TLDR:
A special category of sensitive personal data relating to physical or mental health, subject to heightened protection under GDPR and health privacy laws globally.
What is Health Data?
Health data encompasses medical conditions, treatments, prescriptions, disabilities, biometric health data, and health services received. Under GDPR Article 9 its processing is prohibited by default and is permitted only with explicit consent or another specific legal basis listed there (such as vital interests, public health, or healthcare provision by a regulated professional).
Regulatory Framework
Beyond GDPR, health data is regulated by HIPAA in the United States, the PIPEDA/PHIPA framework in Canada, and a patchwork of national health information laws elsewhere. In Türkiye, KVKK treats health data as “special category” data with similar restrictions. Startups operating in digital health, telemedicine, or wellness must map their data flows carefully — including device telemetry, app analytics, and AI training data — because health-related inferences (e.g., menstrual tracking, mental wellbeing apps) frequently trigger the same heightened obligations as clinical records.
Practical Compliance Considerations
Practical safeguards include data minimization (collect only what is clinically necessary), encryption at rest and in transit, role-based access control, formal data processor agreements with cloud providers, breach response plans with regulator-notification timelines (72 hours under GDPR), and a documented lawful basis for each processing purpose.
Health data, the strictest tier
Health data sits in KVKK’s special-category regime with a narrow lawful-basis menu: explicit consent, or processing by persons under a duty of confidentiality for defined health purposes. That structure makes most non-clinical business models consent-dependent. Layered on top are the Health Ministry’s regulations on personal health records, the registration and standards regime for health-tech that connects to public systems (the e-Nabız ecosystem), and medical-device qualification questions whenever software diagnoses or treats. Cross-border transfer rules apply with full force, which shapes cloud architecture for health startups. The diligence shorthand for the sector: show the lawful-basis map per data flow, the explicit-consent UX, and the device-classification memo. Those three files decide health-tech rounds.