What are health data, how are they classified, and what legal framework applies to them? Aumans Avocats, a law firm specializing in data protection law, answers these topical questions.
1. Definition and characteristics of health data
The notion of health data [1] is particularly broad: it covers the physical or mental state, past, present or future, of any natural person. Article 4(15) of the GDPR [2] defines health data as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.
This definition covers, among other things, the following:
- A number, identifier or symbol assigned to an individual to uniquely identify them for health purposes (for example a patient or social security number)
- Diseases, symptoms, disabilities, risk of disease, medical history
- The results of medical examinations (biological analysis, imaging, etc.)
- The medical and hospital records
- The prescriptions and orders (medicinal, scanner, MRI, etc.)
- The genetic information
- The biometric data used for identification (fingerprints, retina)
- Data relating to lifestyle habits (diet, physical activity, alcohol consumption, tobacco consumption, etc.)
- Information relating to a clinical treatment or a psychological condition
- Answers to a questionnaire (allergies, pregnancy)
- Data generated by medical devices (blood glucose levels, sleep apnea monitoring, etc.)
- Information obtained from samples (tissues, blood, fluids, etc.)
2. Origin and classification of health data
Health data are classified as such regardless of their origin: they may come from a hospital, a physician, a connected device or a laboratory. What matters is their direct or indirect link to a person’s health.
Because such data may reveal intimate information about a person, an unlawful use of them could have serious repercussions for the rights and freedoms of the individuals concerned. That is why the GDPR places them among the “special categories of personal data” [3], distinguished from ordinary personal data by their nature, their sensitivity and the particular risks attached to their processing. This distinction subjects them to a reinforced legal regime: on the one hand, processing requires a specific legal basis such as explicit consent or public interest; on the other hand, it guarantees them a higher level of protection.
It is noteworthy that the Court of Justice of the European Union (CJEU) issued a judgment on October 4, 2024 (Case C-21/23) [4] interpreting the concept of health data in the context of the sale of medicines, with or without a medical prescription, by online pharmacies. The Court held that information collected when medicines are ordered must be considered health data even where the medicines do not require a prescription. This includes data such as the customer’s name or address, provided they are used in a context that reveals something about the person’s state of health.
In that case, the information entered during an online order made it possible to link an individual to a specific medicine, its therapeutic indications or its use. Thus, although name and address data do not at first glance appear to relate to health, their association with information about medicines was sufficient to qualify them as health data, and they must therefore be processed under the regime and requirements applicable to health data.
3. Legal framework applicable to health data in France
Although Article 9 of the GDPR prohibits the processing of health data in principle, it provides several exceptions under which such processing is permitted, including:
- The explicit consent of the data subject: consent must be freely given, specific, informed and unambiguous. According to the EDPB (European Data Protection Board) guidelines on consent [5], a person whose health data are to be processed must be able to choose freely whether to accept or refuse, without pressure or negative consequences. Consent must be given for one or more specific processing purposes. The individual must receive enough information to understand exactly what they are consenting to; this transparency is essential to an informed decision. Finally, consent must be expressed through a clear affirmative act.
- Protection of the vital interests of the data subject.
- Public interest in the area of public health.
- Scientific research: according to the EDPB guidelines on consent, scientific research “means a research project set up in accordance with relevant sector-related methodological and ethical standards, in conformity with good practice” [6].
- Preventive or occupational medicine.
The question of the legal basis must be approached differently depending on whether the processing is a “primary use” (such as the direct use of health data in the course of care) or a “secondary use” (the subsequent processing of data originally collected for another purpose). Secondary use is particularly common in health data warehouses (in French, entrepôts de données de santé, or EDS) [7], which centralize data so that they can be made available to projects such as scientific research. These warehouses therefore play a key role in exploiting health data for a variety of uses while respecting the requirements of the GDPR.
4. The key role of the CNIL regarding health data
In France, the Commission nationale de l’informatique et des libertés (CNIL) plays a crucial role in ensuring compliance with the obligations of the GDPR and of the Informatique et Libertés Act (LIL).
In the field of healthcare, its responsibilities include in particular:
- The publication of sector-specific standards (for example, the standard for health data warehouses).
- Support and guidance for the actors concerned.
- The imposition of sanctions for violations of the GDPR and the Informatique et Libertés Act, whether committed by public or private entities.
- The publication of reference methodologies, practical guides, news, etc.
More generally, the CNIL works actively with the parties concerned to disseminate its tools and to raise awareness of compliance with the applicable laws and regulations. The current framework resulting from the GDPR and the LIL could also evolve significantly in the coming years, depending in particular on the outcome of the public consultation on reference methodologies that the CNIL launched in 2024.
As a firm specializing in data protection law, Aumans Avocats supports numerous healthcare stakeholders, particularly with legal advice on e-health.
[1] https://www.cnil.fr/fr/quest-ce-ce-quune-donnee-de-sante
[2] https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX%3A32016R0679
[3] https://www.cnil.fr/fr/reglement-europeen-protection-donnees/chapitre2#Article9
[4] https://curia.europa.eu/juris/document/document.jsf?text=&docid=290696&pageIndex=0&doclang=fr&mode=req&dir=&occ=first&part=1&cid=4250678
[5] https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_fr
[6] https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_fr
[7] https://www.cnil.fr/fr/traitements-de-donnees-de-sante-comment-faire-la-distinction-entre-un-entrepot-et-une-recherche-et