Cross-border health data

Third countries
If Anna were to seek medical attention outside the EU, for example if she would have found a specialist in the United States of America instead of Germany and her medical file would have been sent by her gynaecologist to his colleague in the USA, the provisions of Chapter V of the GDPR would apply. The aim of the GDPR is to offer a similar level of protection for EU citizens regardless of whether the data is being processed inside or outside the EU. It therefore applies to processing of data subjects who are in the EU by a controller or processor not established in the EU. This means that parties established outside the EU who offer goods or services to data subjects in the EU also need to comply with the GDPR (Article 3 (2, a)).Outside medical context
This is however not the only way in which data can be transferred abroad. Health data can also be transferred abroad outside the medical context. For example in a research context, which will be discussed later this week, but also by using modern technologies. Technology transformed both the economy and social life. People increasingly make personal information available publicly and globally by using apps and online services. Due to the very nature of modern technologies, data is not necessarily bound by country or EU borders. Data can be located, stored and processed anywhere in the world by parties who offer goods and services to data subjects in the EU, such as app companies, online services and social media. Also in this regard, the GDPR aims to ensure a high level of the protection.This means that, regardless of the context in which health data is being processed, the GDPR applies to the processing of data subjects who are in the EU. The GDPR determines that transfer of data which are being processed or which are intended to be processed after transfer to a third country (meaning, outside the EU) can only take place if the conditions mentioned in Chapter V are complied with by the controller or processor (Article 44). In order to ensure a similar level of protection, transfer to third countries can take place in several ways:- Based on an adequacy decision by the European Commission who decides whether a third country ensures an adequate level of protection (Article 45);
- If there is no adequacy decision, based on the condition that appropriate safeguards are provided and enforceable data subject rights and effective legal remedies are available (Article 46);
- If there is no adequacy decision and there are no safeguards put in place, based on one of the conditions mentioned in Article 49, including explicit consent to the proposed transfer by the data subject.
Protecting Health Data in the Modern Age: Getting to Grips with the GDPR

Our purpose is to transform access to education.
We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.
We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.
Learn more about how FutureLearn is transforming access to education