There has been much discussion in recent weeks about whether doctors are still allowed to call their patients by their names. Many media and also alleged GDPR experts saw here a offence against the data security basic regulation (GDPR). But does this opinion also correspond to the facts?
GDPR scope of application
Does the GDPR cover this area at all? Doctors must certainly adhere to the principles of the GDPR. Since medical data is regarded as particularly worthy of protection according to GDPR article 4, paragraph 15, physicians are subject to a special duty of care when handling personal data.
The basic data protection regulation does not cover all areas, but is limited to the following areas according to GDPR article 2 paragraph 1.
The storage of personal data in a medical record is legitimised by GDPR article 6 paragraph 1 and is explicitly required by the legislator through the documentation obligations. This processing is therefore undisputed. Calling patients, on the other hand, can be regarded as processing in the sense of the GDPR, but since the call is not automated, it would only be inadmissible if it were or is to be stored in a “file system”. Since a waiting room certainly cannot be regarded as a file system, the GDPR does not apply in this case.
GDPR Processing of personal data
Contrary to popular belief, the processing of personal data is permitted in several cases. GDPR article 6 defines several exceptions that allow processing. The main processing grounds for doctors are defined in article 6 paragraph 1.
If the patient concerned has given his consent to the processing, it is permissible. The receptionist can therefore obtain the patient’s verbal consent to be called by name.
The naming of the patient by a doctor or a doctor’s assistant can be regarded as part of the contract between the doctor and the patient. A system with waiting numbers would also be possible, but it can be assumed that patients do not want to be “just any number”.
If it is important to you not to be called by name, you can deposit this at the registration.
The fact that doctors are no longer allowed to call their patients by name must be regarded as a myth. In fact, the GDPR does not apply in this case. If the scope of the GDPR is changed in the future, the call is further covered by corresponding exceptions.
This case shows once again that the DSGVO is a complex matter. The regulation puts data protection in the foreground, but the influence does not apply to all areas of life. Without external support, most companies find it difficult to cope with the scope of the DSGVO. With the help of this software, companies of all sizes (from sole proprietors to corporations) can quickly and easily take the necessary steps to meet the requirements of the DSGVO with pinpoint accuracy. With easyGDPR, you are guided step-by-step through the process. So you can create the required DSGVO processing directory without prior knowledge. Furthermore, you will be shown all the necessary measures to bring your company into compliance with the basic data protection regulation. You benefit from our many years of experience and proven expert knowledge.