Germany: BfDI statement on Patient Data Protection Bill
The bill aims to provide digital solutions for patients while respecting their personal data. It includes provisions on electronic patient data archiving (“ePA”), which will include sensitive personal data, and is part of the wider project of digitisation in the German health sector. In this respect, the BfDI argued in its statement that the provisions on access management, which allow the insured to decide in a granular manner who is entitled to view parts of the ePA or the ePA as a whole, still need to be improved in order to be considered privacy-compliant. Furthermore, the statement suggests aligning the draft law with Regulation (EU) No. 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (“the eIDAS Regulation”), in order to ensure proper authentication procedures. Finally, the BfDI welcomes the fact that the security of the essential components of the telematics infrastructure is guaranteed by certificates issued by the Federal Office for Information Security (“BSI”).