GDPR documentation for a healthcare provider

QUESTION

While working on new materials – forms for clients of our center, I encountered the question of whether a healthcare provider falls under the GDPR regulation. If possible, please provide an explanation. We want to incorporate GDPR into our Terms and Conditions, which will also include premium services paid by clients.

ANSWER:

Every healthcare provider falls under the GDPR regulation.

A healthcare provider, like any other legal entity (e.g., LLC, joint-stock company, foundation, association, municipality, etc.), is considered a “data controller” according to Article 4, point 7 of the GDPR. A data controller is defined as “a natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data.”

If certain data is processed without the patient’s consent, it does not mean that the GDPR does not apply. Instead, it means that the data may be processed on a legal basis other than consent (the GDPR outlines five other legal bases for processing).

According to the GDPR and Act No. 18/2018 Coll. on the protection of personal data, it is not mandatory for general terms and conditions to include provisions related to data protection (i.e., provisions concerning rights and obligations under the GDPR and Act No. 18/2018 Coll. on personal data protection). However, it is standard to include such provisions in the Terms and Conditions, and we would recommend this approach as well.

From the perspective of personal data protection, the Terms and Conditions (VOP) contain provisions that fulfill the so-called information obligation under Articles 13 and 14 of the GDPR. This information obligation can be incorporated into the Terms and Conditions (so the patient will be informed about data protection as part of the VOP), but it is also possible to fulfill this obligation in other ways. For example, you can provide the information about personal data processing in a separate document, which the client with whom you plan to enter into a contract will acknowledge by signing, confirming that they have been informed. Generally, signing either a separate document for the information obligation or a contract referencing the VOP is not mandatory in order to fulfill the information obligation, but it is practical in case you need to prove compliance with the obligation in the future. Another option is to incorporate into the VOP a web link to the full text of the information obligation, which would be published on your website. In the case of an inspection, you would need to demonstrate that the patient had access to this information at the time the service was provided (i.e., that it was published and that the patient was notified of it in the VOP).

In general, when collecting personal data from a client – a natural person, the client must be informed about how their personal data will be processed. It is also important to be able to demonstrate to the supervisory authority that you have fulfilled your information obligation towards the client.

From this perspective, it is advisable for the information obligation to be directly included in the VOP, so that by signing the contract, which includes the VOP, the client simultaneously confirms that they have been informed about the information obligation and that the information has been provided to them.

JUDr. Veronika Michalíková, MBA