Mobile health and GDPR: regulation explained well


Mobile health or m-health is that branch of electronic health or e-health that encompasses information and communication technologies (ICTs), wearable devices and other tools for the prevention, promotion, treatment and maintenance of health.

More generally, mobile health can be defined as the informed use of smart devices and medical sensors to improve people’s quality of life.


Mobile health applications

Emerging technologies in m-health are:

Mobile health devices collect clinical data and monitor vital signs to provide personalised digital assistance. To do so lawfully, however, they must comply with the GDPR.

Mobile health and GDPR

EU Regulation 2016/679, known as the General Data Protection Regulation (GDPR), defines the requirements that apps and mobile devices must meet in order to process personal data while remaining compliant with the regulation.

User consent

Articles 7 and 9.2(a) stipulate that device manufacturers and m-health app developers – as data controllers – must obtain the free, specific, informed, unambiguous and explicit consent of the data subject in order to process his or her personal data.

Consent must be obtained before the app is installed, so that the user can read (and understand) the information. The data controller must also be able to demonstrate that the data subject (user or patient) has given consent to the processing of personal data.

According to Article 7.3 of the GDPR then:

Purpose limitation, data minimisation and secondary purposes

Article 5.1(b) states that personal data may only be collected for specified, explicit and legitimate purposes. Furthermore, the processing must not last longer than necessary and must involve only the data strictly necessary for the functioning of the app or mobile device.

The purposes also include research of a scientific or historical nature, which is considered compatible with the original purposes provided that all national and European provisions are complied with.

Default privacy

According to Article 25.1 of the GDPR, the device manufacturer and the app developer must choose by default the least invasive solution for the privacy of the user or patient.

The text reads: «the data controller shall implement appropriate technical and organisational measures […] aimed at effectively implementing the data protection principles» from the planning (design) to the implementation of the device or app.

The obligation applies to the amount of personal data collected, the scope of the processing, the retention period and accessibility. These measures ensure, by "default", that personal data are not made accessible to an indefinite number of natural persons without the intervention of the data subject.

Simple and accessible information

Another important point of the GDPR is Article 12, which stipulates that processing information must be provided:

Furthermore, according to Article 13 of the GDPR, information on the processing of personal data must obligatorily contain:

Preservation and security

Personal data may not be kept longer than necessary, unless otherwise stipulated by law. Indeed, the European Commission’s “Privacy Code of Conduct on Mobile Health APPs” recommends that data controllers define the criteria for deletion of personal data and communicate them to users in a timely and appropriate manner. This should be communicated before the app is installed or the device is used and, in any case, before personal data are collected.


The fact that advertisements appear in the app must be communicated to the user in advance; however, if the advertisements are shown without requiring the processing of personal data, the data controller only has to provide the user and/or patient with the possibility of removing the advertisements.

Conversely, if the displayed advertisements require the processing of personal data, the consent of the data subject must be requested before installation by means of a specific and separate "opt-in" clause.

Transferring data abroad

Users and/or patients must be informed about the transfer of their personal data abroad to countries outside the EU/EEA. In the event of transfer, data must be protected by appropriate measures (e.g. standard contractual clauses and Binding Corporate Rules).


Pursuant to Article 33.1 of the GDPR, in the event of a personal data breach, the data controller shall notify the breach to the competent supervisory authority (e.g. the Garante della Privacy) within 72 hours of becoming aware of it.

If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by the reasons for the delay. In addition, Article 34.1 states: «when the personal data breach is likely to present a high risk for the rights and freedoms of natural persons, the controller shall notify the data subject of the breach».


Mobile health apps and devices intended for minors must, according to Article 2-quinquies of the Privacy Code, ensure that the minor has already reached the age of 14 in order to be able to give consent to the processing of personal data.

Otherwise, consent is lawful if given by the person exercising parental responsibility. In any case, a more restrictive approach must be taken with regard to minors.
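As an added example (not from the article), the following Python consent ledger encodes the obligations described above: explicit per-purpose opt-in with advertising kept as a separate purpose, stored proof of consent, withdrawal, the age-14 gate for minors, and deletion when consent is withdrawn or the retention period ends. Purpose names, retention periods and the notice version are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Purpose names are assumptions for this example; each purpose needs its own explicit
# opt-in (Art. 7, 9.2(a)), and advertising that processes personal data is a separate opt-in.
PURPOSES = ("vital_signs", "scientific_research", "personalised_ads")
MIN_AGE = 14  # Art. 2-quinquies of the Italian Privacy Code
# Constructed deletion criteria per purpose (the controller must define and communicate them)
RETENTION = {"vital_signs": timedelta(days=365),
             "scientific_research": timedelta(days=3650),
             "personalised_ads": timedelta(days=90)}

@dataclass
class ConsentLedger:
    user_id: str
    age: int
    parental_consent: bool = False
    consents: dict = field(default_factory=dict)  # purpose -> (granted_at, notice_version)
    records: list = field(default_factory=list)   # (purpose, collected_at, payload)

def can_consent(ledger: ConsentLedger) -> bool:
    # Under 14, only the holder of parental responsibility can give consent
    return ledger.age >= MIN_AGE or ledger.parental_consent

def grant(ledger: ConsentLedger, purpose: str, notice_version: str, now: datetime) -> None:
    # Nothing is enabled by default (Art. 25.1); consent is stored with the time and the
    # version of the notice the user saw, so the controller can demonstrate it (Art. 7.1).
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose {purpose!r}")
    if not can_consent(ledger):
        raise PermissionError("minor under 14: parental consent required")
    ledger.consents[purpose] = (now, notice_version)

def withdraw(ledger: ConsentLedger, purpose: str) -> None:
    # Withdrawal must be as easy as giving consent (Art. 7.3)
    ledger.consents.pop(purpose, None)

def collect(ledger: ConsentLedger, purpose: str, payload: dict, now: datetime) -> None:
    # Purpose limitation: refuse collection for any purpose not explicitly consented to
    if purpose not in ledger.consents:
        raise PermissionError(f"no consent for {purpose!r}")
    ledger.records.append((purpose, now, payload))

def purge(ledger: ConsentLedger, now: datetime) -> int:
    # Delete data whose purpose was withdrawn or whose retention period has elapsed;
    # returns the number of records deleted
    keep = [r for r in ledger.records
            if r[0] in ledger.consents and now - r[1] <= RETENTION[r[0]]]
    deleted = len(ledger.records) - len(keep)
    ledger.records = keep
    return deleted
```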

The goals of the WHO

One of the goals of the World Health Organisation (WHO) is to spread mobile health procedures, apps and devices as widely as possible to achieve universal health coverage.

Mobility, and not only digital transformation and dematerialisation, is in fact the answer to the needs of the more dynamic citizenry typical of smart cities.

If mobile health, in compliance with the GDPR and the law in general, can really help citizens to book a doctor’s appointment, quickly receive the results of blood and urine tests and, with slightly more sophisticated tools such as portable ECGs, monitor their own state of health, so be it.

Mobile health changes medical research, expands the concept of medicine and improves people's lives. According to data from the European Commission, there are now more than 100,000 mobile health apps.

If you too are interested in mobile health and its untapped potential, contact us. IPPOCRATE AS is a company specialised in the acquisition of European funds for medical research since 2004; we work both in Italy and abroad.

For more information call us or write to us by filling in the contact form below. We will be happy to help you find the right mobile health solution for your needs.
