Back to blog

Health data and GDPR: Best practices for analytics in the EU

Analytics Healthcare

Written by

Published October 27, 2021 · Updated April 12, 2023

Health data and GDPR: Best practices for analytics in the EU

Analytics platforms give organizations the power to gain insights into how visitors use their websites, apps and products. They also indicate areas that require improvement. Depending on the setup of your platform, your analytics data may or may not contain personal data. If your organization operates in the healthcare sector, analytics data could also reveal details about a person’s health. That might be the case, for example, with:

  • Web pages frequently visited by a patient checking their medical information stored on the hospital’s servers
  • The information gathered from self-diagnosis websites, apps or software that can be integrated with, or qualifies as, a medical device

If data you collect contains health details, you need to handle it with extra caution, as it is governed by strict data protection legislation. In this article you will learn which European regulations cover the use of health data, what responsibilities you shoulder and what best practices you should follow.

Collecting health data under GDPR and the ePrivacy Directive: where to start?

Many different complementary laws apply to the use of health data. When talking about web analytics, the ePrivacy Directive (ePD) is the first one that springs to mind. The ePD regulates the use of cookies, tags and other tracking technologies, and is implemented within national legislations across Europe. This means that the rules are slightly different in each Member State. 

The ePrivacy Regulation, which will unify the various pieces of legislation across the EU Member States, is set to come into effect in the next few years. But before this happens, the ePD and its national implementations are still in force. The ePD requires you to get consent for using non-functional cookies, such as marketing or analytics cookies.

Important note! Some European countries, such as the Netherlands, provide an exception for analytics cookies. As long as they have a minimal impact on individuals’ privacy and are privacy-friendly, consent is not needed here. 

To learn more about national implementations of GDPR, read this: Everything you need to know about cookie consent in the EU.

The General Data Protection Regulation (GDPR), which regulates the use of personal data, defines consent and specifies it should be freely given, specific, informed and unambiguous.

What is health data according to the GDPR?

Another concept defined by the GDPR is health data. Health data is a special category of personal data which relates to someone’s physical or mental health. This also includes information gathered when a patient receives treatment.

That said, this definition has some gray areas. For example, if someone searches through a self-diagnosis website, does this constitute health data? Without additional identifiers, such as name or contact details, this data doesn’t necessarily relate to a specific person. Someone could also visit websites with medical advice, looking for information needed for someone else’s treatment, for study, work, or personal interest. The use of certain websites may not necessarily constitute health data. 

However, things are quite different when it comes to the information gathered from a patient’s medical file or software which qualifies as a medical device. Analytics data from such software will most likely, and without additional measures, constitute health data.

Medical device and software: Software that is intended to be used for a medical purpose, such as diagnosing or treating a disease, injury or disability is classified as a medical device under European legislation. Software that is used to predict a disease or disability may also qualify as such. This includes Software-as-a-Service (SaaS), Artificial Intelligence (AI) and on-premises software.

The purposes of collecting and processing health data

The GDPR establishes that the processing of health data is forbidden unless an exception applies. For example, processing health data is necessary when a medical professional provides treatment and documents this in the patient’s file. But when processing health data for another purpose, consent is required in most cases. 

National legislation often poses additional obligations for processing data for other purposes than it was initially collected. For health data, most countries have a form of doctor-patient confidentiality, which means that treatment data may only be used for a specific treatment. Sharing this data with third parties, including other medical professionals, generally demands the patient’s consent

Processing health data in the EU: transparency is key

If organizations want to use cookies or process health data that isn’t bound by doctor-patient confidentiality, then consent is needed in most cases within Europe. Moreover, transparency is required when using cookies in healthcare IT systems, such as in software, websites and mobile apps

This is a good practice also for creating cookie banners and privacy policies, even if you don’t plan to collect health data. Stating clearly why certain information is collected and processed assures the visitor or user that their data is handled properly. This will also provide clear insights into the values and motives of an organization.

Being transparent helps convince website visitors or app users to allow for the use of analytical cookies. Using GDPR-compliant analytics platforms could also help with providing a privacy-friendly website or software for visitors or users. 

Piwik PRO offers an analytics platform that can be hosted locally (in a safe private cloud in a dedicated database or dedicated hardware, or on-premises in the client’s cloud subscription) and lets organizations choose a tracking method that satisfies their privacy needs. Gathering statistics about the most popular pages can be done fully anonymously and still empower organizations to evaluate and improve their online activities. This applies only if such data isn’t combined with third-party data from other tools; otherwise, there is a risk of individuals being identified.

All in all, processing health data via analytics platforms requires extra caution. Using locally hosted software and only collecting anonymous data can help companies fulfill their legal obligations while still bringing business value

Additional reading:


Laura Monhemius

Legal advisor at ICTRecht

Laura Monhemius is part of ICTRecht’s privacy team as a legal advisor. Laura supports organizations with drafting agreements, data protection impact assessments, legal advice, policy documents and conducting negotiations. She specializes in the specific legal challenges in the field of privacy and healthcare. In addition, she is CIPP/E and CIPT certified.

See more posts by this author

Core – a new plan for Piwik PRO Analytics Suite

Privacy-compliant analytics, built-in consent management and EU hosting. For free.

Sign up for free