You've probably seen the phrase "GDPR compliant" on websites. It appears next to cookie banners and data policies. But for health data specifically, compliance with GDPR means something more substantive — and checking whether a service actually meets it is worth understanding.

Article 9 in plain language

GDPR Article 9 establishes that certain categories of personal data are so sensitive that they cannot be processed at all unless a specific, explicit exception applies. Health data — defined as "personal data related to the physical or mental health of a natural person" — is one of those categories.

The default is prohibition. Processing can only happen if one of a limited set of conditions is met. For health services used by individuals, the most relevant condition is explicit consent under Article 9(2)(a): the person has explicitly and voluntarily consented to the processing for specific, named purposes.

What "explicit" consent actually requires

Regular consent under GDPR can be implied from behaviour. Explicit consent, required for special categories, cannot be. It must be:

- Specific: "We will process your biomarker results to generate your personal dashboard" — not "We may use your data for various health purposes" - Informed: the person must have understood what they were agreeing to before agreeing - Freely given: no bundling consent with access to a service; no pre-ticked boxes; genuine choice - Unambiguous: a clear affirmative act — not silence, not scrolling past a terms page

And crucially: consent can be withdrawn at any time, and withdrawal must be as easy as giving it.

The Data Protection Officer requirement

Under GDPR, organisations that process health data at scale are required to appoint a Data Protection Officer (DPO) — a designated person responsible for ensuring compliance, advising on data protection issues, and acting as a contact point for the supervisory authority (the national data protection regulator).

If a health service processes your biomarker or genetic data and cannot tell you who their DPO is or how to contact them, that's a compliance gap.

Data Protection Impact Assessments

When processing is likely to result in a high risk to individuals — which health data processing almost always qualifies as — organisations must carry out a Data Protection Impact Assessment (DPIA) before beginning. A DPIA documents what data is being processed, why, what risks exist, and what mitigations are in place.

It's not a public document, but you can ask whether one exists.

How to evaluate a health data service

A service that takes GDPR Article 9 seriously should be able to answer all of the following clearly:

1. What legal basis are you relying on to process my health data? 2. What specific purposes will my data be processed for? 3. Where is my data stored, and in which jurisdiction? 4. How do I exercise my right of access, right to erasure, and right to portability? 5. Who is your Data Protection Officer? 6. Have you conducted a DPIA for this service?

If any of these questions produces vague answers, pre-written reassurances, or deflection — that's informative.

At foreverbetter, we collect explicit consent for each processing activity before it begins. Our privacy policy names the specific legal bases for each use. Data is stored within the EU. Export and deletion are available from your dashboard without a support request.