GDPR questions and answers

Category: DPO Challenges

What is the legal basis for personal data processing by a medical facility, and how should the information obligation towards patients be fulfilled?

ANSWER

As a rule, the legal basis for the processing of health data (special category data) by healthcare providers and medical facilities is Article 9(2)(h) GDPR, read together with a general basis under Article 6(1), typically Article 6(1)(c) GDPR (processing necessary to comply with a legal obligation). For personal data that is not in a special category, Article 6(1)(c) GDPR alone applies. A practitioner should note that Article 9(2)(h) only covers processing carried out by, or under the responsibility of, a person bound by professional secrecy (Article 9(3) GDPR). Within that scope there is no need to obtain additional consent under Article 6(1)(a) or Article 9(2)(a) GDPR for the purposes of preventive or occupational medicine, assessment of an employee's working capacity, medical diagnosis, or the provision of health or social care.

However, the information obligation under Article 13 GDPR must still be fulfilled towards the data subjects (patients). It may be met by displaying a notice, for example at reception, and its content may also be handed over as a written statement. If patients provide their data by telephone or email, the information may likewise be provided by telephone or email. The obligation is fulfilled once, at the time the personal data is collected for a specific processing purpose; it does not have to be repeated for the same patient if he or she already has the information (Article 13(4) GDPR). The patient should therefore have the opportunity to read the content of the privacy notice at the moment of providing his or her personal data.

Legal basis and privacy notice for medical facilities | ODO 24 | ODO 24