Full definition
GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) is the EU/EEA's comprehensive data-protection regulation. It applies to any organisation established in the EU/EEA, and to organisations established elsewhere when they offer goods or services to, or monitor the behaviour of, people in the EU/EEA (Article 3, the extraterritorial reach). Penalties reach the higher of €20M or 4% of annual worldwide turnover for the most serious infringements.
GDPR core obligations: lawful basis for processing (consent, contract, legitimate interests, etc.), purpose limitation, data minimisation, accuracy, storage limitation, security, accountability. Data subject rights: access, rectification, erasure ("right to be forgotten"), restriction, portability, objection. Health data is "special category data" under Article 9 with elevated requirements: processing is prohibited unless an Article 9(2) condition applies (explicit consent, provision of health or social care, public health, research, and others) on top of an Article 6 lawful basis, security must be proportionate to the sensitivity, and a Data Protection Impact Assessment is typically required where such data is processed at scale.
For healthcare specifically: cross-border transfer of patient data outside the EEA requires a transfer mechanism (an adequacy decision for the destination country, Standard Contractual Clauses, Binding Corporate Rules) or, for occasional transfers, an Article 49 derogation such as the patient's explicit consent to the transfer. The European Health Data Space Regulation (EHDS, Regulation (EU) 2025/327, in force since March 2025 with obligations phasing in from 2027) adds a layered framework for primary use (clinical) and secondary use (research, public health) of health data.
Where GDPR (General Data Protection Regulation) is used
- Any clinic operating in the EU or EEA
- Any clinic processing data of EU/EEA residents (extraterritorial reach)
- Cross-border medical-tourism patient flows
- Multi-national hospital groups with EU presence
- Telemedicine providers serving EU patients
- Clinical research with EU/EEA participants
Types of GDPR (General Data Protection Regulation)
Lawful basis: consent
Freely given, specific, informed and unambiguous (Article 4(11)), and withdrawable at any time (Article 7(3)). For health data it must additionally be explicit (Article 9(2)(a)), so a pre-ticked box or bundled consent does not meet the standard.
Lawful basis: contract
Processing necessary to fulfil a contract with the data subject.
Lawful basis: legitimate interests
Used carefully: it must pass a documented balancing test against the data subject's rights and reasonable expectations, is not available to public authorities acting in their official tasks, and on its own never satisfies Article 9 for health data.
Article 9 special category data
Health, genetic and biometric data fall here. Processing is prohibited unless one of the Article 9(2) conditions applies in addition to an Article 6 lawful basis.
Cross-border transfer mechanisms
Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), adequacy decisions, and the Article 49 derogations for specific situations.
Quantified benefits
- Strong patient-trust framework
- Mature compliance ecosystem (DPOs, supervisory authorities)
- Adequacy decisions enabling cross-border transfer to several countries
- Aligned with most other modern data-protection regimes worldwide
Frequently asked
Does GDPR apply if I'm outside the EU?
Yes, if you offer services to, or monitor the behaviour of, people who are in the EU/EEA (e.g., serving medical tourists who book from the EU, or providing telemedicine to EU patients). GDPR applies extraterritorially under Article 3(2), and you will generally need to appoint an EU representative under Article 27.
Is consent required for all healthcare processing under GDPR?
No. Explicit consent is one Article 9(2) condition, but healthcare has its own well-defined conditions: provision of health or social care and medical diagnosis (Article 9(2)(h)), public interest in the area of public health (9(2)(i)), protection of vital interests where the patient cannot consent (9(2)(c)), and scientific research (9(2)(j)). Each must be paired with an Article 6 lawful basis, such as contract, legal obligation or public task; legitimate interests alone does not satisfy Article 9.
What are the GDPR penalties?
Up to the higher of €20M or 4% of annual worldwide turnover for the most serious infringements (Article 83(5)), and up to €10M or 2% for the second tier (Article 83(4)). Within those caps the amount is at the supervisory authority's discretion, and authorities can also issue warnings, reprimands and processing bans instead of, or alongside, a fine.
How does MOVO-X handle GDPR?
Per-clinic GDPR configuration, audit logging, encryption at rest and in transit, data residency in the EU for EU clinics, and a Data Processing Agreement (Article 28) with every clinic. EU GDPR compliance is part of the standard product.
What about EHDS?
The European Health Data Space Regulation adds a primary-use (clinical) and secondary-use (research, policy) framework for health data. MOVO-X supports the EHDS interoperability requirements (FHIR-native) and is preparing for full EHDS compliance as the regulation's obligations phase in from 2027.