DSK specifies requirements for data protection
In its resolution of June 16, 2025, the German Data Protection Conference (DSK) formulated specific data protection requirements for the legally compliant use of online appointment booking tools by medical practices, for example doctors' practices and physiotherapy or psychotherapy practices. The background is the increasing outsourcing of online appointment booking to external providers, a process that regularly involves the processing of sensitive personal data. The position paper clarifies when providers of online appointment booking act as processors and when they act as independent controllers, and how data protection can be complied with in each case.
Provider relationships
Many medical practices integrate booking tools via their websites or apps. The DSK distinguishes between two basic models:
- Processing on behalf (processor): If the scheduling tool is used exclusively on behalf of the medical practice, for example as a technically integrated solution without a user account of the provider's own, this constitutes processing on behalf of the medical practice within the meaning of Art. 28 GDPR. In this case, the medical practice remains solely responsible as the controller.
- Independent controller: The situation is different if the company offers its own patient profiles or accounts and thereby collects or processes data independently. It then acts as an independent controller with the corresponding obligations. In certain constellations, the practice and the provider may also be joint controllers.
The central requirement for both models is transparency: patients must be able to clearly recognize whether they are interacting with the medical practice or with an external provider. This applies to both the booking interface and the data protection information in accordance with Art. 13 GDPR.
Impact on the medical practice
Practice management is obliged to carefully examine the respective relationship with the provider. If the system is used as processing on behalf, a contract in accordance with Art. 28 GDPR is mandatory. For providers with their own user accounts and independent data processing, consent under data protection law pursuant to Art. 9 para. 2 lit. a GDPR is additionally required where health data is involved. In the case of joint controllers within the meaning of Art. 26 GDPR, a corresponding joint controller agreement is also required.
Data minimization and transparency
The DSK particularly emphasizes the duty of data minimization. Information on medical conditions, diagnoses or other health data may only be requested if it is absolutely necessary for the selection of a suitable medical appointment. Otherwise, explicit, informed and voluntary consent is required. Mandatory fields for such information are not permitted.
Appointment reminder only with consent
The use of telephone numbers or email addresses for appointment reminders is likewise only permitted with explicit consent. Automated use without prior consent, for example merely because the data was provided anyway during booking, is not permitted. In addition, such use may serve only to remind the patient of appointments, not for any other purpose.
The design of the booking interface must also make it clear whether the patient is being redirected to an external provider. Seamless embedding that makes this unrecognizable for patients is problematic under data protection law.
Data protection requirements for online appointment booking tools
A report published in 2023 by the non-profit initiative “Health Data Protection” analyzed various online appointment scheduling tools and came to critical conclusions. It criticized the fact that many services do not provide sufficiently transparent information about who is responsible for the processing and that some use advertising and tracking technologies even though sensitive health data is processed. The report recommends consistently observing the GDPR and medical and psychotherapeutic confidentiality obligations when choosing a provider.
Impact on online appointment booking providers
Three providers in particular have established themselves on the market: Doctolib, Jameda and Dr-Flex. While Doctolib offers a comprehensive range of digital healthcare services, Jameda combines appointment booking with a rating portal. Dr-Flex, on the other hand, primarily offers technically integrable solutions for practice websites. In all cases, it must be clarified whether the provider acts as a processor on behalf of the practice, as a joint controller or as an independent controller.
The appointment service provided by the associations of statutory health insurance physicians (116117) plays a special role. This is based on Section 75 (1a) SGB V and is used to arrange appointments as required by law, for example with GPs, specialists and psychotherapists. Data processing is carried out by the relevant Association of Statutory Health Insurance Physicians - without advertising, tracking or third-party marketing. There is no provision for integration as with private-sector booking tools. Referrals are based on available capacities, not on individual appointment offers.
Technical and organizational measures
If personal data is processed via online appointment management systems, providers must implement technical and organizational measures in accordance with Art. 32 GDPR - such as encryption, access controls and secure authentication procedures. If there is extensive processing of health data, a data protection impact assessment is required.
Medical confidentiality
There are also clear requirements under professional law: Medical and psychotherapeutic confidentiality, protected by Section 203 of the German Criminal Code (StGB), prohibits the unauthorized disclosure of patient secrets. Appointment management companies may only process health data if the person concerned has given their express consent. In addition, all employees involved must be bound to confidentiality.
C5 attestation?
Please note in particular: According to Section 393 SGB V, providers of cloud-based systems for the processing of health or social data must hold a current C5 attestation (type 1) from July 2024 and a C5 attestation (type 2) from July 2025.
Summary
The resolution of the Data Protection Conference provides important guidance for the legally compliant use of digital appointment booking solutions. Practices must legally classify the roles of the providers involved, provide data protection-compliant information and obtain consent correctly. In short: health data may only be processed on a legal basis or with explicit consent.
Providers of digital appointment management systems are subject to extensive obligations in terms of transparency, data security and purpose limitation, especially where they process data independently. Only those who meet these requirements can contribute to the trustworthy digitalization of the healthcare system.
As lawyers and external data protection officers, we support both healthcare professionals and providers of appointment management tools in ensuring that appointment booking is data protection-compliant and legally sound, from selecting suitable systems and assessing provider roles to drafting consents, data processing agreements and privacy information.
Sources:
- DSK resolution of June 16, 2025: Data protection in appointment management by medical practices
- GMDS, BvD, DVD, GDD & FFD (eds.), practical guide “Dealing with online appointment management systems”