GDPR for Medical Practices and Therapists: 8 Obligations
TL;DR
- Patient data is special-category data under Art. 9 GDPR — heightened protection standard
- Medical confidentiality (Section 203 StGB — German Criminal Code) sits on top of GDPR — breaches may trigger criminal liability
- 10-year retention for patient records (Section 630f BGB), longer for radiation therapy (30 years)
- eRezept and telematics infrastructure add BSIG (German Cybersecurity Act) obligations on top of GDPR
- Fine risk: very high due to data sensitivity — German health insurer fined EUR 250,000 in 2024
1. Patient data is Art. 9 GDPR
All patient data are special categories of personal data. The legal basis for routine treatment is Art. 9(2)(h) GDPR (provision of healthcare). The protection standard exceeds general personal data: stricter access controls, encrypted transmission, and audit logs are baseline expectations.
2. Practice management software (KIS)
A Data Processing Agreement (DPA) is required with any KIS vendor (CompuGroup, x.dental, Medatixx). EU-region hosting is strongly preferred. Document the DPA, vendor sub-processors, and the location of backup storage in your records of processing.
3. eRezept and telematics infrastructure
The German telematics infrastructure relies on connector hardware, electronic health professional cards (eHBA) and SMC-B cards. Strict BSI security standards apply. The infrastructure adds BSIG (German Cybersecurity Act) obligations alongside GDPR — both must be tracked.
4. Medical confidentiality (Section 203 StGB)
Section 203 of the German Criminal Code criminalizes the disclosure of patient information by medical professionals. It is stricter than GDPR. A breach can produce both a criminal complaint and a GDPR fine in parallel — manage them as separate but connected risks.
5. Patient access rights
Patients have a right to inspect their records under Section 630g BGB (German Civil Code) in addition to the GDPR Art. 15 right of access. The duties run in parallel; processes should satisfy both at once.
6. Retention
Default retention for patient records is 10 years under Section 630f BGB. Specialized treatments require longer: 30 years for radiation therapy, 15 years for X-ray records under Section 28 RöV. Document the retention reasoning per record category.
7. Breach handling for health data
For any data breach involving health data, individual notification under Art. 34 GDPR is effectively always required (high risk to data subjects), and damages claims are typically substantial. Treat health-data breaches as the highest-priority response category.
8. KV (panel-doctor association) connection
Data flow to the Kassenärztliche Vereinigung must use secure channels — KV-SafeNet or the telematics infrastructure. Document the channel, encryption standard, and authentication mechanism.
Summary
Medical practices operate under three overlapping regimes: GDPR, criminal-law medical confidentiality, and BSIG cybersecurity requirements via the telematics infrastructure. The combination produces the highest fine and liability exposure of any SME sector. Tightly couple the records of processing to the medical confidentiality concept and refresh both annually.
Frequently Asked Questions
Is standard GDPR compliance sufficient?
What is the fine risk?
Sources
- Regulation (EU) 2016/679 — GDPR (Art. 9 special categories) (as of: 2026-05-02)
- German Federal Data Protection Act (BDSG) (as of: ongoing)
- Directive (EU) 2022/2555 — NIS2 (health sector) (as of: 2026-05-02)