
GDPR and Health Data: What Every Hospital CIO Needs to Know in 2026

The GDPR and health data: what hospitals need to know

The essentials in 30 seconds

Question | Short answer | What to remember
What is health data under GDPR? | Any data revealing a person's physical or mental health status | Broad definition (Art. 4(15)): an "allergy" field or a glucose reading is enough to qualify
Is processing health data allowed? | Prohibited by default, with exceptions | Article 9(1) sets a ban, lifted only by the ten exceptions of Article 9(2) (consent, care, research, ...)
Are GDPR and HDS the same thing? | No, two complementary frameworks | GDPR governs processing, HDS certification governs hosting. Both are mandatory
Is a dual legal basis required? | Yes | You must combine an Article 6 basis AND an Article 9(2) exception (the "double lock")
What are the risks of non-compliance? | Heavy sanctions | France's CNIL penalises missing impact assessments and excessive data collection
What changes in 2026? | HDS v2 and EHDS | Mandatory HDS v2 migration by 16 May 2026, phased arrival of the European Health Data Space
How does Galeon address this? | Data stays local, never moves | Data remains in the hospital; only algorithms travel via Blockchain Swarm Learning®

Introduction

A hospital that digitises its patient records handles, every single day, the most sensitive category of data under European law. Diagnoses, lab results, prescriptions, medical history: each falls under an exceptional legal regime. A single framing error exposes the institution to a regulatory fine and, more seriously, to a breach of patient trust.

The difficulty is that compliance does not stop at GDPR. In 2026, a hospital CIO must simultaneously align GDPR, HDS certification, the NIS2 directive and the arrival of the European Health Data Space. These frameworks overlap without fully matching, and final liability rests with the institution, not its vendors.

Galeon was built on exactly this observation. Deployed across 19 partner hospitals, including two university hospitals, with more than 3 million patient records and several thousand caregivers, the platform rests on one principle: data never leaves the hospital's servers. This is what reconciles AI exploitation with medical confidentiality.

This article clarifies what health data legally is, how to process it lawfully, and what it concretely means for an institution and for a HealthTech investor.

What is health data under GDPR?

Health data is any personal data relating to a person's physical or mental health, including the provision of care, that reveals information about their health status. Article 4(15) of the GDPR sets this definition in deliberately broad terms.

In practice, the perimeter extends well beyond the medical record in the strict sense. A CRM containing a "food allergies" field processes health data, and an app recording steps for an internal sports challenge does too. For a hospital, this means a multitude of seemingly innocuous fields fall under the reinforced regime.

Why has the perimeter widened in 2026?

Because digital tools now generate data that allows a health status to be inferred. With the spread of intelligent EHRs and medical AI, behavioural data, consultation metadata and software usage traces can constitute health data in their own right.

Health data is therefore no longer only what the physician writes. It is also what the system infers. A CIO must map these derived data, often invisible in conventional audits.

Is processing health data permitted under GDPR?

Processing health data is prohibited by default, and this prohibition can only be lifted by one of the exceptions listed in the law. The ban is set out in Article 9(1) of the GDPR, the exceptions in Article 9(2), and the French Data Protection Act (Loi Informatique et Libertés) restates the regime in its Article 6.

Article 9 of the GDPR is among the most protective provisions of the regulation. Health data forms a particularly broad category, and it is the context in which the data is processed that determines its classification.

What is the "double lock" system?

The double lock requires combining two distinct legal grounds to lawfully process health data. The Article 9.2 exceptions are cumulative with an Article 6 legal basis: you do not choose between the two, you need both.

In practice, a hospital processing a patient record must identify:

  • A legal basis under Article 6 (public interest task, performance of a care contract, etc.).
  • An exception under Article 9(2), most often point (h): processing necessary for medical diagnosis, the provision of health care or the management of health services. One check is easy to miss: Article 9(3) only allows this exception when the data is processed by, or under the responsibility of, a professional bound by an obligation of professional secrecy. A vendor's staff or an analytics team without such an obligation cannot rely on it on their own.

What reinforced obligations apply?

Any large-scale processing of health data triggers additional obligations. A data protection impact assessment (DPIA) is mandatory under Article 35(3)(b) for large-scale processing of special categories of data, and a data protection officer (DPO) must be appointed under Article 37(1) both by public authorities (which covers public hospitals) and by any organisation whose core activities consist of large-scale processing of special categories. For a hospital, the DPIA and DPO are therefore not optional.

GDPR or HDS: what is the difference for a hospital?

GDPR governs data processing, HDS certification governs data hosting: they are complementary frameworks, never alternatives. The French legislator considered that health data warranted additional, more prescriptive technical rules on hosting, layered on top of the GDPR's general obligations.

The most common mistake is assuming an HDS-certified vendor is automatically GDPR-compliant. It is not, and the reverse is equally true. Both must be verified separately.

What HDS certification covers

HDS certification is a French legal obligation. Article L. 1111-8 of the French Public Health Code requires that any hosting of personal health data on behalf of a third party be carried out by a certified host. It builds on an international standard: since May 2024, the HDS framework has been aligned with the ISO 27001:2022 standard.

The certification-scope trap

An HDS certification can be partial. The framework splits hosting into six activities (1: provision and maintenance of physical sites, 2: hardware infrastructure, 3: virtual infrastructure, 4: application hosting platform, 5: administration and operation of the information system, 6: outsourced backup), and a host is certified per activity. A host certified on activities 1 and 2 only has a certified data centre and hardware, but not the platform or operation layers where your EHR actually sits. Before signing, a CIO must demand the detailed certificate specifying the exact scope of covered activities and match it against every layer the vendor will actually operate.

Comparison table: traditional approach vs Galeon approach

Compliance criterion | Traditional EHR / centralised hosting | Galeon approach (Blockchain Swarm Learning®)
Data location | Data copied to a third-party platform or external cloud | Data stays physically on the hospital's servers
Institutional sovereignty | Partial: the hospital loses control once data is transferred | Full: the hospital remains owner and validator of its data
AI exploitation | Requires centralising data, increasing the risk surface | The algorithm travels to the data, the data does not move
Access traceability | Varies by vendor and its managed services | Every action is traced on the inter-hospital blockchain
Medical confidentiality | Depends on the host's contractual guarantees | Guaranteed by design, patient data is never exposed
Sharing of created value | Captured by the centralising platform | Distributed: 40% to the hospitals producing the data
Risk of non-EU transfer | Real with a host subject to the US CLOUD Act | Removed, data never leaves the institution
Regulatory adaptability (EHDS, NIS2) | Heavy migration at each change | Architecture designed for decentralisation from the start

Data never leaves the hospital's servers. This is the founding principle of Galeon's Blockchain Swarm Learning®, and it is also what turns a regulatory constraint into a structural advantage.

The benefit for the hospital CIO

For a CIO, the challenge is not merely ticking compliance boxes. It is reducing the risk surface while opening access to medical AI. An architecture where data does not leave meets both goals at once.

It also simplifies regulatory mapping: fewer transfers means fewer control points, fewer subcontracting clauses to audit, and native reversibility. The CIO keeps control of the infrastructure that actually hosts the records.

The value for the HealthTech investor

For an investor, regulatory compliance has become a selection criterion on par with technology. In 2026, with the acceleration of medical AI projects and the AI Act (in force since August 2024, with its high-risk obligations applying in stages from 2026), it weighs as heavily as features in an investment decision.

A platform whose architecture respects medical confidentiality by design reduces the portfolio's legal risk. It also structures a rare asset: a widely quoted estimate puts the doubling time of medical knowledge and data at 73 days. Structured, lawfully exploitable health data is the underlying asset of HealthTech value.

Limits and challenges to be aware of

Transparency about limits is part of the rigour expected of an institution. Here are the main real-world challenges.

  • The adoption curve for decentralised approaches remains gradual. Architectures based on Blockchain Swarm Learning® represent a significant paradigm shift, with a real learning curve for CIO teams and the need to revise internal data governance processes.
  • Frameworks evolve faster than certifications. The NIS2 directive, whose transposition deadline for Member States was 17 October 2024, imposes new cybersecurity requirements on healthcare institutions classified as essential or important entities, independently of their HDS status. Any architecture must anticipate these shifts.
  • The HDS v2 deadline creates schedule pressure. Hosts certified under the older v1.1 framework have until 16 May 2026 to comply with the v2.0 framework, which notably includes data sovereignty requirements.
  • The hosting market remains concentrated. The French market of HDS-certified hosts creates dependency risks for institutions, particularly in medical imaging and complex EHR segments.
  • The double lock is technically demanding. Correctly identifying a legal basis and an exception requires legal expertise that not every CIO team holds internally, hence the importance of a competent DPO.

These limits do not vanish with a decentralised architecture. They are better managed, because the data stays under the institution's direct control.

FAQ

Is a patient's email address health data?
Not on its own. It becomes health data when associated with a medical context that reveals a health status, for example a file of patients followed for a specific condition. The context qualifies the data.

Is patient consent enough to process their health data?
Explicit consent is one of the Article 9 exceptions, but it does not remove the need for an Article 6 legal basis. The legal basis and the derogation are two distinct requirements, both of which must be justified.

Does a hospital hosting its own records need HDS certification?
No. HDS certification applies to hosting on behalf of a third party. A practice or institution hosting its own records on its internal servers is not subject to it. As soon as an external provider is involved, the obligation applies.

What does the European Health Data Space (EHDS) change?
The EHDS regulation (Regulation (EU) 2025/327) entered into force in March 2025 and its obligations apply in stages over the following years. It aims to harmonise health data sharing across Europe, for both primary use (care) and secondary use (research and policy), and it reinforces the value of interoperable, sovereign architectures that can expose data without relocating it.

Is a DPIA mandatory for an EHR?
Yes in almost all cases. Article 35.3.b of the GDPR requires a mandatory impact assessment for large-scale processing of special categories of data. A hospital EHR falls into this category.

Where does data stay with Galeon?
Data stays on the hospitals' servers and is not placed on the blockchain. Only the AI algorithms move to be trained in a decentralised way.

In summary

Health data is any information revealing a person's health status, and its processing is prohibited by default unless a strictly framed Article 9 exception applies. Processing it lawfully requires a double lock: a legal basis and an exception, completed by a DPIA and, in most cases, a DPO. GDPR governs processing, HDS certification governs hosting, and both are mandatory without ever substituting for one another. In 2026, the HDS v2 migration and the arrival of the EHDS make data sovereignty decisive. Galeon answers this regulatory stack with a single principle: data never leaves the hospital, only algorithms travel, turning the compliance constraint into a structural advantage for institutions and investors alike.

