GDPR and Health Data: A Strict Framework
Health data is classified as "sensitive data" by GDPR (Article 9). Its processing is subject to particularly strict rules. As a doctor, your website potentially collects health data, and you are responsible for its protection.
GDPR Obligations for a Medical Website
1. Mandatory Legal Notices
Your site must display:
Publisher identity (you or your company)
Contact details
Website host
Medical registration number
2. Privacy Policy
Detailed document explaining:
What data is collected
Why it's collected (purposes)
How long it's retained
Patient rights (access, rectification, deletion)
Data recipients
3. Contact Forms
Each form must include:
An explicit consent checkbox (not pre-checked)
A link to the privacy policy
Statement of processing purpose
Data collected (minimum necessary)
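How a server-side handler can enforce these form requirements, as an added example that is not Elysium MedTech's code: it only accepts an actively ticked consent checkbox, discards any field beyond the minimum set, and stores a consent record (policy version, purpose, timestamp) alongside the data. The field names, policy version string and purpose text are assumptions.

```javascript
// Added example (not the agency's code): server-side handling of a medical
// site's contact form. Assumes a Node.js handler receives the parsed form
// body as a plain object; the policy version is whatever the site publishes.
const PRIVACY_POLICY_VERSION = "2024-01"; // assumed identifier of the published policy
const PURPOSE = "Responding to appointment and contact requests"; // stated purpose

// Data minimisation: only these fields are ever kept. Anything else the
// browser sends (extra inputs, injected keys) is discarded, never stored.
const ALLOWED_FIELDS = ["name", "email", "message"];

function validateContactSubmission(body, now = new Date()) {
  const errors = [];

  // Explicit consent: the checkbox must have been actively ticked. A missing
  // value, a pre-filled string or anything else is NOT consent; only the
  // value an HTML checkbox submits when ticked ("on") or boolean true counts.
  const consentGiven = body.consent === "on" || body.consent === true;
  if (!consentGiven) errors.push("consent: explicit consent checkbox not ticked");

  // Keep the minimum necessary data, dropping unknown fields silently.
  const data = {};
  for (const key of ALLOWED_FIELDS) {
    if (typeof body[key] === "string" && body[key].trim() !== "") {
      data[key] = body[key].trim();
    }
  }
  if (!data.email) errors.push("email: required to answer the request");
  if (!data.message) errors.push("message: required");

  if (errors.length > 0) return { ok: false, errors, record: null };

  // Consent record kept with the data: what was agreed to, for what, and when.
  const record = {
    ...data,
    consent: {
      given: true,
      policyVersion: PRIVACY_POLICY_VERSION,
      purpose: PURPOSE,
      at: now.toISOString(),
    },
  };
  return { ok: true, errors: [], record };
}
```

Rejecting anything other than the checkbox's own "on" value is what prevents a pre-checked or hidden input from being counted as consent.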
4. Cookies and Trackers
Strictly necessary cookies: no consent required
Analytics cookies (Google Analytics): consent mandatory
Advertising cookies: consent mandatory
Compliant cookie banner with refusal as easy as acceptance
5. HDS Hosting
If your site collects or processes health data (even indirectly through a form mentioning pathologies), hosting must be HDS certified (Health Data Hosting).
Common Mistakes
Google Analytics without consent: possible fine up to 4% of revenue
Form without consent: illegal data collection
No privacy policy: serious breach
Non-HDS hosting: legal risk if health data present
No SSL/HTTPS: data transmitted in plain text
Penalties
Supervisory authorities can impose:
Warning for first offenses
Formal notice with correction deadline
Fine up to €20 million or 4% of annual revenue
Suspension of data processing
Our Compliance Commitment
At Elysium MedTech, GDPR compliance is built into all our sites:
Customized privacy policy
Compliant forms with explicit consent
Technical cookies only (no trackers)
Secure HDS-compatible hosting
SSL certificate included