
GDPR and Cybersecurity in Biotech: How to Protect Genetic & Health Data in the EU

  • Writer: Kristina Romanenko
  • 2 days ago
  • 12 min read

As biotech and healthtech companies scale across borders, they face a central challenge: how to lawfully collect, store, and use sensitive health and genetic data from European citizens.


Sekurno regularly helps companies navigate this complexity, including GDPR audits by global Big Four firms like KPMG. This gives us firsthand insight into how technical and organizational measures are assessed and what strong implementation looks like in practice.


This guide is designed for biotech and healthtech teams handling sensitive data such as genomic sequences, health records, and clinical trial outputs. It covers the essential components of GDPR alignment, including data classification, legal bases, DPIAs, data subject rights, security controls, and international transfers.


Under the General Data Protection Regulation (GDPR), these data types are treated as “special category data” under Article 9, triggering higher thresholds for consent, lawful processing, and security safeguards.



What is GDPR?

The General Data Protection Regulation (GDPR) is the European Union’s data privacy law, in effect since May 2018. It replaces the 1995 Data Protection Directive and introduces a unified legal framework for how organizations collect, process, store, and share personal data across all EU and EEA member states. [1]


The purpose of the GDPR is to protect individuals’ privacy rights while enabling the safe and lawful movement of personal data across European borders — a balance that underpins global research, digital services, and biotech innovation. [2]


The regulation defines:


  • The rights of individuals over their data

  • The legal responsibilities of data-handling organizations

  • How compliance must be documented and enforced

  • The consequences of non-compliance, including administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher [3]


For biotech and healthtech companies, GDPR sets the legal foundation for handling high-risk data types, including health records, genetic sequences, biometric identifiers, and clinical research outputs. From early-stage startups to global labs, GDPR compliance is the first critical step for entering or expanding within the European market. [4]



Who Must Comply with GDPR?

Whether you're operating from within Europe or serving European customers from abroad, the GDPR likely applies to your business, especially if you process sensitive data.


Businesses Based in the EEA

All organizations with operations in the European Economic Area (EEA) — including the 27 EU member states plus Iceland, Liechtenstein, and Norway — must fully comply with GDPR. This includes:


  • Biotech companies conducting genomic research

  • Digital health platforms offering diagnostics or coaching

  • Clinical labs and CROs processing patient or research participant data


Businesses Based Outside the EEA

GDPR also applies to non-European organizations if they:


  • Offer products or services to EU/EEA residents (even free tools like wellness quizzes or DNA reports)

  • Monitor user behavior of EU/EEA residents (e.g., via tracking pixels, cookies, or usage analytics)

  • Process data on behalf of an EU-based partner (as a service provider)

  • Employ staff based in the EU (whose personal data is protected under GDPR) [5]



What Biotech & Healthtech Must Protect Under GDPR

Biotech and healthtech companies work with some of the most sensitive and regulated data types in existence — data that, if mismanaged, can erode patient trust, trigger regulatory action, or derail product approvals.


Under the GDPR, biotech data typically falls into two key categories, each requiring tailored safeguards:


🧬 Personal Data — includes any information that can directly or indirectly identify an individual, from contact details and device IDs to participant codes or clinical metadata. In healthtech, this often extends to mobile health app users, wearables, or digital diagnostics platforms, where seemingly harmless identifiers can become sensitive when linked to health-related data. [6]


🧬 Special Categories of Personal Data — high-risk personal data that demands the strictest level of protection. It includes genetic data, biometric data used to uniquely identify a person, and data concerning health. Processing this data is prohibited unless one of the Article 9(2) conditions applies (most often explicit consent, or scientific research with appropriate safeguards), and it calls for extra security controls. Whether you’re sequencing DNA, running an AI diagnostic model, or offering period tracking and wellness insights, you're likely processing special category data. [7]


Examples of Personal Data:

  • Participant or donor names and initials

  • Emails, phone numbers, or other recruitment data

  • Users’ IP addresses

  • Researcher contact info and credentials

  • Study/sample identifiers that could be re-linked to individuals


Examples of Special Category Data:

  • Genetic information (e.g., DNA, risk scores, sequencing data)

  • Health records (e.g. diagnostics, lab test results, symptom logs)

  • Biometric identifiers (e.g., facial scans, retina patterns)

  • Ethnic or racial background (used in population studies or ancestry apps)

  • Sexual health data (e.g., fertility tracking, hormone therapy)


⚠️ Don’t assume pseudonymized data is exempt. Even if direct identifiers are removed, genetic or clinical data is often still traceable, particularly in rare disease research. Unless fully anonymized (which is difficult to achieve), it remains regulated under GDPR. Biotech firms must treat this data with the same care and controls as any identifiable personal information.



The 7 GDPR Principles Biotech & Healthtech Companies Must Follow

At the heart of the GDPR lies a set of seven guiding principles — your blueprint for building a data strategy that’s not just compliant, but trustworthy and resilient.


These principles don’t just apply to IT or legal teams — they shape how your entire organization collects, processes, and protects personal data across research, operations, and digital platforms.


  • Lawfulness, Fairness & Transparency → Process data openly and on a valid legal basis.

  • Purpose Limitation → Use data only for the reasons you’ve specified.

  • Data Minimisation → Collect only what you truly need.

  • Accuracy → Keep information correct and up to date.

  • Storage Limitation → Hold data only as long as necessary.

  • Integrity & Confidentiality → Protect data against loss, damage or unauthorized access.

  • Accountability → Document your measures and be ready to demonstrate compliance. [8]



Rights of Data Subjects: What You Must Enable

A cornerstone of GDPR compliance is empowering individuals to control their personal data, especially critical in biotech and healthcare, where health and genetic data carry exceptional privacy risks. These rights are not optional: if your organization collects or processes EU personal data, you must be able to honor and operationalize the full range of Data Subject Rights.

Data Subject Rights under GDPR

The Core Rights under GDPR

Right to Be Informed

Individuals must receive clear, accessible information about what data is collected, why, and how it will be used.

Right of Access

Individuals can request full access to their personal data — including what’s stored, processed, and shared.

Right to Rectification

Inaccurate or incomplete data must be corrected without delay.

Right to be Forgotten

Individuals can request the deletion of their personal data under certain legal conditions.

Right to Restrict Processing

Data subjects may limit how their data is used — for example, while a correction is pending.

Right to Data Portability

Personal data must be exportable in a structured, machine-readable format for reuse or transfer.

Right to Object

Individuals can refuse the use of their data for certain purposes, such as marketing or profiling.

Rights Related to Automated Decision-Making

If your biotech uses AI or algorithms for health screening or analysis, individuals have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on them (Article 22). Where such decisions are made, you must provide meaningful information about the logic involved and a route to human intervention and review.


⚠️ Scientific Research Exceptions

Under Article 89 GDPR, certain Data Subject Rights, such as the Right to Erasure, Right to Restrict Processing, Right to Object, and Right to Data Portability, may be limited when personal data is processed for scientific research purposes, provided that exercising these rights would seriously impair the research and that appropriate safeguards (e.g., pseudonymisation) are in place, as allowed by EU or Member State law. [9], [10]



Choosing the Right Legal Basis

To lawfully process personal data under the GDPR, your biotech or healthtech company must identify a valid legal basis under Article 6, and, if processing special category data (like genetic or health information), an additional condition under Article 9.

⚠️ Under GDPR, genetic data, biometric data used for unique identification, and data concerning health are classified as special category data. Their processing is prohibited by default unless one of the Article 9(2) conditions applies.

Common Legal Bases in Biotech & Healthtech

  • Consent: Often used for participant enrollment, direct-to-consumer services, genetics platforms, or fertility tracking apps. Must be freely given, informed, specific, and explicit when processing special category data like DNA or biometric scans [11]

  • Scientific Research in the Public Interest: Applies to clinical trials, population studies, and biobank research under EU or Member State law. Requires a valid Article 9 condition and appropriate safeguards, such as pseudonymisation and ethics approval.

  • Legitimate Interest: May be valid for low-risk internal processing like product analytics, platform testing, or user recruitment. You must conduct a balancing test to ensure individuals’ rights are not overridden. For special category data, an Article 9 condition (typically explicit consent or public interest) is still required.


When processing is likely to result in a high risk to individuals, such as handling genetic data at scale or using AI for health scoring, a Data Protection Impact Assessment (DPIA) must be conducted under Article 35 before processing begins. It helps confirm the legal basis, evaluate risks to individuals, and design appropriate safeguards. [12]

📌 For example, if your healthtech app uses wearables to collect continuous heart rate data and uses predictive scoring, both consent and a DPIA may be required — especially if decisions are automated or influence medical outcomes.

Controllers vs Processors: Clarifying Your Role Under GDPR

In biotech and healthtech, understanding whether you're a controller, processor, or joint controller isn’t just a legal formality — it defines your responsibilities under the General Data Protection Regulation (GDPR). Whether you're running clinical trials, managing digital diagnostics, or analyzing patient genomes in the cloud, your obligations depend on who decides the “why” and “how” of data processing.


Are You a Data Controller?

A data controller (controller) is the entity that determines the purpose and means of processing personal data — in other words, the “why” and the “how.”


This applies to most biotech sponsors, digital health platforms, research institutions, and diagnostic labs that initiate data collection or define analysis parameters.


As a controller, you are responsible for complying with all GDPR obligations, including:


  • Establishing a valid legal basis for processing

  • Enabling and fulfilling data subject rights

  • Conducting Data Protection Impact Assessments (DPIAs)

  • Ensuring data security throughout the lifecycle

  • Implementing data protection by design and by default

  • Maintaining documentation of processing activities

  • Demonstrating compliance to supervisory authorities



Are You a Data Processor?

A data processor (processor) acts on personal data only on documented instructions from the controller, without determining the purpose or essential means of processing.


Common biotech examples include CROs, cloud labs, or bioinformatics vendors analyzing data sets provided by a sponsor or trial coordinator.


Processors have specific GDPR obligations, including:


  • Processing only on documented instructions from the controller

  • Implementing appropriate technical and organizational measures

  • Assisting controllers with data subject requests and DPIAs

  • Notifying controllers without undue delay in the event of a breach

  • Keeping records of all processing activities on behalf of the controller [13]


❗A written Data Processing Agreement (DPA) meeting the requirements of Article 28 is mandatory whenever a processor is involved. It should set out the subject matter, duration, nature and purpose of processing, the parties' roles and responsibilities, security standards, sub-processor rules, and data handling and deletion protocols.



What About Joint Controllership?

Sometimes, two or more organizations jointly determine the purpose and means of data processing — this is known as Joint Controllership under Article 26 GDPR [14].


Example: A biotech sponsor partners with a university hospital on a genomic research project. Both define how the data is collected, analyzed, and published, making them joint controllers.


In such cases:


  • Both parties share responsibility for GDPR compliance

  • They must have a transparent agreement outlining roles and contact points

  • Data subjects must be clearly informed of each party’s responsibilities


For more detailed guidance, refer to the EDPB Guidelines on the concepts of controller and processor in the GDPR. [15]



Do You Need a Data Protection Officer?

Under Article 37(1) GDPR, a DPO becomes mandatory if your organization meets any of the following criteria:


  • You’re a public authority or a publicly funded research body.

  • Your core operations involve large-scale, regular, and systematic monitoring — for example, wearable-device studies or multi-year patient tracking.

  • Your core activities involve processing special category data on a large scale, such as genetic profiles, health records, clinical trial outputs, or biobank samples.


Your DPO must:


  • Operate independently, without conflicts of interest

  • Possess expert knowledge of GDPR, healthcare data protection, and research ethics

  • Report to senior management and provide ongoing advice and monitoring [16]


Appointing a DPO ensures your privacy program has expert-level oversight — from consent design and data architecture to incident response and regulatory engagement. For biotech and healthtech firms managing cross-border research or digital health solutions, this is a cornerstone of sustainable compliance and market trust.


For more detailed guidance, refer to the Guidelines on Data Protection Officers (DPOs) [17]



What Happens If There’s a Breach?

When a personal data breach could impact an individual’s rights or freedoms — such as identity theft, health discrimination, or unauthorized access to genetic data — biotech and healthtech data controllers must act fast under GDPR Articles 33 and 34. [18], [19]


  • Notify the supervisory authority: Without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. If notification is late, the reasons for the delay must be given.

  • Inform affected individuals: Only when the breach is likely to result in a high risk, such as exposure of health or genetic data, identity theft, or discrimination.

  • Maintain a breach record: Document the facts, impact, and remedial actions taken for every personal data breach, including breaches you decided not to notify.


Processors must notify controllers without undue delay. If you process data on behalf of another entity (e.g., as a CRO, lab, or platform provider), you are required to alert the controller as soon as you become aware of the breach, so they can evaluate next steps and fulfill their notification duties. The 72-hour deadline applies to the controller, so any delay on the processor’s side eats into the controller’s window.


For detailed examples — including ransomware attacks, insider mishandling, and cloud misconfigurations — refer to the EDPB Guidelines on Examples Regarding Data Breach Notification. [20]



What Cybersecurity Measures Must be Implemented under GDPR Article 32

Under Article 32 GDPR, both controllers and processors are required to implement appropriate technical and organisational measures (TOMs) to safeguard personal data — no exceptions. [21]

The GDPR doesn’t mandate specific technologies but requires “appropriate” measures based on:


  • The state of the art

  • Implementation cost

  • Nature, scope, context, and purposes of processing

  • Risks to individuals’ rights and freedoms

⚠️ Why It Matters: As of 2024, European regulators have issued €22.8 million in fines across 237 life sciences enforcement actions, targeting everything from hospital systems to biotech cloud platforms. Among these cases, cybersecurity failures emerged as the leading cause of enforcement actions, with Inadequate Technical and Organizational Measures (Art. 32) responsible for 83 fines and €16.3 million in penalties. [22]

Key Security Measures:

  • Pseudonymisation & Encryption: Encrypt data at rest and in transit; pseudonymise identifiers and isolate mapping keys.

  • Access Controls: Role‑based permissions, unique user IDs, multi‑factor authentication, and automatic session timeouts.

  • Endpoint Security: Firewalls, IDS/IPS, secure configurations, and anti‑malware on lab and office systems.

  • Integrity Controls: Version‑control policies to prevent improper alteration or destruction of data.

  • Availability & Recovery: Automated off‑site/immutable backups, disaster‑recovery plans, and redundant infrastructure for failover.

  • Audit & Monitoring Controls: Security audits, vulnerability scans, penetration tests, and SIEM alerting for rapid incident detection.


💡 While not GDPR-specific, ISO 27001:2022 is often recommended by regulators and clients as a structured framework to meet Article 32’s TOMs requirements.
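The first item in the list above (pseudonymise identifiers and isolate the mapping key) is where teams most often go wrong: hashing a participant ID with plain SHA-256 is not pseudonymisation when the identifier space is small, because anyone holding the dataset can enumerate that space and recover every ID. The block below is an added example written for this article, not code from the original page or from any vendor. It assumes six-digit participant IDs, a two-zone design (research zone and a separate re-identification vault), an HMAC key that in production would come from a KMS/HSM (simulated here with os.urandom), and an in-memory audit log standing in for a SIEM feed. The sample records are constructed.

```python
"""Pseudonymisation of participant identifiers with an isolated mapping key.

Added example for this article, not code from the original page or any vendor.
Assumptions (not from the article): six-digit participant IDs, a KMS/HSM-held
HMAC key simulated with os.urandom, a research zone separate from a
re-identification vault, and an in-memory list standing in for a SIEM feed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample data: clinical rows keyed by six-digit participant IDs.
SAMPLE_RECORDS = [
    {"participant_id": "104233", "icd10": "C50.9", "brca1": "c.68_69delAG"},
    {"participant_id": "104233", "icd10": "C50.9", "lab": "CA15-3 elevated"},
    {"participant_id": "317811", "icd10": "E11.9", "hba1c": 8.1},
]


def generate_key() -> bytes:
    """Stand-in for a KMS/HSM call; the key must never be stored beside the data."""
    return os.urandom(32)


def naive_pseudonym(participant_id: str) -> str:
    """Unkeyed SHA-256 of the ID: NOT a usable pseudonym for a small ID space."""
    return hashlib.sha256(participant_id.encode()).hexdigest()


def reverse_naive(pseudonym: str, id_digits: int = 6) -> Optional[str]:
    """Dictionary attack: a six-digit ID space is only 10**6 hashes."""
    for n in range(10 ** id_digits):
        candidate = f"{n:0{id_digits}d}"
        if naive_pseudonym(candidate) == pseudonym:
            return candidate
    return None


@dataclass
class Pseudonymiser:
    """Research-zone component. Holds the HMAC key only in memory."""
    key: bytes

    def pseudonym(self, participant_id: str) -> str:
        # Keyed hash: the same ID always yields the same pseudonym, so records
        # can still be linked for analysis, but without the key an attacker
        # cannot enumerate the ID space the way reverse_naive() does.
        return hmac.new(self.key, participant_id.encode(), hashlib.sha256).hexdigest()

    def pseudonymise(self, record: dict) -> dict:
        out = dict(record)
        out["pseudonym"] = self.pseudonym(out.pop("participant_id"))
        return out


@dataclass
class ReidentificationVault:
    """Separate trust zone (e.g. the clinical site): the only place that can
    link a pseudonym back to a person. Access is role-gated and logged."""
    mapping: Dict[str, str] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def register(self, pseudonym: str, participant_id: str) -> None:
        self.mapping[pseudonym] = participant_id

    def reidentify(self, pseudonym: str, actor: str, role: str, reason: str) -> str:
        if role != "data-custodian":
            self.audit_log.append(f"DENIED actor={actor} role={role} pseudonym={pseudonym[:8]}")
            raise PermissionError("re-identification is restricted to data custodians")
        self.audit_log.append(f"ALLOWED actor={actor} pseudonym={pseudonym[:8]} reason={reason!r}")
        return self.mapping[pseudonym]


def build_research_dataset(records: List[dict], key: bytes) -> Tuple[List[dict], ReidentificationVault]:
    """Strip direct identifiers from records; keep the link table only in the vault."""
    pseudonymiser = Pseudonymiser(key)
    vault = ReidentificationVault()
    dataset = []
    for record in records:
        pr = pseudonymiser.pseudonymise(record)
        vault.register(pr["pseudonym"], record["participant_id"])
        dataset.append(pr)
    return dataset, vault


if __name__ == "__main__":
    dataset, vault = build_research_dataset(SAMPLE_RECORDS, generate_key())
    print("unkeyed hash, recovered ID:", reverse_naive(naive_pseudonym("104233")))
    print("research dataset:", dataset)
    print("re-identified:", vault.reidentify(dataset[0]["pseudonym"], "alice", "data-custodian", "adverse event follow-up"))
```

The keyed construction is what makes the dataset "pseudonymised" in the sense of Article 4(5): the additional information needed to re-attribute a record (the key and the vault's link table) is kept separately and under its own access controls. If the key ever ships with the research copy, or if the vault is reachable from the analysis environment, the data should be treated as directly identifiable again.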



Cross‑Border Transfers: GDPR Requirements

Biotech and healthtech companies often operate across jurisdictions — running clinical trials in Europe, storing data on U.S. cloud servers, and partnering with global research institutions. Under GDPR, personal data can't be freely transferred outside the EEA unless specific safeguards are in place.


You must use one of the following legal mechanisms:


  • Adequacy Decisions: Transfers to countries the European Commission has found to provide an adequate level of protection require no additional safeguards.

  • Standard Contractual Clauses (SCCs): EU-approved legal terms embedded in contracts between data exporters and importers. SCCs commit both parties to GDPR-level privacy and security standards.

  • Binding Corporate Rules (BCRs): Internal privacy frameworks adopted by multinational groups to legally transfer personal data within the same corporate family across borders.

  • EU–U.S. Data Privacy Framework (DPF): An adequacy decision adopted by the Commission in July 2023 that covers transfers to U.S. organisations self-certified under the DPF. It remains subject to legal challenge, so transfers relying on it should have a fallback mechanism.

❗After “Schrems II,” any reliance on SCCs or BCRs must be complemented by a Transfer Impact Assessment and, where necessary, supplementary measures (e.g., encryption with keys held in the EEA, strict access controls) to mitigate the risk of foreign government access. This applies, for example, when transferring health records, genetic profiles, or biomarker data to U.S.-based services.


When transferring data to the U.S. — including to CROs, cloud vendors, or sequencing platforms — using Standard Contractual Clauses (SCCs) supported by encryption and a Transfer Impact Assessment (TIA) is currently the safest route. [23]

⚠️ Be aware that U.S. laws like the CLOUD Act may allow government access to data stored by U.S.-based providers, even when hosted in Europe. This risk must be assessed and mitigated through technical safeguards (e.g., pseudonymization, zero-access encryption) and vendor due diligence.

For more information on transfer mechanisms, refer to EDPB Guidelines on Measures that Supplement Transfer Tools [24]



Getting Started with GDPR Compliance

Whether you're launching a new biotech venture or scaling operations across Europe, GDPR compliance should be built in from the ground up. Below are the key preparatory steps to help you implement GDPR in a structured, risk-based way:


  1. Analyse Your Applicability: Confirm whether GDPR applies to your organization based on your services, data subjects, cross-border reach, and use of sensitive data.

  2. Appoint a Qualified DPO: Assess whether a Data Protection Officer is legally required — or appoint one voluntarily to strengthen privacy oversight.

  3. Inventory Personal & Sensitive Data: Identify all personal data you collect or handle, especially genetic and health data. Classify it by type, sensitivity, and where it’s stored or shared.

  4. Map Data Flows: Chart how data moves across your systems and third parties — from collection and processing to transfer and deletion.

  5. List Processing Activities: Draft a record of processing (ROPA): include data categories, legal bases, purposes, recipients, and retention periods.

  6. Identify Your Role: Determine whether you act as a controller, processor, or joint controller for each activity — this defines your obligations.

  7. Review Vendor Contracts: Collect all agreements involving personal data. Ensure they include GDPR-required clauses and valid Data Processing Agreements (DPAs).



Real-World GDPR Compliance in Action

To see how GDPR compliance works in practice, explore our in-depth case studies with RAKwireless and MGID. These engagements highlight how Sekurno helped companies navigate complex data protection requirements, delivering clear audit trails, remediation plans, and risk-based security controls aligned with GDPR expectations.


Need help navigating GDPR?

If your company handles sensitive health or genomic data, even small missteps can carry major risks.



About The Author & Sekurno

Kristina Romanenko is an Information Security Account Manager at Sekurno and a certified ISO/IEC 27001 Implementer (PECB). With over 6 years of experience in IT and cybersecurity, Kristina helps organizations confidently navigate regulatory frameworks such as GDPR, CCPA, HIPAA, and ISO 27001. She supports clients in meeting compliance requirements, reducing risk exposure, and building long-term trust with customers and partners.


Sekurno is a globally recognised cybersecurity firm specializing in Penetration Testing, Application Security, and Cybersecurity Compliance. Our expert team can help you build a cybersecurity program that’s audit-ready from day one.



References

  1. https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng

  2. https://gdpr-info.eu/art-1-gdpr/

  3. https://gdpr-info.eu/art-83-gdpr/

  4. https://www.deloitte.com/uk/en/services/consulting/research/biotech-european-expansion.html

  5. https://gdpr-info.eu/art-3-gdpr/

  6. https://gdpr-info.eu/issues/personal-data/

  7. https://gdpr-info.eu/art-9-gdpr/

  8. https://gdpr-info.eu/chapter-2/

  9. https://gdpr-info.eu/art-89-gdpr/

  10. https://www.edpb.europa.eu/our-work-tools/our-documents/other-guidance/edpb-document-response-request-european-commission_en

  11. https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en

  12. https://ec.europa.eu/newsroom/article29/items/611236/en

  13. https://gdpr-info.eu/chapter-4/

  14. https://gdpr-info.eu/art-26-gdpr/

  15. https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en

  16. https://gdpr-info.eu/art-37-gdpr/

  17. https://ec.europa.eu/newsroom/article29/items/612048/en

  18. https://gdpr-info.eu/art-33-gdpr/

  19. https://gdpr-info.eu/art-34-gdpr/

  20. https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012021-examples-regarding-personal-data-breach_en

  21. https://gdpr-info.eu/art-32-gdpr/

  22. https://cms.law/en/deu/publication/gdpr-enforcement-tracker-report/life-science-healthcare

  23. https://gdpr-info.eu/chapter-5/

  24. https://www.edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en






