Shieldra
GDPR Framework Guide
GDPR (Regulation (EU) 2016/679) is the EU’s comprehensive data protection law, applied directly across the EU/EEA since 25 May 2018. For healthcare, the pivotal provision is Article 9: data concerning health is a special category whose processing is prohibited unless an Article 9(2) condition plus an Article 6 lawful basis both apply.
Who GDPR applies to
- Establishment in the EU: a controller or processor with an EU office is covered, wherever the processing happens (Art. 3(1)).
- Offering goods or services to people in the EU — including a free patient portal or app — even with no EU presence (Art. 3(2)(a)).
- Monitoring the behaviour of people in the EU, such as tracking or analytics on EU patients (Art. 3(2)(b)).
Health & special-category data (Article 9)
- Data concerning health, genetic, and biometric data are special categories whose processing is prohibited by default.
- Process special-category data only when an Article 9(2) condition applies — commonly explicit consent or the provision of health or social care.
- The Article 9 condition must sit on top of an Article 6 lawful basis; both must be satisfied.
Data subject rights & breach notification
- Honor access, rectification, erasure, restriction, portability, objection, and limits on automated decision-making (Arts. 15–22).
- Respond to requests within one calendar month (Art. 12(3)); the first copy is free.
- Notify the supervisory authority of a notifiable breach within 72 hours (Art. 33), and affected individuals when risk is high (Art. 34).
How GDPR is enforced
- Lower tier (Art. 83(4)): up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
- Upper tier (Art. 83(5)): up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
- As of 2026 the largest single GDPR fine is €1.2 billion (Meta, Ireland’s DPC, May 2023); cumulative fines have exceeded €6 billion.
Frequently asked questions
What is GDPR in simple terms?
GDPR is the EU’s General Data Protection Regulation (Regulation (EU) 2016/679), in force since 25 May 2018. It sets EU-wide rules for how organizations handle the personal data of people in the EU, gives individuals strong rights, and backs the rules with fines up to €20 million or 4% of global turnover.
Does GDPR apply to US healthcare companies?
It can. Under Article 3, GDPR applies to any organization that offers goods or services to people in the EU or monitors their behaviour. A US telehealth platform, clinic, or health-tech vendor serving EU patients can be subject to GDPR in addition to HIPAA, even without a physical EU presence.
How is GDPR different from HIPAA?
HIPAA is a US sector-specific law protecting PHI held by covered entities and business associates. GDPR is an EU-wide, all-sector law protecting all personal data of people in the EU, with health data treated as a special category under Article 9. GDPR grants broader rights, requires 72-hour breach notification, and carries far larger turnover-based fines.
When does GDPR require a Data Protection Officer?
Article 37 requires a DPO when an organization is a public authority, regularly and systematically monitors individuals at large scale, or processes special-category data such as health data at large scale. Hospitals and many digital-health providers therefore typically must appoint a DPO.