Author: András Jóri
(15) ‘Data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
I. Preliminary remarks
The definition of data concerning health is used by the GDPR in the context of Art. 9, banning the processing of certain (“special”) categories of data (see the commentary on Art. 9, mn. 11). Apart from Art. 4 No. 15, the term is only used in Art. 9 of the GDPR. As discussed in the commentary to Art. 4 No. 13 and Art. 4 No. 14, certain data concerning health might also qualify as genetic or biometric data (see → Art. 4 No. 13 mn. 5, → Art. 4 No. 14 mn. 1).
II. Legislative history
Similarly to the GDPR, the DPD banned the processing of “data concerning health” in Art. 8; however, it did not define the term. According to the text of the Comm-P, data concerning health “means any information which relates to the physical or mental health of an individual, or to the provision of health services to the individual”. Remarkably, in its chapter on specific data processing situations, the Comm-P devoted a separate article to the processing of personal data concerning health. In the final text of the GDPR, the definition was changed to its present form (using “personal data”, instead of “information”, and setting out the further condition that such data shall “reveal” the “health status” of the data subject). The proposed separate article on processing of data concerning health was omitted, with its main provisions included in Art. 9.
III. Analysis
1. “Personal data related to the physical or mental health of a natural person, including the provision of health care services”
Data concerning health, as defined by the GDPR, are in all cases personal data. As such, they shall first be qualified as personal data according to the definition set out by Art. 4 No. 1 (→ mn. 8 et seq.).
In order to qualify as data concerning health, the data shall be related to the physical or mental health of a natural person. These data – according to recital 35 GDPR – include “all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, e.g., a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, e.g. from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.”
In its 2015 paper, the Art. 29 WP analysed previous jurisprudence as well as the text of the proposal, which later became the GDPR, and already included the text of present recital 35 in an almost identical form. The Art. 29 WP stated that “[t]here is a category of information which is uniformly considered as health data. This is the category of medical data, the category of data about the physical or mental health status of a data subject that are generated in a professional, medical context. This includes all data related to contacts with individuals and their diagnosis and/or treatment by (professional) providers of health services, and any related information on diseases, disabilities, medical history and clinical treatment. This also includes any data generated by devices or apps, which are used in this context, irrespective of whether the devices are considered as ‘medical devices’”. The Art. 29 WP went on and – in the context of the DPD and in light of previous interpretations by “national legislators, judges and DPAs” – gave a list of other data that shall be considered as data concerning health. These data are: “the fact that a woman has broken her leg (Lindqvist), that a person is wearing glasses or contact lenses, data about a person’s intellectual and emotional capacity (such as IQ), information about smoking and drinking habits, data on allergies disclosed to private entities (such as airlines) or to public bodies (such as schools); data on health conditions to be used in an emergency (e.g. information that a child taking part in a summer camp or similar event suffers from asthma); membership of an individual in a patient support group (e.g. cancer support group), Weight Watchers, Alcoholics Anonymous or other self-help and support groups with a health-related objective; and the mere mentioning of the fact that somebody is ill in an employment context are all data concerning the health of individual data subjects”.
[…]