?
No, consent is only required if no other legal basis applies. Processing may also be justified by public interest tasks or legal obligations.
- Can pseudonymized data be used without authorization?
No, because even when pseudonymized, data remains personal. Processing it requires a legal basis and, in some cases, CNIL authorization or declaration.
- What are the penalties for noncompliance?
Depending on the seriousness of the breach, fines can reach up to €20 million or 4% of global annual turnover.