To date, several studies have investigated the interaction between data protection law and healthcare. According to the article 4 of the General Data Protection Regulation (GDPR), “data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about his or her health status. Because of its sensitive nature, health data requires an elevated level of protection.


Nowadays public authorities and private companies are using health record systems and e-health mobile applications to process data subject’s health-related information. In the European Union, according to the GDPR, these data must be protected from unauthorized access to safeguard the privacy and the security of the individuals.


The article 25 of the GDPR states that, both at the time of the determination of the means for processing and at the time of the processing itself, the controller shall implement appropriate technical and organizational measures which are designed to implement data protection principles effectively and to integrate the necessary safeguards into the processing. The goals are to meet the requirements of the law and to protect the rights of data subjects. The measures are defined by the data controller considering the state of the art, the cost of implementation and the nature, scope, context and purposes of the data processing as well as the risks for rights and freedoms posed by the processing. This principle on “data protection by design” is defined in a broad term. What healthcare organizations should know about the GDPR and how could they implement a privacy by design approach is not clear.


Researchers at the University of Luxembourg, in collaboration with CIRSFID of the University of Bologna, are attempting to evaluate the impact of this Regulation to the healthcare sector and to explore the implementation of the principle of privacy by design in the healthcare context. Most studies in this field have only focused on legal or technical concerns. However, the methodological approach taken in the research is a mixed methodology based on legal analysis, legal comparison and interdisciplinary perspective.

Main contributor(s): Giorgia Bincoletto