After What Maximum Period Must a Patient's Medical Records Be Deleted?
ANSWER
The retention period for medical records, which is, as a rule, 20 years, or 30 years where the patient died as a result of bodily injury or poisoning, constitutes the maximum period during which medical practitioners, and thus data controllers, may retain medical records and process the personal data contained in them. From the perspective of the GDPR, retaining personal data beyond this prescribed period would breach the storage limitation principle under Article 5(1)(e) GDPR. This principle provides that personal data must be kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data are processed. The statutory period of 20 (or 30) years for the archiving of medical records therefore constitutes the maximum period for which personal data may be processed for that specific purpose. Upon the expiry of that period, the personal data (the medical records) must be deleted.
As regards the argument that it may not be possible to determine when the 20-year period expires in a given case, this is unlikely to constitute sufficient justification during an inspection by the supervisory authority. The data controller is obliged to implement appropriate technical and organisational measures to comply with the requirements imposed by the GDPR (Article 24(1) GDPR). Accordingly, the data controller is required in this case to organise its work in such a way that it knows when the last entry was made in the medical records and when the 20-year period, calculated from the end of the calendar year in which the last entry was made, will expire, thereby enabling the subsequent deletion of those medical records. This follows directly from Article 29(1) and (2) of the Act on Patients' Rights and the Patient Rights Ombudsman.