Skip to main content
Shaping Europe’s digital future logo
Shaping Europe’s digital future

Privacy code of conduct on mobile health apps

The privacy code of conduct on mobile health apps aims to promote trust among users and provide a competitive advantage for those who sign up to it.

© iStock by Getty Images - 1141201617 marchmeena29

The first versions of the code of conduct for mobile health apps were prepared against the background of the European Commission's 2014 mobile health green paper consultation. The consultation revealed that people often do not trust mobile health apps because of privacy concerns.

Following this consultation, the European Commission encouraged industry stakeholders to create a privacy code of conduct on mobile health apps in order to increase trust.

The objective was that the code of conduct would obtain the formal approval of European data protection authorities. Under the current General Data Protection Regulation (GDPR), the role of assessing codes falls under the mandate of the European Data Protection Board. Codes approved by the European Data Protection Board can be granted general validity across the EU through an implementing act.

History and current status

The work on a mobile health code of conduct started in April 2015, when a drafting team of industry members started developing the text of the code. The European Commission acted as a facilitator, providing legal and policy expertise and resources and overseeing the development of this work.

This drafting team included the App Association (ACT), App developers Alliance, Apple, COCIR, Digital Europe, ECHA, DHACA, EFPIA, Google, Intel, Microsoft, Qualcomm and Samsung. They worked through regular meetings, and presented the work at various events in order to obtain further feedback. The vision was that the code should be easily understandable for SMEs and individual developers who may not have access to legal expertise.

An early version of the work was submitted by the drafting team to the Article 29 Working Party in June 2016 for a first round of feedback. Following various suggestions for improvement from the Working Party, the Code was reworked (.pdf), and formally submitted on 7 December 2017, requesting approval under the Data Protection Directive.

The Working Party published its assessment in April 2018. It found that the criteria of the GDPR should be applied, and that the existing code did not yet adequately address these requirements. As a result, the Code was not approved.

Next steps

The Commission is engaged with a range of industry stakeholders in order to encourage the further development of the current draft Code, so that it may be submitted to the European Data Protection Board in the future to seek a formal approval.

Main provisions for app developers

The current draft of the Code consists of practical guidance for app developers on data protection principles while developing mobile health apps. The Code addresses notably the following topics:

User consent 

The user consent for the processing of personal data must be free, specific and informed. Explicit consent needs to be obtained for the processing of health data. Any withdrawal of consent has to result in the deletion of the user's personal data.

Purpose limitation and data minimisation

The data may be processed only for specific and legitimate purposes. Only data that are strictly necessary for the functionality of the app may be processed.

Privacy by design and by default

The privacy implications of the app have to be considered at each step of the development and wherever the user is given a choice. The app developer has to pre-select the least privacy invasive choice by default.

Data subject rights and information requirements

The user has the right to access their personal data, to request corrections and to object to further processing. The app developer needs to provide the user with certain information on the processing.

Data retention 

Personal data may not be stored longer than necessary.

Security measures

Technical and organisational measures need to be implemented to ensure the confidentiality, integrity and availability of the personal data processed and to protect against accidental or unlawful destruction, loss, alteration, disclosure, access or other unlawful forms of processing.

Advertising in mobile health apps

There is a distinction between advertising based on the processing of personal data (requiring opt-in consent) and advertising not relying on personal data (opt-out consent).

Use of personal data for secondary purposes

Any processing for secondary purposes needs to be compatible with the original purpose. Further processing for scientific and historical research or statistical purposes is considered as compatible with the original purpose. Secondary processing for non-compatible purposes requires a new consent.

Disclosing data to third parties for processing operations

The user needs to be informed prior to disclosure and the app developer needs to enter into a binding legal agreement with the third party.

Data transfers

For data transfers to a location outside the EU/EEA, there needs to be legal guarantees permitting such transfer, e.g. an adequacy decision of the European Commission, European Commission Model Contracts or Binding Corporate Rules.

Personal data breach

The code provides a checklist to follow in case of a personal data breach, in particular the obligation to notify a data protection authority.

Data gathered from children

Depending on the age limit defined in national legislation, the most restrictive data processing approach needs to be taken and a process to obtain parental consent needs to be put in place.


Harnessing innovation to unlock the potential of rural and remote areas

Digitalisation has enormous potential to transform life and opportunities in rural and remote areas. Our recent experience has proven that digitalisation can bridge physical distances to bring opportunities and services to us no matter where we live – so long as we have good digital connectivity. Yet, paradoxically, the exponential role of digital connectivity, services and skills over the past couple of decades has exacerbated rural-urban disparities, where it should have healed them.

Open market consultation - PCP on emergency medical services in security situations

The iProcureSecurity buyers group of nine healthcare buyers from five countries (Greece, Italy, Spain, Austria and Turkey) is inviting interested bidders to participate in the open market consultation for their upcoming pre-commercial procurement, via a number of online and physical meetings between mid January - April 2022. The PCP aims for new innovative triage management systems that will strengthen the resilience and interoperability of emergency medical services in security situations.

Virtual reality games improve rehabilitation - Tech4Care's journey, from an idea to the market thanks to PCP

In 2017-2020, Tech4Care developed and tested a virtual reality (VR) based system for stroke rehabilitation for a pre-commercial procurement led by healthcare organisations in Northern Ireland and Italy. This accelerated the internal R&D activity, boosted the company's growth and sustained the development of further digital health products, now available in the market. The solutions enables stroke patient to perform rehabilitation comfortably at home by means of a set of adaptive serious immersive VR games, with remote monitoring by clinical staff.

Open market consultation: pre-commercial procurement - quick response for patients with advanced heart failure

The TIQUE Buyers Group of healthcare providers from Spain, Italy and Sweden have identified a common need for the transformation of health and care services for patients with advanced heart failure and co-existing chronic conditions, frail or at risk of becoming frail. They invite potentially interested bidders to participate in the open market consultation of their upcoming pre-commercial procurement that aims to develop and test integrated care approaches to treatment for those patients. The consultation takes place in the form of online meetings between 7 October and 4 November 2021.

Related Content

Big Picture


The European Commission is working to provide citizens with access to safe and top quality digital services in health and care.

See Also

Managing health data

The European Commission adopted a Communication and a Staff Working Document on Digital transformation of health and care to boost European Union action.

eHealth experts

The European Commission created two expert groups working on eHealth: the eHealth Stakeholder Group and a temporary eHealth Task Force.