Frag-Einen

Ask a lawyer on the topic of Data protection law

How long am I allowed to store personal data?

Dear lawyer,

My name is Verena Ehlert and I work as a physiotherapist in my own practice. In my daily work, I collect a variety of personal data from my patients, such as name, address, medical history, and treatment progress. Now I am wondering how long I am actually allowed to store this data before I have to delete it.

The current situation is that I have so far stored all of my patients' data indefinitely, as I thought this was necessary in case of inquiries or legal disputes. However, I have recently become concerned that I may be violating data protection laws and could face legal consequences as a result.

Therefore, I am wondering if there is a legal regulation that prescribes how long I am allowed to store personal data. Are there differences depending on the type of data, i.e. whether it is medical data or not? What measures can I take to ensure that I comply with data protection regulations and adequately protect my patient data?

Thank you in advance for your help and support.

Best regards,
Verena Ehlert

Irmgard Helbig

Dear Mrs. Ehlert,

Thank you for your inquiry regarding the storage of personal data in your physiotherapy practice. As a lawyer specializing in data protection law, I can assist you and explain the applicable regulations.

In general, the principle of data minimization and purpose limitation applies to the storage of personal data. This means that you are only allowed to store the data of your patients that are necessary for the specific purpose for which they were collected. In the case of your physiotherapy practice, this may include name, address, medical history, and treatment progress.

The specific retention period for personal data is regulated in the Federal Data Protection Act (BDSG). According to § 35 BDSG, you must delete the data after the respective retention period has expired. There are special regulations for medical data, which are defined in the Healthcare Professions Chamber Act or the professional code of conduct for doctors. Typically, the retention period for medical data is at least 10 years after the completion of treatment.

It is important to note that after the retention period has expired, you must not simply delete the data, but securely and permanently destroy it to ensure the protection of patient data. For this purpose, you can rely on professional data destruction companies.

To ensure compliance with data protection regulations and adequately protect patient data, I recommend creating a data protection policy for your practice. This should include provisions on how long you will store the data, who can access it, and what security measures you will take to protect the data. Additionally, you should conduct regular data protection training for your practice team to ensure that all staff members are informed about the applicable data protection regulations.

I hope that this information is helpful to you. If you have any further questions or need assistance with the implementation of data protection regulations, please do not hesitate to contact me.

Sincerely,

Irmgard Helbig, Lawyer
