On 16 June 2025, the Conference of the Independent Data Protection Authorities of the Federal and State Governments (DSK) adopted a resolution setting out data protection requirements for healthcare practices that use external service providers for online appointment booking and management. The resolution clarifies that outsourcing appointment management to external service providers is permissible as commissioned data processing under Article 28 of the General Data Protection Regulation (GDPR). This does not require patient consent, provided that only data strictly necessary for managing the appointment, including name, contact details, and appointment type, is processed. Blanket transfers of patient master data are prohibited, appointment reminders require explicit consent, and providers must not use patient data for their own purposes. Practices must also ensure timely deletion of calendar entries and implement appropriate technical and organisational safeguards, particularly when data is processed in third countries. Where patients create user accounts with booking platforms, those platforms act as independent controllers and must meet all GDPR obligations, including obtaining consent for health data processing.