Online doctor’s appointments: Data protection advice for practices and patients

As more and more people are surprised to receive appointment reminders by e-mail or text message, the Data Protection Conference provides guidance for doctors and patients on what booking portals may and may not do with patient data.

(Image: Prostock-studio/Shutterstock.com)

Doctor's appointments are increasingly being made online. However, it is unclear what service providers and medical practices are allowed to do with the data involved. As a result, more and more complaints about appointment booking portals are being received, in particular by Meike Kamp, the Berlin data protection commissioner, whose authority is responsible for supervising Doctolib. Because both patients and practice owners are uncertain about the rules, the Data Protection Conference (Datenschutzkonferenz, DSK), which Kamp currently chairs, is responding to the questions it most frequently receives from practitioners.

Although hardly any data is actually required to book an appointment, some systems demand access to the practice's entire patient master data. Due to the growing number of requests for advice, the DSK has published a position paper, "Data protection in appointment management by medical practices", on the data protection-compliant use of service providers for online appointment booking and appointment management.

If appointment management is outsourced, patient data is also processed by the service provider commissioned by the practice. Patient consent is not required for this, but patients must be informed that a service provider is used for appointment management, and there should "always be an alternative option" for obtaining an appointment, for example by telephone or in person. Whenever practices process patient data to allocate treatment appointments, either patient consent or another legal basis is required. What is often unclear is how much patient data may be processed for this purpose.

According to the data protection experts (PDF), only data that is necessary for entering appointments should be used, "i.e. in particular name, date of birth, treating doctor, type of appointment (e.g. check-up, X-ray) and a contact option", for example for last-minute appointment changes. "Only the patient data required to arrange a specific appointment is required for a service provider to make the appointment."

The data protection experts emphasize that "as a rule, no blanket provision of master data of all patients ever treated in the medical practice to the commissioned service provider is required in advance". The required data is "regularly communicated by the patients themselves when making an appointment online or collected by the medical practice when scheduling an appointment on site or by telephone and entered in the appointment calendar".


An appointment reminder by e-mail or text message is, however, conceivable as an additional service: "provided that the patients agree to this upon request and are informed accordingly, the contact data required for this purpose may also be processed, depending on the communication channel selected", the DSK clarifies. Consent is therefore required for reminders, and the practice must be able to prove that it was given.

In addition, the medical practice must provide "meaningful information about the external appointment scheduling and management", including which company is the "recipient of the data". If patients create a user account with one of the service providers and thereby conclude a contract with the appointment management company, "the appointment management company" itself becomes the responsible party under data protection law. "If health data is also processed in the process, the appointment management company generally requires effective consent from the users concerned," the statement reads.

At the beginning of the year, Doctolib informed patients in its privacy policy that it intends to use data for AI training purposes. Consent is required for health-related data. If "no health data is involved", Doctolib cites "legitimate interest" as the legal basis for data processing.

The data processed in the appointment calendar may not simply be further processed by the service provider for its own purposes. "If the service provider is aware that this data is being used for its purposes, the medical practice is obliged to ensure that its service provider complies with data protection regulations," the paper states. In addition, the entries in the appointment calendar must be deleted "in a short timeframe". "This is because entries in the appointment diary are not part of the treatment documentation as such and are therefore not subject to the documentation obligation under professional law," the data protection experts explain.

Medical practices remain responsible for the data processing. This includes checking whether the service provider implements suitable data protection measures such as "client separation" between practices, whether the web application and its "interlinking" with the practice management system are secure, and whether deletion deadlines are observed. In practice, it happens time and again that patients are surprised to receive a text message from their doctor reminding them of an appointment; sometimes the reminders are even addressed to other people. According to the data protection experts, a "clear separation of responsibilities is required" that is recognizable to patients.

At its interim conference on June 16, 2025, the DSK also adopted a resolution on the relationship between internal security and freedom (PDF). The background to this is the current debate on the amendment of various security laws. "Freedom and security are indispensable prerequisites for a democracy. Security also includes people in the country being able to rely on the state and its institutions respecting their rights and freedoms and complying with constitutional laws and given guarantees. Data protection law is of central importance here, as it ensures that state data processing complies with the rule of law", said Kamp.

The DSK also provides guidance on TOMs (technical and organizational measures) for the development and use of AI systems (PDF). "Considering the extensive processing of personal data and the potentially high risks, data protection is highly relevant for AI systems", explains Meike Kamp. The guide is intended to help people think about data protection from the outset.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.