Belgian DPA clarifies the interaction between Belgian Patient's Rights Law and GDPR


In its decision of 6 July 2022, the Belgian Data Protection Authority (BDPA) issued a reminder of the limits attached to the right of access and the right to rectification of medical records. Available in Dutch, this decision also puts into perspective that the medical record is not primarily a collection of personal data; it is above all the physician’s work tool. We have set out below a summary of this decision and provided some key takeaways.


The subject matter of the complaint concerns the medical report drawn up in connection with the course of treatment followed by the plaintiff with the defendant. The treating psychologist refused to provide the plaintiff with a copy of the final report. As a result, he/she filed a complaint with the BDPA alleging that he/she was provided with an incomplete answer because his/her right to full access to the medical report was not granted or at least was very limited. He/she also indicated that he/she had exercised his/her right of access under Regulation (EU) 2016/679 (GDPR), since in his/her opinion this right offers broader protection than the right of access under (Article 9(2) of) the Belgian law of 22 August 2002 concerning the rights of the patient (“Patient’s Rights Law”).

In addition, the plaintiff stated that he/she had the right to be involved in the consultation and decision-making process of such a report and the right to inspect, correct and/or supplement, if necessary, delete or revoke such a report from all parties involved.

The BDPA ultimately decided to dismiss the complaint for the reasons expressed below.

Regarding the right of access

The BDPA found that the right of access in the Patient’s Rights Law is indeed more limited than the right of access under the GDPR. However, this right under the Patient’s Rights Law is in accordance with the GDPR, since the latter provides for the possibility to restrict the right of access in a European or national regulation that meets the conditions referred to in article 23 of the GDPR to protect the data subject or the rights and freedoms of others. After all, both the patient and the healthcare professional (HCP) must be protected.

The BDPA then recalled that the right to information and access (under the GDPR) and the right of access (under the Patient’s Rights Law) are not absolute. The limitation in the Patient’s Rights Law concerning the right to information and inspection is related to the fact that the information is not communicated, and access is not granted to the patient if this would cause “evidently serious harm to the patient’s health”. Ultimately the plaintiff was granted access but was denied access to the medical report in question.

As pointed out by the BDPA, it is not the BDPA’s role to intervene in the treating psychologist’s assessment of whether or not to provide a medical report to a patient. The HCP needs to judge this in the interest of the patient.

In this case, the HCP refused to provide the patient with the medical report. The right of access was thus limited (under the Patient’s Rights Law) with a view to protecting the patient (in accordance with article 23(1)(i) of the GDPR). This is expressly confirmed in (Article 9 of) the Patient’s Rights Law. The HCP is also protected by the limitation of the right of inspection since the HCP must be free to record his diagnosis and findings in the medical report.

Regarding the right to rectification

With regard to the plaintiff’s intention to exercise his/her right of rectification in respect of allegedly “erroneous assumptions and/or diagnoses” based on “substantive assertions that were partly erroneous”, the BDPA recalled that such a right is exercised in relation to a medical diagnosis made by the controller and of which the plaintiff is the object. In other words, the exercise of this right would be aimed at correcting the medical diagnosis in the relevant final report.

The BDPA considered that such a request was outside the scope of this right. Indeed, such a right is not intended to be able to challenge the accuracy of a medical diagnosis. That right could only be exercised in situations where, for example, mistakes occur in the file because of incorrect processing of personal data.

Once again, the BDPA recalled that the degree of accuracy of the medical diagnosis cannot be assessed by it, which means that it is unable to order the controller to rectify the medical diagnosis.

Some key takeaways

  • The right to information and access (under the GDPR) and the right of access (under the Patient’s Rights Law) are not absolute.
  • Only an HCP is legally competent to examine a person’s health status and required to provide such information as may be necessary to understand the person’s health status.
  • In exceptional circumstances, the HCP may withhold information from the patient if disclosure of the information would clearly cause serious harm to the patient’s health (and if he/she has consulted another HCP). Apart from this exception, the principle remains that the patient must be fully informed, even if the prognosis is serious or fatal.
  • The BDPA is not qualified to intervene in the treating psychologist’s assessment of whether or not to provide a medical report to a patient.
  • The BDPA does not have the competence to assess the veracity of medical diagnoses and, if necessary, to attach an order for their rectification.
  • The medical record is not simply a collection of the patient’s personal data, belonging to the patient. It is also - and probably, above all - the working tool of health professionals, allowing the pursuit of a most legitimate interest: continuity of care.
