What happened?
A general practitioner in Belgium offered an online registration form on his website for new patients. The form asked for name, address, date of birth, and contact details, but also for medical history, current medication, and allergies.
The problem? The form was a standard website form without adequate security. Data was sent and stored unencrypted. There was no privacy notice linked to the form. And no explicit consent was requested for processing health data.
The supervisory authority discovered the situation after a patient complaint and imposed a fine.
Why this is so problematic
Special category data
Health data falls under the GDPR’s “special category data.” Article 9 prohibits processing this data unless a specific exception applies. For a doctor, that exception exists within the treatment relationship, but all security requirements must still be met.
An online form collecting health data without adequate security violates multiple GDPR principles at once:
- Integrity and confidentiality (Article 5(1)(f)) - the data was not adequately secured
- Transparency (Article 5(1)(a)) - the patient was not properly informed about the processing
- Security (Article 32) - no appropriate technical measures were in place
It was not about the amount of data
This was not a major breach involving thousands of records. It was about how sensitive data was collected: via an unsecured form, without consent, without transparency. The authority emphasised that the sensitivity of the data demands higher security standards.
The lessons
1. Know your data
Understand which data you collect via your website. A contact form with name and email is very different from a form asking about medical conditions or allergies. As soon as you collect health data or other special categories, stricter rules apply.
2. Secure your forms
Every online form collecting personal data must at minimum:
- Be hosted on a website with TLS (https)
- Store data encrypted
- Have access controls on stored data
- Not forward data via unsecured email
For sensitive data, additional requirements apply: encrypted storage, restricted access, and preferably a secure patient portal rather than an open web form.
3. Inform and obtain consent
Attach a privacy notice to your form. Explain:
- Which data you collect and why
- How long you retain the data
- With whom you share the data
- How the data subject can exercise their rights
For special category data, you often need explicit consent. A pre-ticked checkbox is not sufficient.
4. Use the right tools
A standard contact form plugin is not designed for collecting medical data. Consider:
- A secure patient portal
- A form tool that meets GDPR requirements for sensitive data
- A form that encrypts data locally before submission
Also check where the data ends up. Is it stored with a third party? In which country? Do you have a data processing agreement?
Not just for doctors
This case involved a doctor, but the lesson applies to everyone collecting sensitive data through online forms:
- Physiotherapists and psychologists offering intake forms online
- Gyms asking for health declarations via their website
- HR departments requesting medical information from applicants
- Coaches and therapists with online intake questionnaires
- Insurers handling health declarations digitally
The message is clear: if you collect sensitive data via your website, make sure security and transparency are in order.
Check your own forms
Take a critical look at your website. Which forms do you have? What data do you collect? Where is it stored? Is the connection secure? Do you have a privacy notice? These are questions you can answer today.
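As an added example (not from the article, and not GDPRWise's scanner), the following stdlib-only Python checker turns lessons 1 to 3 and the questions above into a first automated pass over a page's HTML: it finds every form, flags submission over plain http://, spots field names that suggest special-category (health) data, and for those forms checks that a privacy notice is linked and that a consent checkbox exists and is not pre-ticked. The keyword list, the host name example.invalid and the sample HTML are constructed for illustration; what happens to the data after submission (encrypted storage, access controls, no forwarding by email) still has to be reviewed on the server side.

```python
"""Audit HTML forms for the issues described in the Belgian GP case.

Added example, not part of the original article or of any product.
The health keyword list and the sample page below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field-name fragments that suggest special-category (health) data; constructed list.
HEALTH_KEYWORDS = ("medical", "medication", "allerg", "diagnos", "health", "condition")


@dataclass
class FormInfo:
    action: str                                   # absolute submission URL
    fields: list = field(default_factory=list)    # (name, type, pre-checked?)
    links: list = field(default_factory=list)     # (href, link text) inside the form


class FormCollector(HTMLParser):
    """Collect every <form>, its input fields and the links it contains."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.forms: list[FormInfo] = []
        self._current: FormInfo | None = None
        self._in_a = False
        self._a_href = ""
        self._a_text: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # bare attributes such as "checked" map to None but are present
        if tag == "form":
            self._current = FormInfo(action=urljoin(self.base_url, a.get("action", "")))
        elif self._current is not None:
            if tag in ("input", "textarea", "select"):
                self._current.fields.append(
                    (a.get("name", ""), (a.get("type") or "text").lower(), "checked" in a))
            elif tag == "a":
                self._in_a, self._a_href, self._a_text = True, a.get("href", ""), []

    def handle_data(self, data):
        if self._in_a:
            self._a_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            self._in_a = False
            if self._current is not None:
                self._current.links.append((self._a_href, " ".join(self._a_text).strip()))
        elif tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_form(f: FormInfo) -> list[str]:
    """Return human-readable findings for one form (empty list = nothing flagged)."""
    findings = []
    scheme = urlparse(f.action).scheme
    if scheme != "https":
        findings.append(f"submits over {scheme or 'unknown scheme'}, not https: {f.action}")
    # Checkboxes, hidden and submit controls carry no free-text health data themselves.
    health = [n for n, t, _ in f.fields
              if t not in ("checkbox", "hidden", "submit")
              and any(k in n.lower() for k in HEALTH_KEYWORDS)]
    if health:
        findings.append("collects special-category (health) fields: " + ", ".join(health))
        if not any("privacy" in h.lower() or "privacy" in t.lower() for h, t in f.links):
            findings.append("no privacy notice linked from the form")
        consent = [(n, c) for n, t, c in f.fields if t == "checkbox" and "consent" in n.lower()]
        if not consent:
            findings.append("no explicit consent checkbox")
        elif any(c for _, c in consent):
            findings.append("consent checkbox is pre-ticked (not valid explicit consent)")
    return findings


def audit_html(html: str, base_url: str) -> list[tuple[str, list[str]]]:
    """Parse a page and return (action URL, findings) for each form in document order."""
    collector = FormCollector(base_url)
    collector.feed(html)
    return [(f.action, audit_form(f)) for f in collector.forms]


# Constructed sample page: a registration form like the one in the case, a better
# intake form behind a portal path, and a plain contact form.
SAMPLE_HTML = """
<html><body>
<form action="http://example.invalid/register" method="post">
  <input name="full_name"> <input name="date_of_birth">
  <textarea name="medical_history"></textarea>
  <input name="current_medication"> <input name="allergies">
</form>
<form action="/portal/intake" method="post">
  <input name="full_name"> <input name="allergies">
  <input type="checkbox" name="consent_health_data">
  <a href="/privacy">Privacy notice</a>
</form>
<form action="/contact" method="post">
  <input name="email"> <textarea name="message"></textarea>
</form>
</body></html>
"""

if __name__ == "__main__":
    for action, findings in audit_html(SAMPLE_HTML, "https://example.invalid/"):
        print(action, "->", findings or ["no findings"])
```

Running the block prints four findings for the plain-http registration form, one (health data, but notice and consent present) for the portal intake form, and none for the contact form; pointing the collector at a real page's HTML source is a matter of swapping in the page text and its URL.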
GDPRWise scans your website and automatically detects which personal data you collect through forms, cookies, and third parties, and provides tailored advice.