Privacy and Protection of Health Data in Germany: A Strict System and Patient Safety
In Germany, health data is considered one of the most sensitive types of information. The GDPR classifies it as a special category of personal data (Art. 9 GDPR), so it is protected more strictly than ordinary personal data such as bank account details. Protecting this information is not optional: it is a legal obligation for everyone who handles it, including doctors, insurers, hospitals, and health apps.
Which laws govern the protection of health data?
EU General Data Protection Regulation (GDPR / DSGVO)
applies across all EU member states
classifies health data as a special category requiring extra protection
Federal Data Protection Act (BDSG)
complements the GDPR and defines how it is implemented in Germany
Medical confidentiality (§ 203 StGB)
makes it a criminal offence for doctors, clinic staff and other holders of professional secrets to disclose patient secrets without authorisation
Who is allowed to access your health data?
| Entity | Access is only allowed if … |
|---|---|
| treating doctor | for the purposes of your treatment, under medical confidentiality; passing data on to other practices or third parties requires your consent or another legal basis |
| health insurance provider | within the limits that treatment and billing require; anything beyond that only with your consent |
| hospital | during inpatient treatment, with confidential record handling |
| health apps and the ePA (elektronische Patientenakte, the electronic patient record) | after clear user activation and detailed consent |
Even family members cannot access it without explicit permission.
How is your data protected in practice?
Encryption of data both in transit and at rest
Multi-factor authentication for app or ePA access, rather than a password alone
Data storage on certified servers within the EU
Strict internal controls in healthcare institutions
Many institutions must appoint a Data Protection Officer (Datenschutzbeauftragter)
What about health apps on your phone?
Only applications approved by the BfArM as DiGA (digitale Gesundheitsanwendungen, digital health applications) can be prescribed by doctors and reimbursed by statutory health insurers. To be listed, an app must meet requirements such as:
Transparency in the privacy policy
Explicit user consent
Storage and processing on secure server environments, generally within the EU
Apps without official approval may pose a risk to your privacy, even if they seem “convenient” or free.
What are your rights as a patient?
You can, at any time:
request a copy of your medical data (right of access, Art. 15 GDPR)
request corrections of inaccurate data (right to rectification, Art. 16 GDPR)
withdraw any consent you have given to share data, with effect for the future (Art. 7(3) GDPR)
file a complaint with the data protection supervisory authority of your federal state (Landesdatenschutzbeauftragte) (Art. 77 GDPR)
What happens if your data privacy is breached?
fines for the institution or doctor responsible, under the GDPR up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher (Art. 83 GDPR)
your right to claim compensation for material or non-material damage in court (Art. 82 GDPR)
the institution must report the breach to the supervisory authority within 72 hours of becoming aware of it (Art. 33 GDPR) and, where the breach is likely to pose a high risk to you, inform you directly (Art. 34 GDPR); the authority can then investigate and order corrective measures
Summary
| Point | Explanation |
|---|---|
| Who owns your data? | You—as the patient |
| Can it be shared? | outside your own treatment, only with your clear consent or another legal basis |
| Who protects it? | GDPR + BDSG + professional confidentiality (§ 203 StGB) |
| Penalty for leaks? | heavy fines and, for breaches of medical confidentiality, criminal penalties including imprisonment |
—
Our writers and editors aim to provide accurate information through extensive research and reviewing multiple sources. However, mistakes may occur or some information may be unconfirmed. Please consider the content as initial guidance and always consult the relevant authorities for verified information.