Article 9 GDPR: How to Treat Health Data on Websites

2026-04-28

A medical practice offers a contact form and asks visitors to describe symptoms. A psychotherapy practice asks for a short description of the situation. A pharmacy accepts online questions about medication. In cases like these, the website is no longer dealing only with names and email addresses. It may be dealing with health data under Article 9 GDPR.

What the Paragraph Regulates

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

Article 9 GDPR starts with a prohibition. Certain data are so sensitive that they cannot be treated like ordinary contact or address data. Health data are part of this category. They can be direct details, such as a diagnosis, medication, treatment, therapy request or medical report. They can also be indirect details if they allow conclusions about someone’s health.

Article 9 GDPR does not replace Article 6 GDPR. The German Data Protection Conference explains that processing special categories of data generally needs both: a legal basis under Article 6 GDPR and an additional exception under Article 9(2) GDPR. In practical terms, this means that a health-related contact form is not just a longer version of a normal contact form.

The GDPR contains exceptions to the prohibition. These include explicit consent, medical diagnosis, health care, social care, public interest in the area of public health and scientific research. Which exception may fit depends strongly on the purpose, the controller and the safeguards in place.

Who Is Affected

Article 9 GDPR becomes relevant whenever a website collects, transmits or structures information that may have a health connection. For our typical customer groups, this mainly affects these areas:

Not every website in these industries automatically processes health data. A static page with a phone number, opening hours and general text is different from a form that asks for symptoms, diagnoses or files. The concrete function is decisive.

Typical Use Cases

For medical and dental practices, the threshold is reached quickly. A field labelled “your message” can be harmless if visitors only ask about opening hours. It can contain health data as soon as people describe symptoms, medication, reports or treatment wishes. A website should therefore avoid encouraging visitors to enter sensitive details into a general form.

Family doctor practices often add prescription and referral requests. The information that a specific person needs a specific medication can already have a health connection. For a simple website, a clear and data-minimising contact path is often better than a broad medical form that collects everything directly on the website.

Psychotherapy practices and naturopathy practices often deal with sensitive life situations. A first-contact form can quickly include information about psychological stress, diagnoses, family circumstances or therapy goals. Restraint matters here. The website can explain how first contact works without collecting every detail in the form.

For physiotherapy and occupational therapy, typical details include complaints, medical prescriptions, accident consequences or everyday limitations. These are not ordinary service details. A form that only asks for a callback is less intrusive than a form that asks for a diagnosis, a prescription photo and a detailed medical history.

Pharmacies have a different focus. They sell and advise, but they still operate in a sensitive environment. A question about product availability may be ordinary. A question about medication, pregnancy, chronic symptoms or interactions can very quickly touch health data.

Exceptions and De Minimis Rules

Article 9 GDPR does not contain a simple de minimis rule such as “a little health connection does not matter”. The practical difference is whether health data are processed at all, whether the processing is necessary and which exception under Article 9(2) GDPR may apply.

Explicit consent is often the first idea. It can matter, but it is not a universal solution. It must be informed, freely given, specific and demonstrable. The first question remains whether the website needs to collect the data at all. Data protection starts with the decision about which fields exist, not with the checkbox.

For health care, Article 9(2)(h) GDPR can be relevant. In Germany, § 22 BDSG complements this framework and refers to preventive health care, medical diagnosis, care or treatment in the health or social sector. At the same time, § 22 BDSG requires appropriate and specific safeguards, such as access limitations, encryption, pseudonymisation or procedures for reviewing technical measures.

A data protection impact assessment is not automatically required for every small website. The BfDI explains, however, that Article 35 GDPR requires one when processing is likely to result in a high risk. Large-scale processing of special categories of personal data is expressly named as a typical case. For small practice websites, the practical question is therefore whether the website should really process health data at larger scale itself.

Consequences of Violations

Mistakes involving health data are more serious than many ordinary website issues. The problem is not just an incomplete notice text, but particularly sensitive information. Possible consequences include complaints to supervisory authorities, orders to change processes, fines, loss of trust and additional coordination with data protection advisers or chambers.

For small practices, the trust issue is often especially important. Patients expect restraint when health matters are involved. If a website asks too openly for sensitive details, transmits them insecurely or explains the process unclearly, it does not feel professional.

Practical Implementation on the Website

Data minimisation is the starting point for the website structure. A contact form does not need to collect medical details if a callback is enough. An appointment request does not necessarily need a diagnosis. A prescription or report request should not be mixed into a general contact form if a specialist system or a more controlled process is more appropriate.

We structure such websites in line with the requirements of Article 9 GDPR: clear separation between general contact and sensitive requests, minimal form fields, clear instructions for using the form, secure transmission and no permanent storage of sensitive content on our systems. For real booking, video consultation or patient portal workflows, we refer to suitable specialist systems or embed existing providers only as widgets or links.
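The structure described above (separate general contact and callback forms, a closed set of minimal fields, and no retention of submitted content) can be enforced in the form backend rather than left to the page text. The following is an added illustration, not code from this site or any framework it uses: the form specifications, the `validate_submission`, `spec_has_free_text` and `handle_callback` names, the `deliver` hook and the sample submission are all constructed for the example. It rejects submissions that carry unexpected fields, so a free-text box added client-side cannot turn a callback form into a channel for medical details, and it returns a receipt holding only a random ticket id, never the submitted data.

```python
"""Added example: a data-minimising form backend for a practice website.

Two form specifications are defined, a general contact form and a callback
request. Neither contains a free-text field that invites medical details, and
submissions with unexpected fields are rejected instead of being stored.
The callback handler forwards the cleaned request through a pluggable delivery
function and keeps only a random ticket id, never the submitted content.
All names (FormSpec, deliver, handle_callback) are illustrative assumptions.
"""
from dataclasses import dataclass
import re
import secrets
from typing import Callable

# Closed-format patterns: every allowed field must match one, so the form
# itself cannot become an unbounded free-text channel.
PATTERNS = {
    "name": re.compile(r"^[^\d\n]{2,80}$"),
    "phone": re.compile(r"^\+?[0-9 ()/-]{6,25}$"),
    "email": re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$"),
    "time_window": re.compile(r"^(morning|afternoon|evening)$"),
    "topic": re.compile(r"^(appointment|opening_hours|other)$"),
}


@dataclass(frozen=True)
class FormSpec:
    name: str
    required: tuple[str, ...]
    optional: tuple[str, ...] = ()

    @property
    def allowed(self) -> frozenset[str]:
        return frozenset(self.required) | frozenset(self.optional)


# Callback request: who to call and when, nothing about the reason.
CALLBACK_FORM = FormSpec("callback", required=("name", "phone"), optional=("time_window",))
# General contact: an address and a closed topic list, no message box.
CONTACT_FORM = FormSpec("contact", required=("name", "email", "topic"))


class SubmissionError(ValueError):
    pass


def validate_submission(spec: FormSpec, payload: dict) -> dict:
    """Return a cleaned copy containing only allowed, well-formed fields.

    Unknown fields (for instance a 'message' box injected on the client side)
    cause rejection, so sensitive free text never reaches mail or storage.
    """
    unknown = set(payload) - spec.allowed
    if unknown:
        raise SubmissionError(f"unexpected fields: {sorted(unknown)}")
    missing = [f for f in spec.required if not payload.get(f)]
    if missing:
        raise SubmissionError(f"missing fields: {missing}")
    cleaned = {}
    for key, value in payload.items():
        if not isinstance(value, str) or not PATTERNS[key].fullmatch(value.strip()):
            raise SubmissionError(f"field {key!r} is not well-formed")
        cleaned[key] = value.strip()
    return cleaned


def spec_has_free_text(spec: FormSpec) -> bool:
    """True if any allowed field lacks a closed-format pattern (a design check)."""
    return any(f not in PATTERNS for f in spec.allowed)


def handle_callback(payload: dict, deliver: Callable[[dict], None]) -> dict:
    """Validate, hand the request to the practice channel, return a receipt.

    The receipt contains a random ticket id and nothing from the submission,
    so web-server logs or session stores never carry the personal data.
    """
    cleaned = validate_submission(CALLBACK_FORM, payload)
    ticket = secrets.token_hex(8)
    deliver({"ticket": ticket, **cleaned})  # e.g. encrypted mail or practice system
    return {"ticket": ticket, "form": CALLBACK_FORM.name}


if __name__ == "__main__":
    # Constructed sample submissions, not real data.
    outbox = []
    print(handle_callback({"name": "Example Patient", "phone": "+49 30 1234567"}, outbox.append))
    try:
        handle_callback({"name": "Example Patient", "phone": "+49 30 1234567",
                         "message": "I have been diagnosed with ..."}, outbox.append)
    except SubmissionError as err:
        print("rejected:", err)
```

The `deliver` hook is where the practice's own channel plugs in (the text above mentions secure transmission and specialist systems); the point of the design is that everything in front of that hook, including the receipt returned to the browser, stays free of health-related content by construction.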

The boundary matters: we do not decide which legal basis applies to your concrete processing. We build the website so that sensitive data are not created unnecessarily and so the technical components support a data-minimising structure. The legal assessment of a concrete form, specialist system or practice process belongs with data protection advisers, chambers or data protection officers.

Frequently Asked Questions

Are health data only diagnoses?

No. Information about symptoms, medication, treatment, limitations or therapy requests can also be health data if it allows conclusions about someone’s health.

Is a normal contact form on a practice website prohibited?

Not automatically. It depends on what the form asks for, what it encourages visitors to submit and how the input is processed. A callback form with a few fields is different from a form with diagnosis, report upload and medical history.

Is a consent checkbox enough?

A checkbox alone does not solve the issue. First, the practice needs to know whether the data are necessary, which legal basis fits and which safeguards are required.

Should health data be stored in a website database?

For small practice websites, restraint is sensible. Often it is better not to store sensitive content permanently on the website infrastructure and to use specialist systems or direct practice processes instead.

When does a data protection impact assessment become important?

It becomes important when the planned processing is likely to create a high risk. Large-scale processing of special categories of personal data is a typical trigger.

Who should review the concrete setup?

For binding guidance, data protection officers, supervisory authorities, chambers or qualified legal advisers are the right contacts. The website should be structured with data minimisation in mind, but it cannot replace a case-specific review.

Sources

Notice: The respective providers or operators are solely responsible for the content of external links.

  1. [1]
    GDPR.info: "Art. 9 GDPR - Processing of special categories of personal data"
    https://gdpr-info.eu/art-9-gdpr/
  2. [2]
    European Data Protection Board: "Article 9 (Processing of special categories of personal data)"
    https://www.edpb.europa.eu/gdpr-articles/article-9-processing-special-categories-personal-data_en
  3. [3]
    Gesetze im Internet / BMJ: "§ 22 BDSG - Verarbeitung besonderer Kategorien personenbezogener Daten"
    https://www.gesetze-im-internet.de/bdsg_2018/__22.html
  4. [4]
    Datenschutzkonferenz / ULD: "Kurzpapier Nr. 17: Besondere Kategorien personenbezogener Daten"
    https://www.datenschutzzentrum.de/artikel/1216-Kurzpapier-Nr.-17-Besondere-Kategorien-personenbezogener-Daten.html
  5. [5]
    BfDI: "Datenschutz-Folgenabschätzungen und Listen von Verarbeitungsvorgängen"
    https://www.bfdi.bund.de/DE/Fachthemen/Inhalte/Technik/Datenschutz-Folgenabschaetzungen.html
  6. [6]
    European Data Protection Board: "Guidelines 03/2020 on the processing of data concerning health for scientific research"
    https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032020-processing-data-concerning-health-purpose_en