DSGVO Wissen
GDPR Art. 9

C – Health sector (Art. 9(2)(h) and Art. 9(3))

Art. 9(2)(h) and (3) GDPR – When health data may be processed for medical care and who may do so.


At a Glance

Art. 9(2)(h) is the most important exception for the healthcare sector. It permits the processing of health data (and other special categories of data) where this is necessary for medical purposes, for example diagnosis, treatment, preventive care or the management of health care systems and services, including billing. In addition, Art. 9(3) restricts who may do the processing: only professionals subject to a statutory obligation of professional secrecy, or persons working under their responsibility.


Conditions

For processing under (h) to be permitted, all three conditions must be met:

  • a) Processing is necessary for one of the purposes listed in (h) (e.g. preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, the management of health care systems and services)
  • b) Processing takes place on the basis of national or EU law, or pursuant to a contract with a health professional (e.g. the treatment contract)
  • c) Processing is carried out by or under the responsibility of a professional subject to a statutory obligation of professional secrecy (Art. 9(3)) – applies if c1 or c2:
    • c1: The person is themselves bound by professional secrecy anchored in law or professional rules, i.e. belongs to one of the covered professional groups (e.g. doctor, dentist, psychotherapist, pharmacist or nursing staff under § 203 StGB)
    • c2: The person works under the responsibility of someone bound by professional secrecy (e.g. hospital administration under medical leadership)

I. For which purposes does (h) apply?

Purpose                                       | Example
----------------------------------------------|------------------------------------------------------
Medical diagnostics                           | Storing diagnostic data in the patient record
Treatment                                     | Sharing findings between doctors of the same team
Preventive healthcare                         | Vaccination records, preventive examinations
Occupational medicine                         | Aptitude examinations by the company doctor
Management of health care systems and services| Billing of statutory health insurance services

Not covered by (h):

  • Processing for research purposes → (j) applies for this
  • Processing for marketing purposes → no exception available
  • Processing by insurers → only where there is a direct healthcare nexus

II. What does "necessary" mean?

Processing may only take place to the extent that is necessary for the purpose. Where a less intrusive means of achieving the same purpose exists, that means must be used; for example, a billing department needs the billing-relevant data, not the full treatment documentation.

III. Which legal basis is required?

Condition b) requires that the processing rests on Union or Member State law (or on a contract with a health professional). In Germany, for example, the following provisions satisfy this requirement:

Law                         | Content
----------------------------|------------------------------------------------
§ 22(1) no. 1(b) BDSG       | General healthcare
§ 630f BGB                  | Documentation duty in the patient record
§§ 295 et seq. SGB V        | Billing in statutory health insurance
State hospital laws         | Inpatient care

IV. Who may process the data? (Art. 9(3))

Art. 9(3) imposes an additional personal requirement: health data under (h) may only be processed by professionals subject to a statutory obligation of professional secrecy – or under their responsibility.

Professional group          | Professional secrecy
----------------------------|--------------------------------------------------------------------------
Doctors                     | § 203 StGB, professional code
Dentists                    | § 203 StGB, professional code
Psychotherapists            | § 203 StGB, professional code
Pharmacists                 | § 203 StGB, professional code
Nursing staff               | § 203 StGB (as a health profession requiring state-regulated training)
Hospital administration     | Not bound themselves – only under medical responsibility

Important: A purely contractual confidentiality obligation (e.g. NDA) is not sufficient. Professional secrecy must be anchored by law or professional rules.

IT service providers in the healthcare sector

IT service providers do not themselves have a duty of professional secrecy in the sense of Art. 9(3). They may still operate – but only if:

  • The controller (e.g. the hospital), as the holder of professional secrecy, bears overall responsibility
  • The IT service provider acts under the supervision and on the documented instructions of the controller, which in practice means a processing agreement under Art. 28 GDPR
  • Access is limited to what the service actually requires (e.g. operating the system, not browsing patient records)

Since the 2017 amendment of § 203 StGB, the holder of the secret may also involve "other participating persons" (sonstige mitwirkende Personen) such as IT service providers to the extent necessary, and those persons are themselves liable under § 203(4) StGB for unauthorised disclosure.

V. Distinction from (i) (public health)

                | (h)                                          | (i)
----------------|----------------------------------------------|--------------------------------------------
Focus           | Individual care of the individual patient    | Population-level measures
Examples        | Diagnosis, treatment, therapy                | Epidemic control, epidemiological surveillance
Cumulable?      | Yes – both grounds can apply simultaneously  | Yes – both grounds can apply simultaneously

Frequently Asked Questions (FAQ)

May the doctor share my data with another doctor? Yes – where this is necessary for treatment and both are bound by professional secrecy.

May the hospital administration read my patient record? Only insofar as this is necessary under medical responsibility and for the provision of care.

What about research at the hospital? For this, (h) does not apply, but (j) (research and statistics) – with its own requirements.

Does the hospital need an additional legal basis under Art. 6? Yes. (h) does not replace Art. 6 – both must be fulfilled in parallel.
