How to ensure GDPR compliance for patient data logging in a digital health clinical trial?

Anonymous · Published February 24, 2026 · 1 comment
We are preparing to launch our first clinical trial for a digital health app for diabetes. Our process is as follows: collect patient data via the app, store it locally, export the data, send it to the cloud, and then store it in the cloud. We have already addressed consent, but need advice on the technical steps for GDPR compliance.
Our questions:
  • Is it necessary to encrypt data locally on the device if the local database (e.g. ISAR DB) does not offer encryption at rest?
  • What are best practices for exporting data in a GDPR-compliant way to transfer it securely to the cloud?
  • We are considering using Firebase Storage as our cloud database. While Firebase claims to encrypt data in transit and at rest, there are concerns about data residency and GDPR compliance if data is stored outside the EU. Has anyone used Firebase for similar applications, or are there better cloud alternatives?
  • Since there will be no third-party use of the data, is pseudonymization still relevant in our case?

Anonymous 4 months ago
Advice on local encryption and cloud provider selection would be particularly helpful, especially regarding EU data residency requirements for health data.
1 Answer

Accepted answer: Dr. Oliver Eidel · Founder & CEO, OpenRegulatory
There's rarely a single clear answer for GDPR compliance since it depends on your specific use case, but here are some practical points:
  • For local storage, encrypting sensitive data on the device is strongly recommended if the database (like ISAR DB) doesn't provide encryption at rest. This reduces risk if the device is lost or stolen.
  • When exporting data, make sure to use secure channels like HTTPS/TLS. Ideally, data should be encrypted before export, and only decrypted in a secure environment in the cloud.
  • Firebase can technically be used under GDPR, but there are growing concerns about data residency and control, as some EU authorities are questioning Google solutions. To minimize risk, you can either encrypt data before sending it to Firebase (and keep the key out of Google’s reach) or use a fully European cloud service. Some alternatives include Open Telekom Cloud, StackIT, or specialized providers like chino.io.
  • Even if you do not share data with third parties, pseudonymization is still a recommended practice under GDPR, as it helps reduce risk in case of breaches and demonstrates proactive data protection.
Also keep in mind that if your project qualifies as a clinical investigation under MDR, additional data privacy requirements may apply.
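The "encrypt before export, keep the key out of the provider's reach, and pseudonymize anyway" points above, worked through in Go as an added example (it is not code from the answer, the question, or any of the products named). It assumes a 32-byte data key held only by the trial sponsor, a separate HMAC-SHA256 key for pseudonymization, and AES-256-GCM with the pseudonym bound as associated data; the function names are hypothetical, and the cloud provider only ever receives the pseudonym plus the opaque blob.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Pseudonymize replaces the direct patient identifier with a keyed HMAC; the
// pseudonymization key stays with the sponsor, never with the cloud provider.
func Pseudonymize(pseudoKey []byte, patientID string) string {
	mac := hmac.New(sha256.New, pseudoKey)
	mac.Write([]byte(patientID))
	return fmt.Sprintf("%x", mac.Sum(nil))
}

func newGCM(dataKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dataKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForExport encrypts a payload with AES-256-GCM on the device; the pseudonym
// is bound as associated data. Output layout: random nonce || ciphertext+tag.
func SealForExport(dataKey []byte, pseudonym string, payload []byte) ([]byte, error) {
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, payload, []byte(pseudonym)), nil
}

// OpenInSecureEnv is the inverse; it runs only where the data key may exist.
func OpenInSecureEnv(dataKey []byte, pseudonym string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(dataKey)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("invalid data key or truncated export blob")
	}
	ns := gcm.NonceSize()
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(pseudonym))
}
```

Because the pseudonym is authenticated together with the ciphertext, a blob that is re-labelled with another participant's pseudonym, truncated, or decrypted with the wrong key fails to open instead of yielding silently mismatched data.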
