GDPR & Health Data
European privacy law that classifies health information as special category data requiring explicit consent and strong protections.
Also known as
General Data Protection Regulation, EU health data rights
Why travellers need to know
Digital health tools used while abroad — apps, telemedicine platforms, online pharmacies — often collect health data. GDPR gives EU (and UK) residents strong rights over how that data is used, but only if the company falls within GDPR's scope.
Real-world example
A British traveller downloads a symptom-checking app while in Spain. After returning home, she realises the app's terms allowed it to sell anonymised health data to insurers. She submits a GDPR deletion request — and under EU and UK GDPR, the company must erase her data within one month.
Country-specific notes
🇪🇺 European Union
Health data requires explicit opt-in consent under GDPR
Unlike basic personal data, health data cannot be processed under "legitimate interest" — it needs a specific legal basis, usually explicit consent or vital interest in emergencies.
Read app privacy policies carefully before entering symptoms or diagnoses — look for where data is stored and whether it leaves the EU.
🇬🇧 United Kingdom
UK GDPR mirrors EU rules post-Brexit
The UK retained GDPR-equivalent protections after leaving the EU. The UK ICO (Information Commissioner's Office) enforces these rules. Your rights are effectively the same as under EU GDPR.
File UK GDPR complaints with the ICO at ico.org.uk — the process is straightforward and free.
🇺🇸 United States
The US has no federal GDPR equivalent — protections are patchwork
HIPAA covers medical providers, but health apps, wearables, and wellness platforms in the US are largely unregulated. Some states (California, Virginia) have consumer privacy laws, but none match GDPR's breadth.
Be especially cautious with US-headquartered health apps that are not subject to HIPAA — your data may be sold or retained indefinitely.
Frequently asked questions
Does GDPR apply to apps I use while travelling in Europe?
It depends on where the app is headquartered and where it processes data. If an app targets EU users or processes data about people in the EU, GDPR applies. Most major apps serving European markets are GDPR-compliant.
What rights do I have under GDPR for health data?
The right to access a copy of your data, correct inaccuracies, request erasure (the "right to be forgotten"), object to processing, and data portability. You can also withdraw consent at any time, which must stop the processing.
Nomedic is fully GDPR-compliant — your records are encrypted and permanently deletable.