Health data and data privacy: storing sensitive data under GDPR

Under GDPR law, sensitive data is in a much higher risk category than other types of personal data. Businesses that store sensitive health data should focus on GDPR administrative and technical recuirenments.

Health data and data privacy: storing sensitive data under GDPR

Under GDPR, health data is a special category of data with more stringent protections than other types of personal data. Businesses that store health data should focus on GDPR administrative and technical requirements.

Art. 4(15) of the EU General Data Protection Regulation (GDPR), defines data concerning health as: “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.

Besides health data, special categories of data include sexuality, racial or ethnic origin, political opinions, religious or other beliefs, trade union memberships, biometrics which identify a person, genetic information, and information on criminal offences and convictions.

Such data provide more significant information about a person and so receive special protection.

CHBM and GDPR: health data case study

In October 2018, the Centro Hospitalar Barreiro Montijo (CHBM) was fined €400,000 for various breaches of the GDPR relating to health data. The Portuguese DPA started to investigate CHBM following a complaint from the Sindicato dos Médicos da Zona Sul (Medical Workers Union of the Southern Zone). They reported that non-clinical staff were using ‘medical’ profiles to access CHBM’s computer system. This meant that they were potentially able to view patient’s health data.

CHBM were fined €400,000 for 3 breaches of the GDPR relating to health data. Their argument that they were not responsible because the software was provided by a 3rd party was dismissed.

After inspecting the hospital, the Portuguese DPA found that the hospital's account management practices were deficient. They found 985 users were registered on the system with ‘Physician’ permissions, but only 296 physicians were actually employed. One test profile was set up with the same unrestricted access as the ‘technical’ profile, and nine social workers had been given access to confidential patient information. The hospital argued that it was not responsible for these deficiencies as they used the IT system provided to public hospitals by the Portuguese Health Ministry.


However, the DPA found it was the hospital's responsibility to ensure that adequate security measures were implemented. It failed to respect patient confidentiality and limit access to patient data, and to ensure the confidentiality, integrity, availability and permanent resilience of treatment systems and services.

You can read more about this case and the lessons you can learn in our recent blog. As we show, data privacy is taken seriously by DPAs in the EU, and GDPR is being enforced for every size of business.

Rules for storing sensitive data under GDPR

  • From an administrative point of view, managing sensitive data requires you to provide explicit consent forms to your users, perform a DPIA, assign roles in your company, notify the Data Protection Authority in your country (in some cases), and many other tasks.


  • From a technical point of view, you must implement measures including authentication and access control procedures, data encryption at record level, secure transmission between your mobile app and servers, pseudonymisation or anonymisation to reduce risks when you process the data, non-modifiable audit logs, disaster recovery and systems to give users access and deletion rights for their data, among other things.

How does help with health data and data privacy? lets you securely store any data object with just 1 API call, leaving you to focus on your app and your users. Use your favourite dev framework and keep your algorithms on your cloud.