GDPR and Personalized Nutrition Apps

Logging food in a nutrition app is part of the dieting routine for many people. It is convenient, it counts our calorie intake and it prompts us to form healthy eating habits. It also collects some data about us.

How does GDPR apply to a personalized nutrition app?

Basically, GDPR applies to a personalized nutrition app much as it applies to any other app, whatever its purpose. They all must meet the basic requirements: the principles under Article 5 (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability), the Privacy by Design and by Default principles, and others.

Is there, nevertheless, anything that makes personal nutrition apps different?

Well, there is. These apps collect a large amount of a special kind of information about their users: nutrition information. Mainly, this is data about the food eaten as main courses, drinks, snacks, cheat meals and so on. A person enters the kind of food he or she has had and its amount, and the app counts the calories in it. Some of the apps even have API connections with other health apps, such as movement-tracking apps, to compare the calories taken in with those burned during exercise.

Sounds nice, doesn't it?

However, the main question that arises now is:

Should the nutrition data be treated as sensitive data under GDPR?

Generally, it should not. However, we should take a closer and more detailed look at it.

Let's review what data GDPR does consider sensitive. These are:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data for the purpose of uniquely identifying a natural person;
  • data concerning health;
  • data concerning a natural person’s sex life or sexual orientation.

At first sight this might be confusing: why shouldn't we categorize nutrition data as data concerning health? The two categories look very closely related.

There is no doubt that nutrition is a major factor in staying healthy. Still, under GDPR health data is to be understood as a narrower category, which leaves nutrition well outside it:

“Data concerning health is personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.

In general, the food that we eat does not say anything about our bodies, and neither does our calorie count. These data on their own cannot be related to the physical or mental health of a natural person.

So… is the data in a nutrition app never sensitive?

Some categories of data a nutrition app may process will belong to the category of data concerning health. These are:

  • data concerning height, weight, a person's level of physical activity and so on, so that the app processes a whole “physical portrait” of the data subject;
  • data concerning a person's allergies;
  • data concerning a person's medication or drug intake, including biologically active supplements and vitamins, regardless of whether they were prescribed by a doctor or not;
  • data concerning any special diet followed because of a person's health, etc.

Such data, if processed by a nutrition app, has to be treated as sensitive in all cases, which means that processing it is prohibited unless one of the exceptions under Article 9 applies. The most applicable of these exceptions for an app is the data subject's explicit consent to the processing of those personal data for one or more specified purposes.

Anything else to pay attention to?

While doing the research for this article, we found some applications that claim they give their users advice on health and dieting based on the user's information. Note that such processing can be considered profiling, namely:

“automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her”.

To sum things up

Generally, we can divide personalized nutrition apps into 3 groups:

  1. those that process regular personal data, such as names, e-mails, birth dates and the like;
  2. those that process data concerning health and must treat it as sensitive data under GDPR;
  3. those that use automated processing of personal data to analyze and predict aspects of the data subject's health.