Medical Law Practice · Health data & patient rights

Health data: protecting your patients, securing your practice.

Health data ranks among the most sensitive categories under GDPR. Healthcare professionals and facilities face heightened compliance obligations. We help you meet them in practice — and we represent patients whose data rights are not being respected.

A reinforced legal framework, concrete risks

Health data is not just another data category.

GDPR classifies health data as a special category of personal data (Article 9). Processing is prohibited in principle, with only narrowly defined exceptions. For healthcare professionals and facilities, this means stricter obligations than in virtually any other sector.

And the consequences of non-compliance match the sensitivity: CNPD sanctions, loss of patient trust, reputational damage, even disciplinary proceedings before the Collège médical if the breach touches on professional secrecy.

Our conviction: GDPR compliance in healthcare cannot be handled by a generalist lawyer. It requires a precise understanding of medical realities, the deontological framework and Luxembourg's law of 24 July 2014 on patient rights and obligations. That is precisely the intersection of our existing GDPR expertise and our medical law practice.

GDPR support for the healthcare sector

Your compliance, concretely and sustainably.

You are a doctor, dentist, pharmacist, physiotherapist, psychologist, laboratory, clinic or care home. You process health data daily — patient records, test results, prescriptions, medical imaging, billing data linked to medical acts. We help you do so in compliance with GDPR and Luxembourg law, without paralysing your operations.


Healthcare GDPR compliance audit

A comprehensive review of your health data processing activities. We identify gaps against GDPR requirements, assess concrete risks and prioritise the actions needed. You leave with a clear diagnosis and a realistic action plan.

In practice — Processing register, legal bases, retention periods, security measures, data flows, processors, DPIA where required.


Operational compliance implementation

We do not stop at the diagnosis. We draft and implement the documents and procedures you need: patient privacy notices, processor clauses, processing registers, procedures for handling patient data requests, data breach notification procedures.

In practice — Ready-to-use documents tailored to your organisation that your team can apply day to day.


Patient records and access rights

Luxembourg's law of 24 July 2014 gives patients extensive rights of access to their medical records. GDPR adds the right to data portability and the right to erasure — with specific limitations in the medical field. We help you handle these requests correctly, within the legal 15-working-day deadline.

In practice — Response procedures, template letters, management of complex cases (personal annotations, third-party data, therapeutic exception).


Data breach: preparation and crisis management

A cyberattack, a file sent to the wrong recipient, unauthorised access: a health data breach is among the most serious incidents under GDPR. Notification to the CNPD within 72 hours, communication to affected patients, corrective measures. We prepare you in advance and assist you in real time if an incident occurs.

In practice — Breach management procedure, emergency assistance, drafting of notifications, coordination with the CNPD.


Staff training

Your medical secretaries, assistants, nurses and technicians handle health data every day. Human error is the most common cause of data breaches. We train your teams on the right reflexes: what to share, with whom, how, and what to do when in doubt.

In practice — Training sessions tailored to your organisation, practical cases from the healthcare sector, reference materials.


External DPO or DPO support

Certain healthcare facilities are required to appoint a Data Protection Officer (DPO). We can fulfil this role externally or support your internal DPO on health data-specific questions.

In practice — External DPO engagement or targeted support for your DPO on healthcare issues.

Your health data, your rights

You have rights over your medical data. We help you exercise them.

Luxembourg's law of 24 July 2014 and GDPR give you concrete rights over your health data. If those rights are not being respected, we can step in.

01. Access to your medical records

You have the right to consult your entire patient record and to obtain a copy (the first copy is free of charge). The healthcare professional has 15 working days to respond. If this right is refused or delayed without valid justification, we intervene to enforce it.

02. Breach of medical confidentiality

Your health data is protected by professional secrecy. If a healthcare professional, facility or third party has disclosed your medical information without your consent and outside the legal exceptions, you can take action. We assess your situation and support you through the available remedies.

03. Misuse of your data

If your health data has been used for unauthorised purposes, shared without a legal basis or retained beyond the permitted periods, you can file a complaint with the CNPD and, if harm has resulted, seek compensation. We guide you through these steps.

04. Trusted person and advance directives

The law of 24 July 2014 allows you to designate a trusted person and to express your wishes regarding your medical care. We help you formalise these choices in the required form.

Frequently asked questions

Your questions on health data.

— For healthcare professionals

GDPR requires a DPO for organisations that process health data on a large scale. A hospital or large laboratory is clearly subject to this obligation. For an individual or small medical practice, the requirement is not automatic, but the CNPD strongly recommends having a data protection point of contact. We assess your situation and advise on the best approach.

Not necessarily. Luxembourg's law of 24 July 2014 and Article 17 of GDPR provide that relevant medical record data cannot be deleted on simple patient request. You have retention obligations linked to continuity of care and your own legal protection. We help you formulate a compliant response that respects both the patient's rights and your legal obligations.

Three immediate priorities: contain the incident (isolate the affected systems), assess the extent of the breach, and prepare the notification to the CNPD within the 72-hour deadline. If the breach is likely to pose a high risk to your patients, you must also inform them. Call us immediately: we manage the emergency with you, from notification through to corrective measures.

This is an essential question that too few healthcare professionals ask. Your software provider is your processor under GDPR. You must have a contract compliant with Article 28, know where your patients' data is hosted and what security measures are in place. We audit this relationship and help you secure it.

The cost depends on the size of your organisation, the number of processing activities and your current compliance level. We work on a fixed-fee basis, quoted after an initial diagnostic. For organisations that want ongoing support, the Lawyer as a Service subscription integrates GDPR within comprehensive legal support.

— For patients

Start by formalising your request in writing. The healthcare professional has 15 working days to respond. If the refusal persists without valid justification, you can refer the matter to the Health Mediation Service or file a complaint with the CNPD. We can support you through these steps.

You have access to your entire patient record, including test results, reports, prescriptions and medical correspondence. Only the practitioner's personal annotations (their reflective notes) and data provided by third parties may be withheld, provided they do not relate to your care or its continuity.

No. Your employer never has access to your detailed medical data. The occupational health physician provides only a fitness certificate, without diagnosis or medical detail. If you suspect unauthorised access to your health data, we can take action.

First contact

Health data: need guidance?

Healthcare professional looking to secure your practice, or patient whose data rights are not being respected — get in touch with our medical law practice. We respond within 24 hours.