EU GDPR Legal Framework and Compliance Resources |

Resources regarding privacy law compliance in EU

Main resources to start with privacy law compliance

EU Data Protection Laws

According to the EU Commission Health Data are "all data pertaining to the health status of a data subject"

This includes heart rate (ECG), weight tracking, blood pressure, healthcare payments, step counts, hearthbeat tracking, diseases.

According to the EU Commission "the fact that a someone has broken her leg, that a person is wearing glasses or contact lenses, data about a person's intellectual and emotional capacity (such as IQ), information about smoking and drinking habits, data on allergies disclosed to private entities (such as airlines) or to public bodies (such as schools); data on health conditions to be used in an emergency (for example information that a child taking part in a summer camp or similar event suffers from asthma).

The category also includes health related data used in an administrative context, such as data disclosed to public bodies on whether one’s household includes individuals with specific diseases and/or disabilities for the purpose of tax deductions or other allowances. .

Health data also include: 'information derived from the testing or examination of a body part or bodily substance, including biological samples' and: any information about 'disease risk' and about 'the actual physiological or biomedical state of the data subject independent of its source'.. "

and much much more .. read the EU article for a full definition of health data

According to the Art. 8 of the Data Protection Directive (95/46/EC) health data as a special category of data to which a higher level of data protection applies

Data Controllers & Processors

To start with privacy law compliance, first of all it is fundamental to understand the service delivery chain and to identify the liability chain that apply to your case.

According to EU data protection law there are 3 different roles:

  • Data Subjects: service users to whom data belong to.

  • Data Controllers: the entity responsible for data collection and management. If you are delivering your services directly to consumers (e.g. a fitness/disease tracking apps), then you are the Controller.
    If you are delivering your service to a hospital, and then the hospital delivers your services to its users, then you are not (usually) nominated as Data Controller.
    Note that Controllers have to satisfy administrative requirements that are listed later on.

  • Data Processors: are entities that help you delivering a service. for example is a Data Processor since it provides a set of services to you.
    If you are delivering your service to a hospital, and then the hospital delivers your services to its users, then you are usually nominated as Data Processor.

Assigning roles is the first step towards identifying what are the requirements you must satisfy and implement within your system.

Requirements for Data Controllers & Processors

Technical Requirements

These safeguards must be implemented to protect data. They require huge amount of work, knowledge and time. They include:

  • Access control

  • Encryption of data in transfer

  • Encryption of data at rest (Storage)

  • Secure audit log

  • Backup strategy

  • Reliability (QoS and SLA)

  • .....

Infrastructural Requirements

You must choose a IaaS provider that satisfies all EU rules for processing and storage of sensitive data. The provider must ensure:

  • Reliable hosting infrastructure

  • Processing and storage located in the EU

  • Physical infrastructure protection

  • Certification depending on the nature of your health app

  • .....

Administrative Requirements

These requirements need to be considered case by case involving lawyers & privacy experts. They include:

  • Provide you security risk assessments

  • Help you on documenting your data processing

  • Help you on Data Portability

  • Help you on Right to be Forgotten

  • .....

Implementing technical and infrastructural requirements is complex, expensive, risky in case of errors, and time consuming. Here you can check by yourself with our Calculator. implements all safeguards and offers to developers a set of API that can be easily integrated within apps or servers to store securely sensitive data.

Administrative requirements must be analysed case by case to discover implications related to your specific data processing. makes it easier for example to clarify to Data Protection Authorities and to your customers how you process and store collected data. However you may need to involve lawyers and experts for completing the overall analysis.

EU Data Protection and Cyber Security Directives & Laws

What is the European Legislation about Data Protection?

The reference website for updates about Data Protection in the EU is:

The reference website for updates about Cyber Security strategy in the EU is:

  • Proposal for a European General Data Protection Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) It defines a single data protection law in EU and it has been approved at the beginning of 2016.

  • Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (the Data Protection Directive) Harmonises national laws which require high-quality data management practices on the part of the “data controllers” and the guarantees of a series of rights for individuals. It provides generic description about categories of data and general data protection principles. It doesn’t mention security safeguards and it has been defined many years ago so it does not mention topics such as as Cloud. It will be improved by the forthcoming GDPR.

  • Regulation 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data of 18 December 2000. It regulates the processing of individuals' personal data when the processing is taking place by Community institutions and bodies.

  • Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services.

  • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

  • Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.

  • Agreement on the first EU-wide legislation on cybersecurity of the European Parliament, the Council and the Commission. (12/2015).

Other relevant documents and opinions

Member States Laws

The question "if and how single Member State privacy laws differ from EU Directives and among each other" is very difficult to answer.

In cases when we have EU Regulations (e.g. GDPR) the question is not relevant, since regulations are directly enforceable within Member States, since they are laws and not directives.

Otherwise, Member States must implement the principles stated by EU Directives into national laws. In some States this process consisted in simple translation of directives text, while in other cases (e.g. Italy) the national laws contain some specific interpretations.

For this reason it is important to analyse always national of the state where you are delivering your service. There could be differences for example in notifying Data Protection Authority. Other principles like data storage location cannot change.

At we constantly monitor the changes and evolutions especially what it relates to our business. For example we ensure that our security measures, internal practices and procedures for managing health data ensures compliance within each Member State.

It is important to point out that at EU level privacy laws do not define in detail all security requirements. Usually laws and directives state general principles such as that health and sensitive data must be encrypted, or that best security standards must be implemented. Those security standards are usually defined by specific bodies such as ENISA.

Another aspect to keep in mind is the national level certifications or specific requirements that a public body (e.g. hospital) can impose to you.

While national level certifications are present only in France ( and represent a huge obstacle for startups and innovation), specific requirements at hospital level must be considered case by case. For example frequently hospitals ask to deploy services within their own server farm, or to implement old-fashio security strategies like VPN.

At we aim at helping companies in solving these challenges. Whenever you will have a question do not hesitate to contact us at

Some useful resources:

Still have questions?

Check our FAQ

At we work full time on solving these issues for you