Mobile Health Apps and GDPR. Tips for developers

The digitalisation of everyday life directly influences our habits, diet, and diseases. With the help of new mobile apps, everyone can track the number of calories consumed, create personalised nutrition plans, discover the ingredients and vitamins of their favourite food, measure their heart rate and blood pressure, monitor fitness achievements, health condition, and other aspects of life, and make all of this much more convenient. At the same time, these apps collect an enormous amount of sensitive personal data.

What is a mobile health app

A mobile health app, or mHealth app/application, may be defined as an app collecting any personal data related to the physical or mental health of an individual, including the provision of health care services, which reveals information about his or her health status, including any recommendations concerning a healthy diet and lifestyle. mHealth covers technologies that measure vital signs such as heart rate, blood glucose level, blood pressure, body temperature, and brain activity, as well as physiological, lifestyle, daily activity, and environmental data.

For example, if you want to lose some weight, the app needs to take into account your current health status, including height, weight, possibly some chronic diseases, the amount of physical activity, and diet habits. Based on these data the app can advise a healthy diet and physical training, or even a visit to the doctor.

However, if the app is designed just to help you count steps as a way of measuring your sports activity during a single walk, without evaluating your physical fitness or health condition and without combining the data with other data, the app does not process data concerning health; therefore it may not be regarded as an mHealth app and does not require special treatment.

How mobile health apps are governed

The mHealth programme was initiated by the European Commission in 2014 as a subdivision of the eHealth programme. It was created to help detect the development of chronic conditions at an early stage through self-assessment tools, to improve people’s quality of life, and even to extend life expectancy.

Despite the enormous number of mHealth apps already in operation or under development, there is no direct and specific legislation governing this particular issue.

The European Commission promoted the creation of a working group on mHealth that developed the Green Paper on mobile health, the Privacy Code of Conduct for mHealth apps, the Commission Staff Working Document on the existing EU legal framework applicable to lifestyle and wellbeing apps, and the mHealth assessment guidelines. All of these documents are non-binding; they merely establish general principles and rules aimed at helping developers of mHealth apps create the safest and most convenient apps for users. The only legally binding document governing mHealth apps is the EU General Data Protection Regulation (hereinafter referred to as the “GDPR”). The GDPR defines the conditions for using medical data, classifying it as “sensitive” data that receives special treatment and protection.

What to remember while developing a health app

Developers creating a health app must consider a variety of factors to avoid fraud, misleading information, or a data breach. The following 5 issues must always be taken into account; otherwise the developers or owners of the app may face serious legal consequences.

Assess whether the app is not a medical device

The first question to be answered prior to development is whether the app has a medical purpose. An mHealth app must not have a medical purpose; otherwise it will be considered a medical device.

It is crucial to establish the difference between a medical device and an mHealth app, because a number of technical requirements apply to the former which significantly influence the cost of the device, the time needed for its development, its registration, and general oversight by the respective national authorities.

The following definition of a medical device (including software) is given in the Medical Devices Directives and provides an exhaustive list of its features.

“It is intended by the manufacturer to be used for human beings for:

  • diagnosis, prevention, monitoring, treatment or alleviation of disease;
  • diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap,
  • investigation, replacement or modification of the anatomy or of a physiological process, or
  • control of conception; and
  • does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, even if it is assisted in its function by such means,
  • includes devices intended to administer a medicinal product or which incorporate as an integral part a substance which, if used separately, would be a medicinal product and which is liable to act upon the body with action ancillary to that of the device.”

For example, if the software is linked to a specific medicine (as an accessory), provides a diagnosis or future risks of disease, or is intended to influence the actual treatment, such as the dose of a medicine or the necessary duration of treatment, the software shall be deemed a medical device.

If the software merely reproduces a paper document in digital format, follows the path of treatment without making any decisions, provides general information, or offers lifestyle choices or referral advice such as consulting a therapist, the software shall not be deemed a medical device.

The difference is not always obvious, but the aforementioned criteria always apply and provide a general route for developers.

Ensure the rights of the data subject

Once you have assessed your app and established that it is not a medical device, you may continue with its development. Before or as soon as users install your app, you must obtain their free, specific, and informed consent in order to process their data for the purposes you have described. You should explain in detail which data you collect and the purposes of such collection, together with the rights of the users. You have to ensure the right to access any personal data relating to the users that you have stored, the right to obtain corrections of their data if it is incorrect, the right to object to any further processing, and the right to be forgotten, meaning the erasure of all data relating to the user. Moreover, you should familiarise yourself with the applicable laws governing such sensitive data, namely the GDPR and the respective legislation of the EU Member States.


Be careful with the advertisements

In general, you may use advertisements in an mHealth app, taking into account the following points:

  • The use of advertisements must be clearly authorised by the user before the app is installed.
  • If the app uses contextual advertisements, which are shown to the app user without sharing any personal data with any third party (such as an ad network) and without any processing of the user’s data concerning health, then the user must be given the option to opt out of the contextual advertising before any data processing takes place.
  • If the advertisements are provided by third parties, or health data is processed to target the advertisements, you should obtain prior opt-in consent in an explicit and separate way before installation.

Moreover, you should consider the national laws governing online marketing and the EU Directive 2000/31/EC on electronic commerce, in order to fully comply with the requirements of a particular state where needed.

How to use health data as “Big data”

Given that health data is subject to special treatment and a number of limitations, its transformation into Big data requires some effort.

First of all, you need to establish the purposes for which the Big data is needed. As mentioned, you should obtain consent prior to processing. If you process data for scientific or historical research or statistical purposes, you do not have to obtain new consent from the user. However, you should use appropriate technical measures (e.g. pseudonymisation, anonymisation) when processing health data for such purposes.

Secondly, if Big data collection is needed for purposes other than the original or aforementioned ones, such as marketing or communicating the data to insurance companies, then new prior consent should be obtained.

Moreover, domestic legislation may impose additional limitations; thus it is necessary to consult the national law of the particular Member State.


Restrictions for children’s use

If your app is designed for, or may be of interest to, children, namely minors under 16, you should always obtain parental consent; otherwise you may face a substantial fine under the GDPR. However, in some EU states the minimum age is 13 or 14, so it is reasonable to check the domestic law of the particular state. Furthermore, even if you provide a function for obtaining consent from parents, you should include in the app as many warnings as possible to prevent children from sharing any personal data of their relatives and/or friends.


In summary, the sphere of mHealth apps is developing rapidly, and the number of lifestyle and wellbeing apps on the EU market has exceeded 100 000. Despite such high numbers, demand for them is not falling, as people always want to improve and extend their lives. Therefore, this field is likely to be modified drastically in legal terms in the near future, so it is better to be prepared: to comply with the GDPR and the respective national laws, as well as to consider the supporting guidelines and procedures.