
Health Data Protection in Germany

We advise on data protection in healthcare

Health data are sensitive personal data that are covered by special legal protection in Germany and Europe. Health data include all data which relate to the health condition of a data subject and reveal information about the data subject’s former, present, or future physical or mental health condition.

Where health data are concerned, it is irrelevant which body processes them. As a consequence, hospitals, doctors' offices, care facilities, health insurers, pharmacies, research institutions, and also other organizations processing health data, such as mutual aid fellowships or foundations aiming at promoting public health and public healthcare, are required to address health data protection in Germany.

As digitization is also playing an increasingly important role in healthcare (electronic patient files, telemedicine, health apps), the data protection and data security requirements are very likely to continue to increase in the future.

Special protection of health data in Germany

Data concerning the health condition of a person, including data about a disease, treatment, or diagnosis, risks of disease, genetic data, or visits to the doctor, constitute highly sensitive information. If such data fall into the wrong hands, the consequences for the person concerned may be serious. Hence, the level of data protection must be very high where health data are concerned.

Due to their high sensitivity, the General Data Protection Regulation (GDPR) protects health data as "special categories of personal data" (Art. 9 GDPR), whose processing is prohibited unless one of the exemptions listed there applies. In addition, sector-specific provisions need to be observed. These include

  • provisions of the social codes,
  • the German E-health Act,
  • federal state laws on hospitals, or
  • the professional codes of ethics for physicians and pharmacists.

Healthcare facilities run by churches are additionally subject to independent ecclesiastical data protection laws.


Privacy and Cyber Security in Germany 2019

(Chapter in the Law Review series)

Our privacy experts contributed a chapter to the handbook The Privacy, Data Protection and Cybersecurity Law Review, which is available to read for free.

No health data without data protection concept

In addition to the requirements under data protection regulations, medical secrecy must also be protected; its breach by physicians and other members of the healthcare professions is a criminal offense under Section 203 of the German Criminal Code (StGB).

In order to fulfill their responsibilities in terms of data protection, all entities processing health data are required to implement an effective data protection concept. Given the high degree of complexity of health data protection, we offer you professional assistance based on our extensive practical expertise in the field of data protection law.

Our consulting services in health data protection

Your data protection in the hands of experts! We will be pleased to assist you in designing health data processing chains that comply with German legal requirements while being adapted to your practical needs.

Our consulting services in health data protection include:

  • reviews for compliance with data protection provisions and development of data protection concepts
  • legal assessments of matters relating to health data protection
  • conducting employee training programs, e.g. for physicians, nursing staff, and receptionists
  • consulting in connection with the use of external service providers (so-called "digital health providers"), e.g. for patient data administration
  • designing all processes in compliance with European data protection regulations, e.g. patient admission, documentation of examination results, and patient discharge
  • consulting on health data transmissions to third parties, such as other specialist departments, accounting centers, social security bodies, or the health insurers' medical service, in compliance with data protection regulations
  • consulting on introducing and designing data processing programs (such as hospital information systems) and creating authorization concepts in compliance with data protection regulations
  • drafting the required documentation, such as letters of commitment, declarations of consent, or confidentiality release forms
  • consulting on the documentation, archiving, and erasure of health data in compliance with data protection regulations
  • consulting on designing e-health offers, such as e-health apps or online-assisted appointment scheduling, in compliance with data protection regulations
  • consulting with respect to the data protection impact assessment required by Art. 35 GDPR
  • provision and tasks of an external data protection officer
  • introduction of processes ensuring and implementing the rights of data subjects, such as information requests

Your attorney for health data protection

Your contacts for questions relating to any aspect of health data protection are Attorney Olga Stepanova, Attorney Patricia Jechel, and Attorney Lars Gerbe. Please do not hesitate to contact us. The easiest way to reach us is via e-mail or by phone (+49 (0) 69 76 75 77 80).

Privacy Law: Recent blog posts

German Telecommunications Telemedia Data Protection Act Simplifies Consent to Cookies

- Olga Stepanova

Compensation For GDPR Damages Only in The Event of Damage That Has Actually Occurred

- Patricia Jechel

Do Companies in Germany Need to Report Ransomware Attacks?

- Olga Stepanova

