When you share patient data as a doctor, for example by referring your patient to a cardiologist colleague, you are ‘disclosing personal data’. You don’t have to disclose the transfer of the information to the patient or data subject if you are still respecting professional confidentiality. The receiver or recipient of this data then becomes the data controller, with the obligations that role carries.
Patients, too, have the right to take their data with them wherever they go; this is the right to data portability.
Apps are not covered by professional confidentiality. So any change in who has access to or is processing the data has to be communicated in full to the app user, including, among other things, the identity of the new app data controller, the categories of data which will be used and the recipients of the data. It is a long list, but how many people just click on the “updated terms and conditions” without reading them? Most of us…
Being based outside the EU does not exempt an app from complying with GDPR if the data subject or app downloader is based in the EU. So unless you are 100% certain that you are complying with GDPR, you should limit your app store access to countries not covered by the GDPR.
If the data is being shared outside the EU (of particular interest in the context of Brexit), then similar levels of protection should be requested. Chapter V covers the transfer of data outside of the EU and clearly states that once the EU has decided that the minimum requirements are met, this decision has to be reviewed every 4 years. It is the European Commission that decides whether the standards are being met.