The requirements placed on the processing of health data by data protection law are complex and are further exacerbated by Book 5 of the German Social Code (SGB V), the criminal law, medical confidentiality and numerous special statutes (German Medicinal Products Act (AMG), German Act on Medical Devices (MPG) etc.). From hospitals and insurance companies to pharmaceutical and e-health companies, all players must comply with the strict requirements, despite their hectic daily routines, and take these into account when designing IT contracts. This applies in particular to the transfer and outsourcing of patient data. What is more, the healthcare sector is also becoming increasingly digitised: learning platforms for patients, health apps, 3D scans, artificial intelligence, etc. In addition to the legal requirements, the technical implementation has also increased in complexity.

The lawyers at Schürmann Rosenthal Dreyer have the necessary expertise and degree of specialisation to implement both the data protection and IT legal requirements in the healthcare sector with you.

We advise

  • Pharmaceutical companies
  • Hospitals & clinics
  • E-health companies
  • Insurance companies
  • Health insurance funds
  • IT service providers
  • Research institutions

What legal challenges do our clients face and how can we successfully solve them?

The focus is on the necessary steps that our clients must take in order to ensure that patient data is handled in compliance with data protection regulations without having to sacrifice the opportunities which digitisation also offers in the healthcare sector.

We support you in the design of a data protection policy and the necessary IT contracts, ensuring legally compliant and sustainable solutions and enabling you to take care of your core activity.

The key question: Which rules are relevant to whom and how should they be implemented?

In the healthcare sector, there are a wide range of players: hospitals, pharmaceutical companies, health insurance funds, research institutions, but also start-ups which develop products and services tailored to the healthcare market. In addition to the GDPR and the German Data Protection Act (BDSG), various special statutes which modify the provisions of the GDPR and the BDSG must therefore be observed. In addition, some legislative powers have remained with the federal states, so that state-specific regulations must also be taken into account (e.g. state hospital acts).

The key challenge, especially for new players, is therefore the identification of the relevant statutes and knowing how they interact with each other.

Outsourcing between professional secrecy and cost pressure

Should you wish to outsource individual processing activities in the healthcare sector, criminal liability will constantly hang over this like the sword of Damocles. The reason for this is Section 203 of the German Criminal Code, which criminalises the unauthorised disclosure of patient data and the fact that employees of the respective service provider regularly have the opportunity to access the communicated data.

However, cost-effective patient care is virtually impossible without outsourcing:

  • Server hosting
  • IT-supported billing systems
  • Archiving and destruction of files and data carriers
  • Remote maintenance of IT and medical technology

Moreover, difficulties often arise not only for the client, but also for the service provider when dealing with differentiated legislation. IT service providers specialising in hospitals, for example, must bear in mind that different rules may apply depending on their location or legal form. The same applies in the case of research institutions.

We support our clients in particular in the legally compliant drafting of processing contracts and confidentiality obligations.

Transfer of patient data to third parties only possible under stringent conditions

The mere possibility of inspection by employed persons within an organisation is subject to stringent conditions. Should hospitals and clinics wish or need to transfer patient data to third parties such as the public prosecutor’s office and police, the German Medical Review Board of the Statutory Health Insurance Funds (Medizinischen Dienst der Krankenkassen) or research institutions, they must be aware of the requirements associated with such a transfer. In principle, the transfer of sensitive health data to third parties is only permitted if the patient has expressly consented or there is a legal basis for the transfer. Of particular relevance here is Book 5 of the German Social Code (SGB V).

Are you unsure whether the requirements of a legal basis for data transfer are met? Do you not know how to deal with your patients’ data? What must be considered when transferring patient data between the doctor and the hospital or the clinic and the research institution?

We know the pitfalls and ensure legally sound solutions in the interests of our clients.

Designing IT contracts with particular precision

If individual processing activities involving healthcare data are to be outsourced or if regular maintenance of the systems is required, then the precise design of the contracts must be ensured, particularly at service level. Integrity, confidentiality and availability of data are of particular importance in the healthcare sector. Rapid response times, low failure rates and correct information may determine the success of a treatment or could even be life-saving. Only if adequate agreements are made and complied with can correct diagnoses be made and appropriate treatments administered.

We contractually ensure the basic principles of secure and, above all, reliable data processing at service level for our clients and for the benefit of data subjects.

The purpose limitation principle against a background of research exemptions

In principle, personal data may only be processed for the purpose for which it was originally collected (purpose limitation principle). Despite research exemptions, very strict legal requirements exist in the field of data processing for research purposes which are reflected in special statutes and some sector-specific national regulations.

The German Data Protection Act, for example, states that healthcare data which is to be processed for the purposes of scientific research must be anonymised wherever possible. However, a 2013 study showed that 4 to 5 blood sugar or cholesterol readings from around 60,000 patients are sufficient to allow unambiguous identification of affected individuals.

How, then, is this to be dealt with when anonymisation is not possible at all or is only possible with enormous loss of quality and the research project is still to be carried out? Under what conditions are research institutions allowed to share the data obtained with other scientists? What must be considered for third-party funding studies? May hospitals conduct research using their own patients’ data? How can legally compliant and transparent declarations of consent be created?

These are just a selection of the questions that our clients regularly ask themselves and for which we provide them with legally compliant solutions.

The data protection impact assessment as a continuous process

Due to the extensive processing of special categories of personal data in the healthcare sector, data protection incidents are usually notifiable. Data protection impact assessments (DPIA) offer the opportunity to identify security breaches at an early stage and to implement adequate measures to increase data security.

A DPIA is not a one-off exercise, but a continuous process. Should the details of the corresponding data processing procedure change, it may be necessary to repeat the assessment.

What obligations must be fulfilled in the event of data breaches? How can the risk of a data breach be effectively mitigated? We carry out data protection impact assessments for our clients, document them, develop internal notification procedures and formulate templates so that you know what to do in an emergency.

Information platforms and mHealth as a challenge

The range of e-learning platforms is constantly growing. The healthcare sector is following this example and sees an opportunity here to educate patients and relatives comprehensively and easily (e.g. via an app) about their diagnoses.

Numerous health insurance funds also offer incentives for the use of their own apps and the purchase of fitness wristbands, often without being aware of the data protection requirements in detail.

In addition to the questions already noted, clients must therefore ask themselves further questions: Which technical and organisational measures (TOM) are to be taken? How do I encrypt communication channels in accordance with the law? How must the corresponding IT contracts with service providers be structured?

Our data protection and IT legal experts have many years of experience in this field and will be happy to help you.

Patient requests are requests from data subjects

In the healthcare sector, the majority of requests from data subjects regarding data protection law are requests from patients. Given the high fines that may be imposed, the same care that is taken in the course of treatment must also be applied when responding to requests from data subjects.

What about requests from the patient’s parents or family members? What information may be released, what information must be provided? What statutory legislation is relevant?

We can answer your questions and help you to implement processes for answering requests from data subjects.

Other legal problem areas

  • The use of AI in the healthcare sector, in particular hospitals (e.g. Amazon’s voice assistant Alexa)
  • Telemedical care of patients
  • Right to data portability

Data protection and IT security begin in the waiting room with seemingly simple questions: Is it permissible to call patients by name at all? How do I ensure that hospital patients are not accidentally mixed up without having to put name tags on beds? Seemingly simple questions can, however, have serious consequences. This is all the more true for more complex situations.

The following initial recommendations for action can be formulated:

  • Critical review of transfer of patient data
  • Standards for outsourcing to be taken seriously
  • Monitor the development of new anonymisation technology
  • Implement detailed, easily understandable processes and train employees accordingly

Do you have any questions about healthcare? Our lawyers will be pleased to help you.