Online appointments with the doctor? Yes – but please keep it confidential!
Many patients receive a reminder for a doctor's appointment by email or text message after a phone call with a practice. We answer frequently asked questions.
It is often difficult to make appointments with doctors: Telephone lines are either busy or you are stuck in a waiting loop. For medical practices, making appointments is labor-intensive and time-consuming. In view of the digitalization of medical practices, it therefore makes sense to use the Internet to arrange appointments online. Almost all doctors' surgeries, many hospitals and other medical professions now offer such online appointment services.
As practical as this is, many people shy away from it because they don't trust the internet and digital services: Where does my health data end up? Will patient confidentiality be protected? Can I trust the online service? What can I do myself to maintain control over my health data?
The fears are often justified: Patients are irritated, for example, if they have made an appointment in person or by telephone and then receive an appointment reminder or confirmation by email or text message from a provider they do not know. The media report that cyber criminals have gained access to masses of patient data via appointment portals. There are also reports that doctors are allegedly making their anonymized patient data available for research or even for the training of "artificial intelligence" in return for money or reduced costs. Some patients are particularly frustrated when a doctor only makes appointments online and refers them exclusively to an external service provider.
Anyone who asks their doctor questions about this regularly encounters a lack of understanding or ignorance. Healthcare professionals are medical experts. They often do not know how their information technology works, and they regularly rely on external support even for organizing their practice. Companies exploit this ignorance by offering doctors a low-cost, carefree package and claiming that all data protection rules are observed. On closer inspection, however, the way the practice is operated is in breach of data protection law and medical ethics.
The following section provides answers to a number of questions repeatedly asked by patients and doctors. The answers that apply to doctors can be transferred to clinics or other medical professions.
Is online appointment management even permitted?
In principle, it is permitted to arrange doctor's appointments online and at the same time it is a relief for both the patient and the doctor. However, this is subject to the condition that medical confidentiality – patient confidentiality – is maintained. Accordingly, data relating to medical treatment must be particularly protected; this applies not only to information about diagnoses and therapies, but also to information about the doctor providing treatment or about a doctor's appointment.
How can I tell if an appointment is compliant with data protection regulations?
Unfortunately, there is currently no independent and transparent certification of appointment tools. If a provider advertises with data protection certificates, these are often misleading. For example, the advertised certificate may be limited to individual components or specific services. In most cases, the certificates cannot be verified due to a lack of transparency. Websites often claim that a service is compliant with the General Data Protection Regulation (GDPR). On closer inspection, such claims often turn out to be false.
Doctor's website or independent appointment provider?
If an online appointment tool is integrated into a doctor's website and appointment requests can be entered there directly without being referred to another provider, the web service provider is acting as a processor for the doctor and, as a contributor, is bound by patient confidentiality. It may not then use data of which it becomes aware for its own purposes. The situation is different if a doctor's website refers to an independent external online provider, as is the case with Doctolib, for example, where the patient has to set up their own account with that provider. In this case, the data collected there is not subject to patient confidentiality and is only protected to a limited extent.
A doctor only offers appointments via an external appointment provider and I want to protect my data in the best possible way: What can I do?
It is questionable under professional law whether it is permissible for a doctor to accept appointment requests only digitally. In such cases, you can complain to the local medical association. If there is no alternative for making an appointment other than an independent external provider and you are in urgent need of treatment, you can set up an account with the provider and make the appointment. Once the appointment is over, you can delete the account without any disadvantage; the provider must then delete the data.
Is a notice in the waiting room sufficient if a doctor uses an external appointment service?
No, personal, explicit consent is required. This presupposes that the patient has previously been personally informed about the identity of the service provider and the purpose of their involvement. Consent must be given explicitly. It must also be voluntary. This cannot be assumed if there is no alternative to consent. If someone uses an external appointment service on their own initiative, this can be seen as consent.
Is a digital appointment confirmation permissible if I have made an analog appointment?
A digital exchange with a doctor, for example by email or text message, is permitted if the patient has expressly consented to this. A digital appointment confirmation for a non-digital appointment is therefore only permitted if the patient has given their prior consent.
Do I have a right to information about my data?
Yes, Article 15 GDPR obliges data controllers to provide information about all data they store about you. A request for this does not require any particular form. Copies of documents must also be provided. However, if a company acts exclusively as a processor for a doctor, only the doctor is obliged to provide the information.
When should my appointment data be deleted?
Appointment agreements are not subject to special documentation requirements. They must be deleted once they are no longer required. This is generally the case once the appointment has taken place.
What can I do if I discover irregularities?
The data protection authority of the federal state in which the doctor or service provider is based is responsible for data protection violations. A list of addresses can be found on the website of the Federal Commissioner for Data Protection and Freedom of Information. If you have a complaint against a doctor or hospital, you can also turn to the relevant medical association.
It is repeatedly claimed that the services offered by the widespread appointment broker Doctolib are inadmissible. Why have more and more doctors been using it for years without any complaints?
Since its 2019 annual report, the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI) has regularly criticized Doctolib's appointment management service. It has received, and continues to receive, numerous complaints, but these have not yet been conclusively dealt with. This is because the BlnBDI and the French data protection authority (Commission Nationale de l'Informatique et des Libertés, CNIL) only agreed at the beginning of 2025 that the CNIL, and not the BlnBDI, is responsible for sanctions against Doctolib, since Doctolib in Berlin is a subsidiary of a French group. It is unclear how the CNIL will deal with the complaints. It is also not known why the medical associations and the public prosecutor's offices have so far remained inactive.
A detailed legal practice guide "Dealing with online appointment management systems" from data protection associations (GMDS/BvD/DVD/GDD/FED) can be found here.
(nen)