Dutch Data Protection Authority clarifies application of GDPR's right to be forgotten and data portability to medical records

The Dutch Data Protection Authority (DPA) recently published information on its website with respect to the application of the right to be forgotten and data portability to medical records under the General Data Protection Regulation ((EU) 2016/679) (GDPR).

According to the DPA, the right to data portability applies only to the personal data that the patient has actively and consciously provided, including through the use of a service or a device. Other data that has not been provided directly or through the use of a service or device by the patient do not benefit from the right to data portability, such as the conclusions, diagnoses, suspicions or treatment plans that a physician determines on the basis of information provided by the patient.

Furthermore, the scope of the application of the right to be forgotten to a patient's medical records is governed by the Act on the Medical Treatment Agreement (WGBO). The WGBO stipulates that healthcare providers must keep each patient's medical records for 15 years, but patients may ask for their data to be erased before this period has expired. The healthcare provider must comply with this request within three months, unless specific regulations require that the data be kept. The patient must be informed on the grounds of any rejection. If only part of the patient's medical records is erased, the healthcare provider can state on the file which part has been deleted at the patient's request.

A prior version of this post was originally published by the same author in Practical Law – Life Sciences, April 2018 issue (Thomson Reuters).