Healthtech companies face the most demanding GDPR compliance environment of any SaaS sector. Health data is special category data — the highest protection tier under the regulation. Processing it without a valid legal basis is a serious violation, and regulators treat health data breaches as priority enforcement cases.
This article covers what GDPR requires from healthtech companies specifically.
## Why Health Data Triggers Heightened Requirements
Under GDPR Article 9, health data is "special category data." This means:
- The standard lawful bases for processing (legitimate interest, contract performance, consent) are insufficient on their own
- You need a separate justification under Article 9(2) in addition to a standard Article 6 lawful basis
- You must conduct a Data Protection Impact Assessment (DPIA) before processing health data at scale
- Security obligations are heightened — appropriate to the sensitivity of the data
Health data includes: diagnoses, treatment records, prescriptions, test results, mental health information, biometric data, genetic data, insurance claims data, disability status, and any data that reveals or could reveal a person's health condition.
For healthtech platforms, this typically covers the entire product.
## Lawful Bases for Processing Health Data
You need two things: a standard Article 6 basis and an Article 9 basis.
### Article 6 — Standard Lawful Basis
For most healthtech B2C products: consent (Article 6(1)(a)) — freely given, specific, informed, and unambiguous.
For B2B healthtech (processing patient data on behalf of healthcare providers): contract performance or legitimate interests of the healthcare provider — but the healthcare provider controls the data, not you. You are a processor.
### Article 9 — Special Category Justification
The most common grounds for healthtech:
| Ground | When it applies |
|---|---|
| Explicit consent (9(2)(a)) | Patient or user explicitly consents to health data processing for the specific purpose |
| Vital interests (9(2)(c)) | Processing necessary to protect life when the person cannot consent |
| Medical treatment and management (9(2)(h)) | Processing by health professionals for healthcare, treatment planning, management — subject to professional secrecy |
| Public health (9(2)(i)) | Processing necessary for public health purposes authorised by law |
| Research with appropriate safeguards (9(2)(j)) | Scientific research with pseudonymisation and strict access controls |
For most B2C healthtech (wellness apps, mental health platforms, diet and fitness trackers): explicit consent is the basis. This means separate consent forms, clear purposes, and easy withdrawal.
For B2B healthtech (clinical software, hospital systems): the healthcare provider justification under 9(2)(h) applies, but only when your platform is directly supporting clinical care.
## DPIA Requirements for Healthtech
A Data Protection Impact Assessment is mandatory under GDPR Article 35 when processing is "likely to result in high risk" to individuals. Processing health data at scale always triggers this.
Your DPIA must cover:
- Description of the processing and its purpose
- Assessment of necessity and proportionality
- Risks to data subjects (what could go wrong, how severe, how likely)
- Measures to address those risks
For healthtech platforms, DPIAs must be conducted before:
- Launch of a new health data processing feature
- Significant changes to how health data is processed
- Use of health data for new purposes (e.g., research, ML training)
Revisit DPIAs at least annually or when processing changes.
## Consent in Healthtech: Common Failures
Healthtech companies frequently get consent wrong:
Bundled consent: Combining health data consent with terms of service acceptance. Health data consent must be separate, specific, and prominent.
Pre-ticked boxes: Consent is not valid if the checkbox is pre-ticked. Users must affirmatively opt in to health data processing.
Vague purposes: "We use your health data to improve our product" is not a specific enough purpose. Each processing purpose needs its own consent.
No easy withdrawal: Users must be able to withdraw consent at any time without detriment. If withdrawing consent deletes the user's account, that disproportionate consequence undermines the free nature of consent.
Children's health data: If your platform is accessible to under-16s (under-13 in some member states), additional safeguards apply. Parental consent is required for child health data.
## Data Processing Agreements for B2B Healthtech
If you process patient data on behalf of healthcare providers (hospitals, clinics, GP practices), you are a data processor. This requires:
- A written Data Processing Agreement (DPA) under Article 28
- Clear specification of what data you process, for what purpose, for how long
- Sub-processor disclosure and management
- Technical and organisational security measures described
Healthcare providers are increasingly sophisticated buyers of healthtech SaaS. They will request and review your DPA, conduct security questionnaires, and may require audits. Have these documents ready before enterprise sales conversations.
## Data Breach Response in Healthtech
Health data breaches are treated as high-priority by supervisory authorities. The 72-hour breach notification obligation to the supervisory authority applies, and notification to affected individuals is required if the breach "is likely to result in high risk."
For healthtech, almost any breach of health data will meet the "high risk" threshold — the sensitivity of the data means even limited exposure can cause significant harm (discrimination, stigma, insurance impact).
Health data breach response must:
- Have a clear incident response procedure pre-established
- Include specific health data in the breach severity assessment
- Notify affected patients promptly if at risk
- Coordinate with the healthcare provider if the data was processed on their behalf