Tags: GDPR, security, occupational health, patient data, encryption

GDPR and security: What does your occupational health system require?

Understand GDPR requirements for occupational health. Swedish hosting, encryption, and access control — what your system must deliver.

Portway, March 7, 2026, 3 min read

Occupational health services handle some of the most sensitive personal data there is: health records, sick leave history, rehabilitation plans, and medical assessments. Yet many providers rely on systems never built with this type of data in mind. GDPR sets clear requirements — and the consequences of non-compliance are significant.

What does GDPR require of occupational health providers?

Health data is classified as sensitive personal data under Article 9 of the GDPR. This means stricter requirements than for ordinary customer records:

  • Legal basis — you must demonstrate why you process each data point
  • Data minimization — collect only what is necessary for the purpose
  • Retention periods — delete data that no longer has a legal basis
  • Records of processing — document all processing of personal data
  • Right of access and erasure — handle requests from data subjects within the legally mandated timeframe

In our article on the sick leave and return-to-work process, we describe how sensitive data flows between employer, employee, and provider. Every step in that chain must comply with GDPR — and the system you use determines whether that is possible.

Swedish hosting — why it matters

When health data is stored outside the EU/EEA, complex legal questions arise around third-country transfers. Even within the EU, differences exist in how data protection law is applied. Swedish hosting means:

  • No third-country transfers — data remains within Swedish jurisdiction
  • Clear regulatory framework — the Swedish Patient Data Act and GDPR apply directly
  • Reduced risk — fewer legal gray areas during audits or incidents

Encryption and access control

A system handling health data must have multiple security layers:

Encryption at rest and in transit

All data must be encrypted, both when stored (at rest) and when transmitted (in transit): TLS 1.2 or higher for transport, and AES-256 or an equivalent cipher for storage.

Role-based access control

Not all users should see all data. An HR manager needs aggregated statistics, not individual health records. An occupational safety engineer needs risk assessments but not medical history. The system must support granular permission management.

Logging and traceability

Every access to sensitive data must be logged. During an audit by the supervisory authority, you must be able to show who accessed what and when.
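The two requirements above, role-based access and an audit trail of every access, are easiest to meet when all reads go through one gate. The following is an added illustration, not Portway's code: it uses the page's own examples (an HR manager sees only aggregated statistics, a safety engineer sees risk assessments but not medical history) with constructed role names, a constructed in-memory store, and logs denied attempts as well as allowed ones, so an audit can answer "who accessed what and when".

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role model following the page's examples (hypothetical names):
# an HR manager gets aggregated statistics only, a safety engineer gets risk
# assessments but no medical history, and a physician gets the full record.
ROLE_PERMISSIONS = {
    "hr_manager": {"aggregate_stats"},
    "safety_engineer": {"risk_assessment"},
    "occupational_physician": {"risk_assessment", "medical_record", "sick_leave"},
}


@dataclass(frozen=True)
class AuditEntry:
    """One immutable audit record: who, in which role, touched what, and when."""
    timestamp: str
    user: str
    role: str
    resource_type: str
    resource_id: str
    allowed: bool


class HealthDataGateway:
    """Single choke point: every read is authorised by role and then logged,
    denied attempts included, so the log answers 'who accessed what and when'."""

    def __init__(self, store):
        self.store = store        # constructed: {(resource_type, resource_id): payload}
        self.audit_log = []

    def read(self, user, role, resource_type, resource_id):
        # Deny by default: an unknown role or resource type grants nothing.
        allowed = resource_type in ROLE_PERMISSIONS.get(role, set())
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user, role,
            resource_type, resource_id, allowed))
        if not allowed:
            raise PermissionError(f"role {role!r} may not read {resource_type!r}")
        return self.store.get((resource_type, resource_id))

    def accesses_to(self, resource_id):
        """Audit question: every attempt, allowed or denied, on one data subject."""
        return [e for e in self.audit_log if e.resource_id == resource_id]

    def denied_attempts(self, user):
        """Detection question: repeated denials by one user deserve a closer look."""
        return [e for e in self.audit_log if e.user == user and not e.allowed]
```

The log is append-only from the gateway's point of view; in a real deployment it would be written to storage the application account cannot modify, so that the trail itself survives an incident.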

Checklist for your system

Ask these questions of your system provider:

  • Where is data physically stored? Require Swedish or Nordic hosting.
  • What encryption standard is used? Accept nothing below AES-256 / TLS 1.2.
  • Is there role-based access? Verify that you can control permissions by role and function.
  • Is all access logged? Ensure audit trails exist and are searchable.
  • Does the system handle deletion and retention? GDPR requires that data is not stored longer than necessary.

Considering switching systems? Our checklist for switching occupational health systems covers how to migrate securely. Also read more about Portway's security approach and how the platform's occupational health features are built with GDPR as the foundation.

Ready to take the next step?

Want to know how Portway handles security and GDPR compliance in practice? Contact us for a conversation about your specific requirements, or book a demo to see the platform.