Personal data is essential to fulfilling business needs in the healthcare sector. Find below an introduction to:
Data processing: What kinds of personal data are typically processed in the healthcare sector, and how critical is that processing?
Regulation: Which privacy laws and provisions have to be respected in the healthcare sector?
Risks & Enforcement: Which compliance risks must be considered, and what has been the focus of supervisory authorities and courts?
Medical treatment regularly requires the processing of information about the biological and/or psychological state of patients. To ensure adequate treatment, it will often be necessary to share the collected health data with other health practitioners, such as more specialised doctors or hospitals.
Furthermore, the specialisation of the modern health industry entails the involvement of service providers that take over payment transactions and/or other interactions with the patient.
Increasing digitalisation, triggered in part by modernised statutory regulation, allows for more flexible communication with patients via "doctor consultation apps" or health portals that enable patients to upload sensitive files about their state of health. Every such channel is a further place where health data is stored and transmitted, and therefore a further place where it can be exposed.
The GDPR treats health data as a special category of personal data (Art. 9 GDPR) whose processing is prohibited unless one of the specific exceptions applies.
Both the GDPR and the Federal Data Protection Act (BDSG) provide exemptions that permit the collection of health data for treatment purposes. However, doctors and other controllers should carefully assess to what extent the involvement of individual service providers, e.g. cloud storage or health app providers, complies with data protection law: such providers usually act as processors and must be bound by a data processing agreement (Art. 28 GDPR), and particular care is needed where data is transferred to third countries without an adequacy decision.
Another compliance duty whose importance is often underestimated is informing patients about the processing of their data (Art. 13 and 14 GDPR). This information must be provided not only on time (i.e. before the processing has started) but also in a way that makes clear the potential risks arising from digital health solutions, such as health trackers or the transmission of data via unencrypted messaging.
If data in the healthcare sector is not processed in accordance with the law, this can have serious consequences for the lives of the data subjects concerned (e.g. patients). This would be the case, for example, if health data is disclosed to unauthorised third parties.
Against this backdrop, the processing of data in the healthcare sector has already been the subject of various statements by supervisory authorities and court rulings.