General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a European regulation that aims to protect the rights of natural persons with regard to the processing of their personal data. It covers the processing of personal data of people in the European Union, even when the data is stored or processed elsewhere (Art. 3(1) GDPR). The GDPR sets out several principles for data processing. Most importantly, the processing of personal data should be lawful, fair and transparent; the purpose for collecting data should be legitimate, specific and explicit; the data collected should be kept to the minimum necessary; and the data should be accurate (Chapter 2, Article 5).

Although the right to data protection is considered a fundamental right, it is not absolute. This means that the rights of the person whose data is being processed (the data subject) can be balanced against other rights, including the rights of the party that stores or uses the data.

For mHealth, Article 9 of the GDPR is particularly relevant: this article establishes that the processing of health-related data, as one of several special categories of personal data, is in principle prohibited unless certain conditions apply. Health data are defined rather broadly in Recital 35 of the GDPR: “Personal health data should include any data relating to the health status of a data subject which reveals information about the past, present and future physical or mental health status of the data subject.” The processing of such data is permissible only if the individual has consented to such processing “for one or more specified purposes” (Chapter 2, Article 9(2)).