Right to be Forgotten

Medical record under GDPR

Since 25 May 2018, the right to be forgotten gdpr (GDPR) has been in force for the entire European Union. This law regulates how companies and organizations process your personal data and replaces the Personal Data Protection Act (WFP).

The GDPR strengthens privacy rights and creates more obligations for organizations when processing personal data. What does the GDPR mean for the rights surrounding the medical file?

Right of access

The right to access your medical file does not change under the GDPR. As under the Wbp, you as a patient have the right to inspect your medical file. Except for the personal work notes of the healthcare provider.

The doctor may only refuse access if the privacy of someone other than the patient is harmed by inspection. The doctor must then demonstrate that the privacy of the other person in this case outweighs the interests of the patient.

No costs

A new feature under the GDPR is that the healthcare provider may in principle no longer charge costs for a copy of the medical file. Only if the patient’s request is ‘unfounded or excessive’ may the healthcare provider charge a reasonable fee. For example, with multiple requests or extra copies. The healthcare provider may also refuse the request. Personal work notes of healthcare providers do not fall within the patient’s right of access.

Data portability

A new right under the GDPR is the right to data portability. This means that people have the right to take personal data with them to another (care) provider. This partly applies to the medical file. Personal data that a patient provides actively or consciously, falls under the right to data portability.

This also applies to data that the patient provides indirectly through the use of a service or device. Think of data via a pacemaker or blood pressure monitor. But a doctor’s conclusions, diagnoses, suspicions or treatment plans based on that data are not.

Also read: right to be forgotten process


Another new right under the GDPR is the right to be forgotten. This is the right to be forgotten. The GDPR provides scope for national legislation in this regard. As a result, the right to be forgotten does not, in principle, apply to medical records.

In the Netherlands, the Medical Treatment Agreement Act (Igbo) applies, which shows that a medical file must be kept for 20 years. As mentioned, you may ask the healthcare provider to destroy your data earlier. He must listen to this, unless there are rules (as mentioned earlier) that stipulate that the data must be kept.

What is in a medical record?

According to the KNMG (Royal Dutch Society for the Promotion of Medicine) the following health information should in any case be included in a medical file:

  • Information about the medical treatments.
  • Important data for the continuity of care.
  • Personal data.
  • Written advance directives.


A medical file does not belong to anyone, but the doctor is the administrator. In principle, relatives have no right to inspect the file of a deceased. Medical professional secrecy also applies after death. But in practice, the doctor often gives permission to a bereaved person who had a good relationship with the deceased. 


In addition to prescription medicines, the use of over-the-counter medicines must also be included in the medical file. These are medicines that can be obtained without a prescription. Doctors and pharmacies should regularly ask about this. But it is also wise to pass on the medication yourself. This is important, because a medicine can, for example, work less well if you also take other substances.

Also read:

  • Information from the KNMG about the medical file (professional secrecy) .

Services of the Consumers’ Association

We offer the following services to help with almost all consumer problems. In the case of complaints about the right to inspect a medical file, the assistance required may be slightly different. 

Also read: Right to be Forgotten Meaning