Will patients’ personal data be better protected?

Patrycja Rejnowicz-Janowska

On December 11, 2023, the President of the Personal Data Protection Office (hereinafter "PUODO") approved the "Code of Conduct for the Health Sector" (hereinafter the "Code"), developed by the Polish Federation of Hospitals. It is the first document in Europe to cover both public and private entities in the medical sector.

Legal basis for issuing the Code

The legal basis for issuing the Code is Art. 40 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter "RODO", the Polish acronym for the GDPR), according to which "Member States, supervisory authorities, the European Data Protection Board and the Commission shall encourage the drawing up of codes of conduct to assist in the proper application of this Regulation, taking into account the specificities of the various processing sectors and the particular needs of micro, small and medium-sized enterprises."

Adequate level of protection of patients’ personal data as an objective of the Code

The Code is a set of principles and guidelines aimed at raising the level of personal data protection. One of its main objectives is to guarantee an adequate level of protection for Patients in connection with the processing of their personal data, with particular emphasis on the protection of Patients' health and life as goods of paramount importance.

Implementation of the principle of accountability

The introduction to the Code states that applying the document is a circumstance confirming compliance with the obligations that the RODO imposes on Data Controllers and Processors operating in the healthcare provider market. In practice, this means that the Code will serve to implement the principle of accountability in the medical sector.

Procedure for joining the Code

Accession to the Code by a public entity requires the submission of an application (at least in electronic form) addressed to the Monitoring Entity[1]. In it, the entity declares that it meets the requirements of the Code.

The application includes:

  • a questionnaire relating to the individual obligations under the Code,
  • a positive opinion issued by the Data Protection Officer (if appointed) or another entity with appropriate expertise in the field covered by the Code, confirming compliance with the requirements of the Code,
  • an indication of how compliance with the Code will be monitored further.

The next step is to undergo a preliminary audit by the Monitoring Entity and receive a positive assessment of the entity's ability to apply the provisions of the Code. This readiness is then monitored systematically, for example through monitoring surveys, telephone interviews or site visits.

Is it worth joining the Code?

Adherence to the Code is voluntary and does not involve membership in any organization (in fact, any healthcare provider can join the Code).

According to the PUODO announcement, "entities that apply it can have a guarantee of the correctness of the use of certain solutions approved by the supervisory authority. They can also count on supervision of personal data processing based on the monitoring mechanisms described in the Code. It is also not insignificant that under the RODO, the supervisory authority, when considering imposing a penalty on an entity, must take into account in each case whether the entity is correctly applying the approved code of conduct."[2] [emphasis added].

Helpful Annexes to the Code

In passing, it is worth adding that the Code contains annexes including, by way of example:

  • a template for consent to the processing of personal data,
  • a catalog of data uniquely identifying the person in question, together with an example of a model authorization under Art. 26 para. 1 of the Act on Patients' Rights and the Patient Ombudsman that meets the requirements of the law,
  • principles for dealing with selected situations involving an increased risk of violating patients' rights in connection with the processing of personal data,
  • an example of a risk analysis procedure whose implementation and use ensures a risk-based approach,
  • a list of IT system security features,
  • a list of applicable standards in the area of information security and data protection.

Undoubtedly, the above-mentioned documents can be an important reference in the daily work of the medical sector.

Through the Eyes of the Experts

According to Jabloński Kozminski Lawyers, data protection and cyber security play a key role in the healthcare sector. Adopting the Code can help ensure such security, so it is worth considering joining it. Applying the Code can not only bring the benefits indicated earlier but, above all, can increase patients' confidence in the health care system.

Full text of the Code

You can read the full text of the Code by clicking on the link below:


[1] A monitoring entity is an entity responsible for monitoring compliance with the Code and accredited by the President of the Personal Data Protection Office, meeting the requirements set out in Art. 41 para. 1 and 2 of the RODO.

[2] https://uodo.gov.pl/pl/138/2929 [accessed online 09/02/2024].


Patrycja Rejnowicz-Janowska
Advocate, Senior Associate
+48 22 416 60 04
patrycja.rejnowicz-janowska@jklaw.pl