There has been much discussion in recent weeks about whether doctors should still be allowed to call their patients by name. Many media outlets and supposed GDPR experts saw this as a violation of the General Data Protection Regulation (GDPR). But does this opinion correspond to the facts?
GDPR scope of application
Does the GDPR cover this area at all? Doctors certainly have to comply with the principles of the GDPR. Since medical data is considered to be particularly worthy of protection according to GDPR Article 4 Paragraph 15, physicians are subject to a special duty of care when handling personal data.
The General Data Protection Regulation does not cover all areas. According to GDPR Article 2 Paragraph 1, it is limited to the following:
This Regulation shall apply to the wholly or partly automated processing of personal data as well as to the non-automated processing of personal data which are stored or are to be stored in a file system.
The storage of personal data in a medical record is legitimized by GDPR Article 6 Paragraph 1 and is explicitly required by law through documentation obligations. Therefore, this processing is indisputable. Calling patients by name, on the other hand, can be regarded as processing within the meaning of the GDPR, but since the call is not automated, this would only be inadmissible if storage in a “file system” takes place or is to take place. Since a waiting room is certainly not a file system, the GDPR does not apply to this case.
GDPR processing of personal data
Contrary to popular belief, the processing of personal data is permissible in several cases. GDPR Article 6 defines several exceptions which allow processing. The main processing grounds for physicians are defined in paragraph 1.
Consent granted
If the patient concerned has given his consent to the processing, it is permissible. The receptionist can thus obtain the patient’s verbal consent to be called by name.
Contract fulfillment
Calling by name by the physician or receptionist can be considered part of the contract between the physician and the patient. Although a system with waiting numbers would also be possible, it may be assumed that patients do not want to be “just any number”.
If it is important to you not to be called by name, you can leave your name at the registration.
Conclusion
The claim that physicians are no longer allowed to call their patients by name should be considered a myth. In fact, the GDPR does not apply in this case. Even if the scope of the GDPR is changed in the future, the call will continue to be covered by appropriate exceptions.
This case shows once again that the GDPR is a complex matter. The regulation puts data protection in the foreground, but its reach does not extend to all areas of life. Without external support, most companies will find it difficult to cope with the scope of the GDPR. easyGDPR offers a remedy: with the help of this software, companies of all sizes (from sole proprietors to corporations) can quickly and easily take the necessary steps to meet the requirements of the GDPR with pinpoint accuracy. With easyGDPR you are guided step-by-step through the process. This allows you to create the required GDPR processing directory without any prior knowledge. Furthermore, you will be shown all necessary measures to bring your company in line with the General Data Protection Regulation. You benefit from our many years of experience and proven expert knowledge.