Open access

Right to Copy of Medical Records Free of Charge According to Article 15 (3) Sentence 1 of the GDPR vs. Mandatory Reimbursement of Costs by Patient under National Law

  
30 Sep 2022

Introduction

On May 25th 2018, the Regulation (EU) 2016/679 (known by the abbreviation GDPR), adopted in April 2016, superseded the former Data Protection Directive 95/46/EC and came into force. Article 15 (3) sentence 1 of the GDPR contains the obligation of the controller (i.e. the responsible person) to provide a copy of the personal data undergoing processing to the data subject. Only for any further copies requested by the data subject may the controller charge a reasonable fee based on administrative costs in accordance with Art. 15 (3) sentence 2 of the GDPR. Possibly deviating from this, some provisions of the EU Member States (e.g. in Austria and Germany) include the patient’s general obligation to pay for the cost of copies of their medical record. This leads to the question of the relationship between these national provisions and the EU law.

Both the ranking of the two levels of regulation and the possible deviations contained in the GDPR must be discussed here. At this point, the conceptual difference between the “duplicates of the medical records” according to Section 630g (2) sentence 1 of the BGB and the “copy of the personal data undergoing processing” according to Art. 15 (3) sentence 1 of the GDPR must also be considered. The fact that the German Federal Court of Justice (2022) recently submitted these questions to the ECJ for a preliminary decision offers a timely occasion to discuss these questions.

Right to Copies Under the German Patient Rights Act

With the German Patient Rights Act from 2013 (German Federal Law Gazette I, 2013), the legislature has expressly enshrined a patient’s right to inspect their own medical record in the German Civil Code (BGB). Long before that, the German Federal Constitutional Court and the German Federal Court of Justice had already derived such a right to inspect medical records from the principle of human dignity and the general right to self-determination according to Art. 1 (1) in conjunction with Art. 2 (1) of the Basic Law for the Federal Republic of Germany.

Section 630g (1) & (2) of the BGB (Inspection of the medical records):

“(1) The patient is on request to be permitted to inspect the complete medical record concerning him/her without delay to the extent that there are no considerable therapeutic grounds or third-party rights at stake to warrant objections to inspection. Reasons must be provided for a refusal to permit inspection. Section 811 [BGB] is to be applied with the necessary modifications.

(2) The patient can also request electronic duplicates of the medical records. He/she shall reimburse to the treating party the costs incurred.”

According to Section 630g (1) sentence 1 of the BGB “the patient is […] to be permitted to inspect the complete medical records concerning him/her without delay to the extent that there are no considerable therapeutic grounds or third-party rights at stake to warrant objections to inspection”. This basic statement is supplemented by the right to “electronic duplicates of the medical records” according to Section 630g (2) sentence 1 of the BGB. The emphasis on the electronic form contained therein was only included in the text in the course of the legislative process (German Bundestag’s documents, 17/10488) and prima facie gives the grammatical impression of a restriction. However, this was not intended by the legislature. The patient’s right not only extends to the paper form but also to electronically stored records and data in the form of a file (German Bundestag’s documents, 17/11710).

Based on the German civil law basic rule for the presentation of documents in Section 811 (1) sentence 2 of the BGB (German Bundestag’s documents, 17/10488) the patient must pay the treating person according to Section 630g (2) sentence 2 of the BGB reimbursement for requested copies. The same principle applies to the professional law by the Chambers of Physicians according to Art. 10 (2) sentence 2 of the (Model) Professional Code for Physicians in Germany. According to this, “the patient must be given copies of the documents in return for reimbursement of the costs”. The law does not set an absolute cost limit but corresponding to Section 7 (2) No. 1 of the German Judicial Remuneration and Compensation Act, 0.50 euros per page for the first 50 pages and 0.15 euros for each additional page are generally considered reasonable (Gruner, 2021; Munich I District Court, 2008).

On the one hand, this can result in considerable costs for the patient and thus in individual cases can influence their decision to request copies. On the other hand, the obligation to bear the costs protects the physician from a considerable and at the same time free use of their resources by the patient, which goes beyond the general civil law obligation to enable inspection of documents according to Section 810–811 of the BGB. Compared to the general German data protection law under the former Federal Data Protection Act (before the GDPR came into force), the Higher Regional Court Hamm, for example, gave priority to the special claim according to Section 630g of the BGB. Thus, the principle under the data protection law that information should be free of charge according to Section 34 (8) sentence 1 of the former German Federal Data Protection Act was superseded if the patient wanted to inspect their medical record.

Right to Information and Receipt of Copies According to Regulation (EU) 2016/679 (GDPR)

The GDPR also contains rules on the right to information about personal data. These regulations can contradict national regulations; nevertheless, they have a fundamental application priority (European Court of Justice, 1964). This results from the direct anchoring of the right to information in Art. 15 of the GDPR and the associated conversion of the previous regulations of national data protection law into directly binding (Article 288 (2) of the TFEU) EU secondary legislation.

In accordance with Art. 15 (1) of the GDPR, the data subject has the right to request a confirmation from the controller as to whether personal data relating to them are being processed. If this is the case, such person also has the right to information about the data according to Art. 15 (1) of the GDPR. According to the relevant recital No. 63 sentence 2 of the GDPR, this right expressly “includes the right for data subjects to have access to data concerning their health, for example, the data in their medical record containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided.” In addition to this right to information, Art. 15 (3) sentence 1 of the GDPR obliges the responsible person (i.e. the controller) to provide a copy of the personal data undergoing processing. Art. 4 No. 7 of the GDPR designates any natural or legal person, public authority, agency or other body as “controller” which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the context of health data, this can be the physician in their own practice office, an association for practice of the profession or the legal entity of a hospital or medical care centre. Furthermore, according to Art. 26 of the GDPR, joint responsibility of several practitioners is also possible.

Compliant with Art. 4 No. 1 of the GDPR, “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This is worded very broadly and is intended to provide comprehensive protection for the data subject.

The same also applies to the concept of processing data according to Art. 4 No. 2 of the GDPR. In this context processing “means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

In an information paper on the requirements for data protection in the practice of medicine, the German Medical Association pointed out that a fundamental distinction must be made between a right to information under the EU data protection law and the patient’s right to inspect their medical record (German Federal Medical Association, 2018). On closer inspection, however, it becomes clear that the patient’s wish to have access to their medical record may fulfil both criteria simultaneously. Therefore, both regulations (Sec. 630g (2) sentence 1 of the BGB and Art. 15 (3) sentence 1 of the GDPR) grant the patient’s right to receive copies from their medical data. Deviating from Sec. 630g (2) sentence 2 of the BGB, the claim from the GDPR is not linked to the patient’s obligation to bear the costs. This becomes particularly clear in Art. 15 (3) sentence 2 of the GDPR, according to which the “controller may charge a reasonable fee based on administrative costs for any further[!] copies requested by the data subject.” This principle is also confirmed by Art. 12 (5) sentence 1 of the GDPR, according to which all notifications and measures of Art. 15 to 22 and Art. 34 of the GDPR must be provided free of charge.

In accordance with Art. 12 (5) sentence 2 of the GDPR, the situation is different only for manifestly unfounded or excessive requests from the data subject, in particular because of their repetitive character. For this reason, the obligation to bear the costs already for the first copy under Sec. 630g (2) sentence 2 of the BGB seems to be superseded by the higher-ranked order (Walter/Strobl, 2018) according to Art. 15 (3) sentence 1 in conjunction with Art. 12 (5) sentence 1 of the GDPR. This priority has now also been confirmed by some German courts of lower instance (Dresden District Court, 2020).

Preliminary Ruling Request from the Federal Court of Justice to the ECJ

For a number of years, there has been a discussion in the legal literature (Bayer, 2018; Hahn, 2019; Hartwig & Schäker, 2020; Walter & Strobl, 2018) as to whether the obligation to bear costs anchored in Sec. 630g (2) sentence 2 of the BGB is a permissible national deviation within the meaning of Art. 23 (1) of the GDPR. In a decision from 2020, the Austrian Supreme Court of Justice assumed that a comparable Austrian regulation on the obligation to bear costs falls under the possibility of limitation according to Art. 23 (1) lit. e of the GDPR. In accordance with Art. 23 (1) lit. e of the GDPR, the Member State law, which the data controller or processor is subject to, may restrict by way of a legislative measure the scope of the obligations and rights provided for in Art. 12 to 22 and Art. 34 of the GDPR when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard a Member State’s financial interests, including public health and social security. However, in this case a submission by the Austrian Supreme Court of Justice to the ECJ was not made (2020).

Sec. 17a (1) & (2) lit. g of the Vienna Hospital Act 1987 (unofficial translation):

“(1) The legal entity of the hospital has to ensure that the rights of the patients in the hospital are observed and that the patients are able to exercise their rights in the hospital, taking into account the purpose of the hospital and the range of services.

(2 lit. g) This applies in particular to the following patient rights: the right to access the medical history or to have a copy of the medical history made against reimbursement of costs.”

In Germany, on the other hand, there has not yet been a decision by a Federal Court about the relationship between Sec. 630g (2) sentence 2 of the BGB and Art. 15 (3) sentence 1 in conjunction with Art. 12 (5) of the GDPR. Nevertheless, now such a legal dispute has reached the German Federal Court of Justice. This lawsuit concerns a patient’s claim against their dentist for a free copy of all of their medical record held by the defendant. In this way, the plaintiff wants to receive the necessary documents to examine possible claims for damages due to an alleged incorrect treatment. The defendant believes that they only have to provide a (full) copy of the patient’s record in return for reimbursement of costs.

In 2022, the German Federal Court of Justice suspended the proceedings and submitted them to the ECJ for a preliminary ruling on the scope and possible exceptions to the right to information in accordance with Art. 15 of the GDPR. First, the German Federal Court would like to know whether Art. 15 (3) sentence 1 in conjunction with Art. 12 (5) sentence 2 of the GDPR should be interpreted so that a request for a copy of the medical record is “excessive” if the copy is not requested for data protection purposes mentioned in recital 63 of the GDPR but serves to assert claims for damages against the physician. Secondly, the Court asks the ECJ to decide whether the obligations and rights resulting from Art. 15 (3) sentence 1 in conjunction with Art. 12 (5) of the GDPR can be restricted in accordance with Art. 23 (1) lit. i of the GDPR by a national regulation that (1) was enacted before the GDPR came into force and (2) that always and independently of the specific circumstances of the individual case provides a reimbursement claim by the physician against the patient if a copy of the patient’s personal data from the patient’s record is handed over by the physician. In addition, the German Federal Court of Justice would like to know whether Art. 23 (1) lit. i of the GDPR is to be interpreted in such a way that the “rights and freedoms of other persons” mentioned there also include their interest in the reimbursement of the costs for issuing a copy of the data in accordance with Art. 15 (3) sentence 1 of the GDPR and other costs for the provision of the copy.

In contrast to the argumentation of the Austrian Supreme Court of Justice from 2020, the alternative reason for a restriction, “financial interests, including public health and social security”, according to Art. 23 (1) lit. e of the GDPR was not addressed at all in the German referral decision. On the one hand, this could be due to the respective national financing structure of the health care system. On the other hand, an obligation to bear the costs for copies of medical records based solely on “important economic and financial interests in the area of public health and social security” is likely to be significantly less promising than the path chosen by the German Federal Court of Justice via Art. 23 (1) lit. i of the GDPR. Finally, the German Federal Court of Justice would like to know from the ECJ whether Art. 15 (3) sentence 1 of the GDPR justifies a right to the transfer of copies of all parts of the patient record containing the patient’s personal data in the physician-patient relationship, or whether the patient only has a right to obtain a copy of the personal data as such, allowing the physician to compile such data according to their own views.

Sec. 630g (2) Sentence 2 of the BGB as Permissible Limitation of Art. 15 (3) Sentence 1 of the GDPR

Interests in Receiving Personal Data that Deviate from Recital 63 of the GDPR as “Excessive Requests” within the Meaning of Art. 12 (5) Sentence 2 of the GDPR

It would be conceivable to restrict the claim from Art. 15 (3) sentence 1 of the GDPR according to Art. 12 (5) sentence 2 of the GDPR with the argument that the patient does not want to receive the copy for any data protection purposes, but to prepare for a claim for damages against the physician. This consideration could be based on the fact that, in the case of excessive requests, the persons obliged to provide information may demand a reasonable fee, considering the administrative costs for providing the information or notification or taking the requested measure, in accordance with Art. 12 (5) sentence 2 lit. a of the GDPR.

Two approaches are conceivable for this route. Primarily, it is conceivable that recital 63 sentence 1 of the GDPR should be viewed as a restriction of the right to information under Art. 15 (3) sentence 1 of the GDPR. Recital 63 sentence 1 of the GDPR states that a data subject should have the right of access to personal data which have been collected concerning them, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. One could deduce from this that a request for copies in order to prepare a claim for damages is not covered by the protective purpose of Art. 15 (3) sentence 1 of the GDPR. A similar argument was recently used by the Regional Social Court of North Rhine-Westphalia (2021) for the relationship between Art. 15 (3) of the GDPR and the granting of procedural file inspection in the form of a right to free delivery of a CD-ROM with all administrative processes requested by the plaintiff. However, what speaks against this view is that the wording of Art. 15 (3) sentence 1 of the GDPR itself does not contain any such restriction of the motivation for the request (German Federal Court of Justice, 2022).

The purpose of the right to information (recital 63 sentence 1 of the GDPR: creating awareness of data processing and the possibility of checking legality) can also be achieved if the request is motivated by another intention (German Federal Court of Justice, 2022). Therefore, it does not matter for what purpose the right to information is asserted against the treating physician (Balke, 2022).

Another approach to excluding the right to a free copy of the medical record from Art. 15 (3) sentence 1 of the GDPR could be based on the fact that the patient’s request could be assessed as an “abusive practice”. “It is settled case-law that there is, in the EU law, a general legal principle that the EU law cannot be relied on for abusive or fraudulent ends” (ECJ, 2019, 2018, 2017).

However, the above statements on the scope of the claim from Art. 15 (3) sentence 1 of the GDPR would also argue against such an argument. It should also be considered that the patient has a right to information about any treatment errors acc. to German treatment contract law in accordance with Sec. 630c (2) sentence 2 of the BGB: “If circumstances are recognisable for the treating party which give rise to the presumption of malpractice, they [the physician] shall inform the patient thereof on request or in order to avert health risks.” It, therefore, seems doubtful to consider the motivation of a patient who requests copies in order to assert a right to information to which he is entitled under national law to be an abuse of Union law only because, contrary to national law, access to copies is granted free of charge.

An obligation for the patient to bear the costs of the copy also cannot be justified by Art. 15 (4) of the GDPR. According to that provision, the right to obtain a copy referred to in Art. 15 (3) of the GDPR “shall not adversely affect the rights and freedoms of others”. However, the restriction does not relate to the question of the cost burden, but to the content of the data and the unreasonableness of the copy transmission itself (Hahn, 2019). This understanding is supported by the fact that recital 63 sentence 5 of the GDPR mentions “trade secrets or intellectual property and in particular the copyright protecting the software” as an example (Walter & Strobl, 2018).

Admissibility of National Restrictions within the Meaning of Article 23 of the GDPR Already Having Existed before the EU law came into force

It is arguable whether Art. 23 of the GDPR also covers such regulations from the national law of the member states that already existed when the GDPR came into force. If this is not the case, neither Sec. 630g (2) sentence 2 of the BGB from 2013 nor Sec. 17a (1) & (2) lit. g of the Vienna Hospital Act 1987 would be a suitable basis for a restriction of the obligations and rights provided for in Articles 12 to 22 and Article 34 of the GDPR. Especially the fact that Art. 23 of the GDPR requires an examination of proportionality by the national legislature could speak against an application of the deviation option to older regulations originating from the time before the GDPR came into force.

With a view to a need for a proportionality test, the Austrian Supreme Court of Justice (2020) also overturned the decision of the lower court and referred it back for retrial. However, the Supreme Court of Justice related the proportionality test solely to the statutory provision itself and not to whether the national legislature carried out such a proportionality test when this provision was issued. The question of whether Art. 23 of the GDPR also covers older regulations as stated was not discussed by the Austrian Supreme Court of Justice at all. Rather, this result was simply presupposed in its substantive discussion of Sec. 17a (1) and (2) lit. g of the Vienna Hospital Act 1987 in the decision. The German Federal Court of Justice (2022), on the other hand, did not take this point for granted and therefore submitted it to the ECJ as a question.

The wording of Art. 23 of the GDPR does not exclude its applicability for Sec. 630g (2) sentence 2 of the BGB from 2013 or Sec. 17a (1) and (2) lit. g of the Vienna Hospital Act 1987 and comparable older national regulations. However, a sufficient proportionality test by the legislature within the meaning of Art. 23 of the GDPR could be precluded by the fact that at the time of enactment of Sec. 630g (2) sentence 2 of the BGB in 2013 the Directive 95/46/EC “on the protection of individuals with regard to the processing of personal data and on the free movement of such data” (the precursor to GDPR) was still in force.

Article 12 lit. a of this Directive included the principle that when a right to information was asserted, only an obligation to bear “excessive expense” was excluded, but there was no provision for complete freedom from costs. Due to the “new” complete freedom from charge according to the GDPR since 2018, the physician who is obliged to provide information is now more heavily burdened. These circumstances could not be fully taken into account in 2013. However, it must be considered that the right to information from Sec. 630g (2) of the BGB is the codification of a principle that case law developed directly from fundamental rights.

The German legislator also explicitly emphasised the constitutional connection of the provision in the explanatory memorandum to the law (German Bundestag’s documents 17/10488). Since it has linked the right to copies of the medical record in the German codification to an obligation to reimburse costs, it can be assumed that sufficient balancing of the fundamental rights and freedoms of the patient with the interests of the person obliged to provide information has been carried out (German Federal Court of Justice, 2022). On the other hand, a balancing decision by the national legislature can also be seen in the fact that the obligation for the patient to bear the costs was not changed in the national (German) GDPR Amendment Act (Gruner, 2021). Ultimately, this is a case of regulation by non-regulation. Under these conditions, Art. 23 of the GDPR should also allow restrictions through older national laws in principle.

Sec. 630g (2) Sentence 2 of the BGB as Permissible Limitation within the Meaning of Art. 23 (1) lit. i of the GDPR

Section 630g (2) sentence 2 of the BGB could be a restriction permitted under the EU law within the meaning of Art. 23 (1) lit. i of the GDPR. For this purpose, the national regulations must serve to protect the data subject or the rights and freedoms of others. On the one hand, it is already debatable whether the term “other person” also includes the controller itself within the meaning of Art. 4 No. 7 of the GDPR (Johannes & Richter, 2017). Ultimately, this would considerably expand the possibility for national legislators to limit the obligations under the GDPR (Johannes & Richter, 2017).

On the other hand, it is doubtful whether the rule stated in Sec. 630g (2) sentence 2 of the BGB that the patient has to bear the costs is a “necessary and proportionate” restriction of the Union law principle of freedom from costs to protect the “data subject or the rights and freedoms of others”. Firstly, there is the fact that Section 630g (2) sentence 2 of the BGB does not contain any differentiation according to the circumstances of the individual case. Considering the German regulation, the patient would ultimately have to bear the costs even if the burden associated with being free of charge was actually reasonable for the treating side. It is not apparent why exactly the opposite of Art. 15 (3) sentence 1 of the GDPR, regulated in Sec. 630g (2) sentence 2 of the BGB, would be more appropriate and better suited to protect the rights and freedoms concerned (Gruner, 2021).

Secondly, it can be assumed that the European legislature had in mind the economic burdens associated with the patient’s right to a free copy when enacting Art. 15 (3) of the GDPR (German Federal Court of Justice, 2022). The European legislature obviously did not classify this as fundamentally inappropriate. This understanding is also supported by the fact that recital 63 sentence 2 of the GDPR explicitly mentions “data in the [...] medical records” (Walter & Strobl, 2018; German Federal Court of Justice, 2022) in this context.

Thus, it can be assumed that Art. 23 (1) lit. i of the GDPR does allow national deviations with regard to a patient’s obligation to bear the costs for the first copy in principle (Walter & Strobl, 2018). However, a blanket transfer to the patient side, as is currently provided for in German law, is not suitable to fulfil these requirements (Walter & Strobl, 2018).

Scope of Terms “Copy of the Personal Data” in Art. 15 (3) Sentence 1 of the GDPR and “Duplicates of the Medical Records” in Sec. 630g (2) Sentence 1 of the BGB

The final and, according to the view represented here, the most promising possibility of restricting the right to a free “copy of the (full) medical record” under the GDPR can be derived from the wording of Art. 15 (3) sentence 1 of the GDPR. Sec. 630g (2) sentence 1 of the BGB expressly grants a patient’s right to “duplicates of the medical records”. In contrast, the controller shall provide a “copy of the personal data undergoing processing” according to Art. 15 (3) sentence 1 of the GDPR. From this difference in wording, it can be deduced that the right to a data copy under the EU law only extends to the entire medical record if this is necessary for the fulfilment of the obligations under Art. 15 (3) sentence 1 of the GDPR (Gruner, 2021; Piltz & Zwerschke, 2021; Bayer, 2018). Otherwise, the physician (controller) already fulfils their duty by simply copying the data. However, due to the broad understanding of the term “personal data” according to Art. 4 No. 7 of the GDPR, this should also be very extensive in practice.

Conclusions

The forthcoming decision of the ECJ on the relationship between Art. 15 (3) of the GDPR and the patient’s obligation to bear the costs for a copy of the medical record under national law is eagerly awaited. The submission by the German Federal Court of Justice gives the ECJ the opportunity to clarify a large number of legal issues in the context of Articles 12, 15 and 23 of the GDPR. Although the decision will be based on German law as an example, its justification will also be important for the legal systems of other EU member states.

However, since the questions referred by the Federal Court of Justice are interdependent, it is possible that the ECJ cannot answer some questions because they are excluded by the answer to a preliminary question. This concerns in particular the suitability of Sec. 630g (2) sentence 2 of the BGB as a restriction within the meaning of Art. 23 (1) lit. i of the GDPR. Should the ECJ, contrary to the view represented here, affirm this, the scope of the term “copy of the personal data” according to Art. 15 (3) sentence 1 of the GDPR is no longer relevant in the context of German medical records. In any case, it is to be hoped that the ECJ will create far-reaching clarity for legal practice with its decision on the obligation to bear costs, so that physicians and hospitals can deal with the corresponding claims of patients more securely in the future.