CCNet
Jun 23, 2025 • 3 min read
Medical Device or Lifestyle Gadget?: The Regulatory Gray Area of Wearables
The General Data Protection Regulation (GDPR) sets high standards for the processing of personal data—especially in the healthcare sector. Medical wearables collect and store sensitive information about their users' health, which is why they are subject to particularly strict data protection guidelines. But how compliant are wearables actually with the GDPR, and what measures must manufacturers and users take to meet the legal requirements?
1. Why does the GDPR affect medical wearables?
Medical wearables collect a variety of sensitive data, including:
- Vital signs such as heart rate and blood pressure
- Sleep and movement profiles
- Disease progression and health status
- Location and activity data
According to the GDPR, health data is considered particularly sensitive, meaning that it may only be processed under strict conditions. Companies that develop or use wearables must therefore take special measures to ensure that data processing is GDPR-compliant.
2. What are the data protection issues with wearables?
a) Lack of user consent
Many wearables collect data automatically, often without the explicit and informed consent of users. According to the GDPR, consent must be voluntary, specific, informed, and unambiguous.
b) Non-transparent data processing
It is often unclear exactly what data is collected, stored, and shared with third parties. Vague privacy policies and hard-to-understand terms of use leave users unable to make informed decisions.
c) Storage and transmission of data
Some wearables store health data in unencrypted form or transmit it to servers outside the EU, which may violate GDPR requirements.
d) Inadequate deletion policies
The GDPR requires that personal data be deleted as soon as it is no longer needed. However, many providers do not have clear policies for data deletion or do not give users the option to completely remove their data.
3. Measures for GDPR compliance
In order to meet the requirements of the GDPR, manufacturers and users must take a number of essential measures:
- Obtain explicit and informed consent: Users must be informed in a clear and understandable manner about what data is collected and processed.
- Practice data minimization: Only data necessary for the intended purpose should be collected and stored.
- Secure storage and encryption: Health data must be encrypted during storage and transmission.
- Enable data access and deletion: Users should have access to their stored data at any time and be given the option to delete it.
- Provide transparent privacy policies: Companies should formulate their privacy policies in understandable language and disclose how the data is handled.
Conclusion: Strict requirements demand careful implementation
The GDPR sets high standards for the data protection of medical wearables. Manufacturers are obliged to strictly comply with the legal requirements in order to avoid violations and heavy fines. Users should be aware of what data they are disclosing and what rights they have with regard to their personal information.
In the next article, we will deal with a related topic: “Medical device or lifestyle gadget? The regulatory gray area of wearables.”
FAQ about Wearables
Why does GDPR apply to medical wearables?
Because they collect sensitive health data such as vital signs, movement profiles, or medical histories. Under GDPR, such data is considered highly sensitive and may only be processed under strict conditions.
What issues exist with user consent?
Many wearables collect data automatically without explicit, informed consent. Under GDPR, consent must be voluntary, specific, informed, and unambiguous.
How does lack of transparency in data processing appear?
It is often unclear which data is collected and shared with third parties. Complicated or vague privacy policies make it difficult for users to make informed choices.
Why are storage and transfer critical?
Health data are sometimes stored unencrypted or transferred to servers outside the EU, which can violate GDPR requirements.
What does GDPR demand regarding data deletion?
Data must be erased once it is no longer needed. However, many providers lack proper deletion processes or do not offer users full deletion options.
What measures are required for GDPR compliance?
Obtain explicit consent, apply data minimization, ensure encryption, provide access and deletion rights, and maintain transparent privacy policies.