EU GDPR Legal Framework and Compliance Resources |

Resources regarding privacy law compliance in EU

Main resources to start with privacy law compliance

Data Protection in EU

When analyzing the EU Data Protection environment, the most important act to be considered is the GDPR (the acronym for General Data Protection Regulation). This new legal instrument aims at harmonizing a great amount of rules regarding privacy and security of EU citizens’ data, which were previously (with the old directive 95/46/EC) fragmented. Together with GDPR, other sources and official bodies (such as art. 29 Working Party and ENISA) must be kept monitored, since they contribute at implementing the most recent and important guidelines on these matters.

What is "Health Data" under EU laws

According to the GDPR Health Data are "all data pertaining to the health status of a data subject” (See recital 35 and art. 4(15) GDPR). As such, they can be considered as a sub-category of Personal Data. The definition provided by GDPR is further broadened by the Art. 29 Working party, the EU body with advisory status on data protection matters, which allows to identify situations when personal data can be considered as Health Data.

Examples of Health data can be heart rate (ECG), weight tracking, blood pressure, healthcare payments, step counts, heartbeat tracking, diseases and many others.

Although the definition provided by GDPR may seem clear, there are still some “grey areas”, where data are difficult to categorize. It is fundamental to understand what type of data you are collecting: you can assess that by downloading our Decision Tree, a 5 min. test where you will be able to understand from a legal point of view the different legal challenges depending on the type of data you collect.

Data Controllers & Processors

To start with privacy law compliance, it is fundamental to understand the service delivery chain and to identify who's the subject responsible for the processing of data in your case.

GDPR and EU data protection laws identy different figures in the liability chain:

  • Data Subjects: service users to whom data belong to.

  • Data Controllers: the entity responsible for data collection and management. If you are delivering your services directly to consumers (e.g. a fitness/disease tracking apps), then you are the Controller.
    If you are delivering your service to a hospital, and then the hospital delivers your services to its users, then you are not (usually) nominated as Data Controller.
    Note that Controllers have to satisfy organizational requirements that are listed later on.

  • Data Processors: are entities that help you delivering a service. for example is a Data Processor since it provides a set of services to you.
    If you are delivering your service to a hospital, and then the hospital delivers your services to its users, then you are usually nominated as Data Processor.

Assigning roles is the first step towards identifying what are the requirements you must satisfy and implement within your system.

Requirements for Data Controllers & Processors

Technical Requirements

A typical cloud application has different components on the backend side that are responsible for the user, data and application logic management. The list of technical safeguards affects mainly the API, user and health data. They include:

  • Access control

  • Encryption of data in transfer

  • Encryption of data at rest (Storage)

  • Secure audit log

  • Backup strategy

  • Reliability (QoS and SLA)

  • .....

Organizational Requirements

Their main aim is to ensure that the developers’ data processing is legal and that their service is properly regulated. These measures must be analyzed case by case with lawyers in order to discover implications related to your specific data processing. With documentation this is much easier. They include:

  • Provide you security risk assessments

  • Help you on documenting your data processing

  • Help you on Data Portability

  • Help you on Right to be Forgotten

  • .....

Implementing technical requirements is complex, expensive, risky in case of errors, and time consuming. implements all safeguards and offers to developers a set of API that can be easily integrated within apps or servers to store securely sensitive data.

Organizational requirements must be analysed case by case to discover implications related to your specific data processing. makes it easier for example to clarify to Data Protection Authorities and to your customers how you process and store collected data. However you may need to involve lawyers and experts for completing the overall analysis.

EU Data Protection and Cyber Security Directives & Laws

The reference website for updates about Data Protection in the EU is:

The reference website for updates about Cyber Security strategy in the EU is:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)(Text with EEA relevance)

  • Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (the Data Protection Directive) Harmonises national laws which require high-quality data management practices on the part of the “data controllers” and the guarantees of a series of rights for individuals. It provides generic description about categories of data and general data protection principles. It doesn’t mention security safeguards and it has been defined many years ago so it does not mention topics such as as Cloud. It will be improved by the forthcoming GDPR.

  • Regulation 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data of 18 December 2000. It regulates the processing of individuals' personal data when the processing is taking place by Community institutions and bodies.

  • Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services.

  • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

  • Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.

  • Agreement on the first EU-wide legislation on cybersecurity of the European Parliament, the Council and the Commission. (12/2015).

Other relevant documents and opinions

Member States Laws

The question "if and how single Member State privacy laws differ from EU Directives and among each other" is very difficult to answer.

Although EU Regulations (e.g. GDPR) are are directly enforceable within Member States, national laws can impose further and stricter requirements than those listed in supra-national laws. For this reason it is important to analyse always national laws of the state where you are delivering your service.

At we constantly monitor the changes and evolutions especially what it relates to our business. For example we ensure that our security measures, internal practices and procedures for managing health data ensures compliance within each Member State.

It is important to point out that at EU level privacy laws do not define in detail all security requirements. Usually laws and directives state general principles such as that health and sensitive data must be encrypted, or that best security standards must be implemented. Those security standards are usually defined by specific bodies such as ENISA.

Another aspect to keep in mind is the national level certifications or specific requirements that a public body (e.g. hospital) can impose to you.

While national level certifications are present only in France ( and represent a huge obstacle for startups and innovation), specific requirements at hospital level must be considered case by case. For example frequently hospitals ask to deploy services within their own server farm, or to implement old-fashio security strategies like VPN.

At we aim at helping companies in solving these challenges. Whenever you will have a question do not hesitate to contact us at

Some useful resources:

Still have questions?

Check our FAQ

At we work full time on solving these issues for you