Your health data is among the most intimate information that exists about you. It reveals conditions you may not have disclosed to family members, medications that carry social stigma, genetic predispositions that could affect your employment, and mental health histories that touch the core of your identity. Recognising this, the General Data Protection Regulation (GDPR) places health data in a special category that receives stronger protection than almost any other type of personal information.
Since GDPR became applicable in May 2018, and since its UK equivalent, the UK GDPR, took effect at the end of the Brexit transition period, European and British residents have had a comprehensive set of rights over the health data held about them by hospitals, GP practices, insurers, pharmaceutical companies, health apps, and AI diagnostics platforms. Yet most people have never exercised a single one of those rights, often because they do not know what those rights are, who they apply to, or how to invoke them. This article changes that.
What Counts as Health Data Under GDPR
The Special Category Definition
GDPR Article 4(15) defines data concerning health as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about their health status; Article 9 then lists it among the special categories of data. The scope is deliberately broad. Clinical records, diagnoses, lab results, imaging, prescriptions, and discharge summaries are the obvious examples. But the definition extends further: readings and inferences from wearable sensors, health insurance claims, pharmaceutical dispensing records, appointment histories, and data entered into a consumer wellness app all qualify as health data if they reveal something about a person's health status. Genetic data and biometric data used to identify someone are listed as special categories in their own right, which is covered in the next section.
This matters because the legal threshold for processing special-category data is much higher than for ordinary personal data. An organisation cannot rely on legitimate interests alone to process your medical history. On top of an ordinary lawful basis under Article 6, it must satisfy one of the limited conditions in Article 9(2): most commonly your explicit consent (Article 9(2)(a)), the provision of health or social care or treatment, including diagnosis, carried out by or under the responsibility of a professional bound by confidentiality (Article 9(2)(h)), or a public interest in the area of public health such as disease surveillance (Article 9(2)(i)). If it cannot point to one of these conditions, the processing is unlawful.
Genetic and Biometric Data: A Double Layer of Protection
Genetic data and biometric data processed for the purpose of uniquely identifying a person are treated as separate special categories under GDPR Article 9, in addition to the health data category. This means your genome sequencing results or a fingerprint used to access your medical portal attract protection under two separate special-category provisions simultaneously. Any platform offering AI-powered genomics analysis or biometric authentication must address both layers in their data protection impact assessment.
Who Is Bound by GDPR
Under Article 3, GDPR applies to any organisation established in the EU, and to any organisation outside the EU that offers goods or services to people in the EU or monitors their behaviour there, regardless of where the organisation itself is based. UK GDPR applies on the same terms to organisations established in the UK or targeting people in the UK. In practice, this means that a US-based health app that markets to and serves European users is bound by GDPR, and a Singaporean telemedicine company treating UK patients is bound by UK GDPR. The territorial reach is one of GDPR's most significant features, and it is one reason why the regulation has become a de facto global standard. If you are in the EU or UK and a company holds your health data because you use its service, GDPR almost certainly applies to it.
Your Eight Core GDPR Rights Over Health Data
The Right to Be Informed
Before any organisation processes your health data, Articles 13 and 14 require it to tell you who it is, what data it is collecting, why it is collecting it, the legal basis for processing, how long it will keep the data, whether the data will be shared with third parties, whether it will be transferred outside the EU or UK, and what rights you have. Article 13 applies when the data is collected from you directly; Article 14 applies when it is obtained from someone else, such as a referring clinician, and then also requires the organisation to tell you where the data came from. This information must be provided in a concise, transparent, intelligible form using clear and plain language. A privacy policy buried in legal jargon that no one could reasonably understand does not satisfy this obligation.
The Right of Access
Article 15 gives you the right to obtain confirmation that an organisation is processing your personal data, a copy of that data, including your complete health records, and supplementary information such as the purposes of the processing, who the data has been shared with, how long it will be kept, and where it came from. This is called a Subject Access Request, or SAR. Organisations must respond without undue delay and at the latest within one calendar month of receiving the request; for complex or numerous requests they may extend this by up to two further months, but only if they tell you within the first month and explain why. They cannot charge a fee unless the request is manifestly unfounded or excessive, or you ask for additional copies. Understanding how to access your medical records is the first step in exercising meaningful control over your health data.
The Right to Rectification
Article 16 gives you the right to have inaccurate personal data corrected without undue delay. In the health context, this is critically important. An incorrect diagnosis, a medication listed that you have never taken, or an allergy flag that should have been removed years ago can all have serious clinical consequences. You can request correction of any factual inaccuracy, and where the record is a matter of clinical opinion rather than verifiable fact, you can request that your disagreement be noted alongside the record.
The Right to Erasure
Article 17, the so-called right to be forgotten, allows you to request deletion of your health data in certain circumstances, for example where consent was the basis for processing and you withdraw it, where the data is no longer necessary for the purpose it was collected, or where it has been unlawfully processed. However, this right has significant exceptions in the healthcare context. Statutory retention requirements, public health obligations, and the need to establish, exercise or defend legal claims can all override a deletion request. Even when deletion is refused, you may be able to have processing restricted instead, so that the data is stored but not actively used.
The Right to Restrict Processing
Article 18 gives you the right to require an organisation to stop actively using your data while continuing to store it, in four situations: you contest the accuracy of the data (for the period the controller needs to verify it); the processing is unlawful but you prefer restriction to erasure; the controller no longer needs the data but you need it to establish, exercise or defend a legal claim; or you have objected under Article 21 and the controller is still deciding whether its grounds override yours. Once restricted, the data may be processed only with your consent, for legal claims, to protect another person's rights, or for important public interest reasons, and the organisation must tell you before lifting the restriction. In a health context this is the practical remedy when a disputed entry cannot lawfully be deleted but should not be acted on until it has been checked.
The Right to Data Portability
Article 20 gives you the right to receive the personal data you have provided to an organisation in a structured, commonly used, machine-readable format, and to transmit it to another controller, or to have it transmitted directly where technically feasible. This right applies where processing is based on your consent or on a contract, and where it is carried out by automated means, so it covers data you entered into a health app or a patient portal but not, for example, a clinician's notes processed on the basis of providing care. In practice, this supports the emerging vision of decentralised health data ownership, where you hold your own health records and share them selectively with providers. Interoperability standards like HL7 FHIR are increasingly used to fulfil portability requests in digital health contexts.
The Right to Object
Article 21 gives you the right to object, on grounds relating to your particular situation, to processing carried out on the basis of a public interest task or legitimate interests, including profiling built on that processing. The organisation must then stop unless it can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or that the processing is needed to establish, exercise or defend legal claims. An objection to direct marketing is absolute and must always be honoured. Where your data is used for scientific research, the right to object still applies unless the processing is necessary for a task carried out for reasons of public interest (Article 21(6)).
The Right Not to Be Subject to Solely Automated Decisions
Article 22 gives you the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. Such decisions are permitted only where they are necessary for a contract with you, authorised by law, or based on your explicit consent; for special-category data such as health data, Article 22(4) narrows this further to explicit consent or a substantial public interest, with suitable safeguards. In healthcare this is increasingly relevant: AI systems are being used to triage patients, flag individuals for intervention, and assess insurance risk. Where a decision about your care or coverage is made by an algorithm without meaningful human review, you have the right to obtain human intervention, to express your point of view, and to contest the decision. This right is distinct from and additional to your general right to object under Article 21.
Consent Under GDPR: What It Actually Means for Health Data
Explicit Consent is the Gold Standard — But It Must Be Real
Where an organisation relies on consent to process health data, GDPR requires explicit consent, a higher standard than the ordinary consent that suffices for non-sensitive personal data. Explicit consent means a clear affirmative act, freely given, specific to the purpose, informed, and unambiguous. A pre-ticked box does not constitute consent. Consent bundled inside terms and conditions does not qualify. Consent given as a condition of receiving a service that does not genuinely require the processing is not freely given and is therefore invalid. Note that consent is not always the basis in use: a hospital treating you will usually rely on the health and social care condition in Article 9(2)(h) rather than consent, which is why it cannot simply stop treating your record as yours when you ask it to delete something, and why the consent-withdrawal rules below apply mainly to apps, research and other optional processing.
Critically, you have the right to withdraw consent at any time, and withdrawal must be as easy as giving it. If an app allowed you to consent to health data processing with a single tap, you must be able to withdraw that consent just as easily. Withdrawal does not affect the lawfulness of processing that occurred before you withdrew, but it prevents any further processing on that basis from that point forward.
Research and Secondary Use: When Your Data Can Be Used Without New Consent
One of the more complex areas of GDPR concerns the secondary use of health data for research. GDPR Article 9(2)(j) permits processing of health data for scientific research purposes without consent from each individual, provided the processing is based on EU or member-state law (in the UK, the Data Protection Act 2018, which also requires that the research be in the public interest), is proportionate to its aim, respects the essence of the right to data protection, and is carried out with the safeguards required by Article 89(1), such as pseudonymisation. Article 89(1) also requires that where the research purpose can be achieved with data that no longer identifies individuals, it must be done that way. This is how large-scale medical databases, cohort studies, and AI training datasets can legally use patient data. However, your right to object under Article 21 still applies: you can object to your data being used for research on grounds relating to your particular situation, and the organisation must stop unless the processing is necessary for a task carried out for reasons of public interest (Article 21(6)).
The rise of federated learning in healthcare represents one technical approach to reconciling research value with privacy: models are trained on data that never leaves the clinical environment, avoiding the need to aggregate sensitive records in a central repository. Understanding whether your healthcare provider uses such approaches is a legitimate question you can ask as part of your right to be informed.
How to Exercise Your Rights: A Practical Guide
Making a Subject Access Request
To make a Subject Access Request, you do not need to use any particular form or cite specific articles of GDPR. You simply need to make clear that you are requesting a copy of personal data held about you, and identify yourself sufficiently for the organisation to locate your records. Send your request in writing — email is fine — to the organisation's Data Protection Officer (DPO) if they have one, or to a general contact address if not. Keep a copy of your request and note the date you sent it: the one-month clock starts from when the organisation receives it.
The organisation can ask you to verify your identity before providing the data; this is a legitimate safeguard, not an obstruction, and the response clock does not run until reasonable identity checks are satisfied. It can also ask for clarification about what data you are seeking if your request covers a very broad range. What it cannot do is charge you a fee unless the request is manifestly unfounded or excessive, demand that you fill out a specific proprietary form as a condition of processing your request, or simply ignore you. If it fails to respond within one month, or within an extension it has properly notified you of, that is a breach you can report to the supervisory authority.
Contacting the Data Protection Officer
Article 37 requires a Data Protection Officer for every public authority and for any organisation whose core activities involve large-scale processing of special-category data, so a hospital, health insurer, large GP practice, pharmaceutical company, or health technology platform will almost always have one. The DPO's contact details must be published and communicated to the supervisory authority. The DPO is your primary point of contact for exercising GDPR rights, raising concerns about data handling, and requesting information about processing activities. Under Article 38 they are bound by secrecy or confidentiality in performing their tasks and cannot be dismissed or penalised for doing so, which makes them a more reliable escalation point than a general customer service department.
Escalating to the Supervisory Authority
If an organisation refuses your request, fails to respond, or otherwise violates your rights, you have the right under Article 77 to lodge a complaint with a data protection supervisory authority. In the UK this is the Information Commissioner's Office (ICO). Each EU member state has its own authority: the CNIL in France, the DPC in Ireland, and in Germany the federal BfDI alongside the state (Land) authorities that supervise most private companies, and so on. You can complain to the supervisory authority in the member state where you live, where you work, or where the alleged infringement took place. Supervisory authorities have significant investigatory and enforcement powers, including the ability to issue fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements; the UK GDPR equivalent is £17.5 million or 4%.
UK GDPR After Brexit: What Changed
Substantive Continuity, Diverging Enforcement
When the UK left the EU's GDPR framework at the end of the Brexit transition period, the UK GDPR came into effect. At the level of individual rights, the UK GDPR is substantively identical to EU GDPR for health data. The eight rights described above apply in full. The special category status of health data is preserved. The lawful basis requirements are the same. The key difference is in the enforcement landscape: the UK's ICO operates independently of EU supervisory authorities, and the two regimes can diverge in their interpretations over time.
One area of practical difference concerns international data transfers. In June 2021 the EU adopted an adequacy decision for the UK, allowing personal data to flow from the EU to the UK without additional safeguards. That decision carries a sunset clause requiring renewal, is subject to review, and could be withdrawn if the UK's data protection framework diverges significantly from EU standards. For UK residents, this has implications for the security of health data held by organisations that operate across the EU and UK: they must now navigate two parallel regulatory frameworks and ensure that data transferred between jurisdictions remains adequately protected.
The NHS and Your GDPR Rights
NHS bodies across the UK (trusts in England and Wales, health boards in Scotland, and HSC trusts in Northern Ireland) are data controllers subject to UK GDPR. You can make a Subject Access Request to any of them for your clinical records, and they must comply within one calendar month unless they have lawfully extended the deadline. NHS England also operates the National Data Opt-out, which allows patients in England to prevent their confidential patient information from being used for purposes beyond their individual care, such as research and planning. This opt-out is separate from your GDPR rights but complements them. You can register your preference through the NHS website or app, or by contacting the NHS opt-out service by phone or post.
Health Data Breaches: Your Rights When Things Go Wrong
The Notification Obligation
GDPR Article 33 requires a controller to notify its supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; a processor that discovers a breach must notify the controller without undue delay. Where the breach is likely to result in a high risk, Article 34 additionally requires the controller to notify you as an affected individual without undue delay, unless the data was protected in a way that renders it unintelligible (for example strong encryption) or equivalent measures have been taken. The steady run of health data breaches has made these provisions increasingly relevant: healthcare is consistently among the most breached sectors by number of records exposed.
A high-risk breach in the health context is one that could lead to discrimination, identity theft, financial loss, damage to reputation, or other significant social or economic disadvantage. Given the sensitivity of health data, most breaches involving medical records will qualify as high risk. If you believe your health data has been compromised and you have not received notification, you have every right to contact the organisation and ask whether a breach has occurred and whether you are affected.
Seeking Compensation
GDPR Article 82 gives you the right to receive compensation from any controller or processor that has infringed the regulation and caused you damage, including non-material damage such as distress; a controller or processor escapes liability only if it proves it was in no way responsible for the event giving rise to the damage. This is a direct right of action that you can pursue through the courts independently of any regulatory enforcement action. In the UK, you can bring a claim in the civil courts. Collective claims on behalf of groups of affected individuals are possible in principle, although UK courts have narrowed the scope for opt-out representative actions in data protection cases, so most UK group claims proceed with each claimant joining individually. The concern about medical identity theft following a breach is well-founded: this type of fraud can affect your insurance, your credit, and your clinical care simultaneously.
AI, Digital Health Platforms, and GDPR Compliance
The New Frontier of Health Data Processing
The rapid expansion of AI-powered health tools — from symptom checkers and diagnostic assistants to wearable analytics and personalised treatment recommendation engines — has created a new category of health data processor that did not exist when GDPR was drafted. These platforms collect data at a scale and granularity that traditional healthcare providers never approached. A continuous glucose monitor, a sleep tracker, a mental health journalling app, and a genetic analysis platform might each individually seem innocuous, but the aggregate picture they create of your physiology, psychology, and genetics is extraordinarily detailed.
GDPR applies to all of these platforms when they process the data of people in the EU or UK, regardless of whether they are regulated as medical devices. The special category protections for health data apply equally to a consumer wellness app and a hospital information system. If a platform's business model involves monetising your health data in ways you have not explicitly consented to, that is a GDPR violation you can report and challenge. And if that platform makes solely automated decisions that have legal or similarly significant effects on you, such as setting an insurance premium or denying access to a service, your Article 22 rights apply; a purely informational recommendation that you are free to ignore generally falls below that threshold, though the transparency and consent rules still do.
Data Protection Impact Assessments
GDPR Article 35 requires organisations to carry out a Data Protection Impact Assessment (DPIA) before beginning any processing that is likely to result in a high risk to the rights and freedoms of individuals, and Article 35(3) names large-scale processing of special-category data as a case that requires one. A DPIA must describe the processing, assess its necessity and proportionality, identify the risks to individuals and the measures that mitigate them, and, where residual risk remains high, the organisation must consult the supervisory authority under Article 36 before proceeding. As a patient or user, you can ask any healthcare organisation or health technology platform whether it has carried out a DPIA for the processing activity that concerns you. GDPR does not oblige it to hand you the full document, but if no DPIA exists for large-scale health data processing, the organisation is likely in breach of Article 35, a compliance failure that a supervisory authority would treat seriously.
The question of who legally owns your medical records is distinct from but closely related to your GDPR rights. GDPR does not transfer ownership of data in a legal property sense — it grants you control rights over how data about you is processed. But those control rights are extensive and practically powerful, and exercising them is the most direct way to ensure that organisations handling your health information are doing so on terms that you have actually agreed to.
GDPR did not give you the right to own your health data — it gave you something more immediately powerful: the right to control it, question it, correct it, and hold those who misuse it accountable.