Using and sharing health data
Data about someone’s health is special personal data. Such health data is processed in a medical record, for example, but a social worker’s record may also contain it. Special personal data receives additional protection under the General Data Protection Regulation (GDPR).
It is important that everyone who uses healthcare can be assured that their health data is safe. To ensure this, the GDPR and healthcare legislation clearly state which (additional) rules healthcare providers must comply with when they process (use) health data.
For example, to protect health data, a healthcare provider is required to:
- conduct a data protection impact assessment (DPIA) (Article 35 GDPR) when it processes health data on a large scale;
- appoint a Data Protection Officer (DPO) (Article 37 GDPR) when its core activities consist of large-scale processing of health data.
More information
Brochure Electronic data exchange in healthcare from the Ministry of Health, Welfare and Sport
Website of the Association of Healthcare Providers for Healthcare Communication (VZVZ), the manager of the National Exchange Point (LSP).
Quick answers
To whom can I turn if I have a question or complaint about the processing of my health data?
Do you have a question or a complaint about the processing of your health data by your care professional or healthcare organisation? For example, because you believe your care provider has breached medical confidentiality? Please discuss your question or complaint with your care provider first.
If you are not satisfied with the outcome of that discussion, or do not want to have such a discussion, you have various options. For example, you can contact the Data Protection Officer (DPO) of your healthcare provider. The DPO is the person who stands up for (your) privacy interests within the healthcare institution.
Want to initiate a formal procedure? You can:
- submit a complaint to the complaints body with which your healthcare provider is required by law to be affiliated;
- initiate proceedings before the disciplinary court with a complaint about a breach of medical confidentiality;
- submit a complaint to the Dutch Data Protection Authority (DPA).
Is a processing register mandatory for small healthcare practices or healthcare providers?
Yes, in practice almost always. Under the GDPR (Article 30), organisations with fewer than 250 employees are only exempt from keeping a processing register if none of the following applies. They must keep a register when they process personal data:
- in a way that is likely to result in a risk to people’s rights and freedoms; and/or
- other than occasionally; and/or
- that fall under the category of special personal data.
Because health data is special personal data, the last condition is met by any healthcare practice or healthcare provider that keeps medical records, so a processing register is required regardless of the size of the organisation.