Poland’s data protection authority ruled that processing personal data for health research invitations is GDPR-compliant, but raised concerns about the Patient Internet Account.
Data Processing for Research is GDPR Compliant
The President of the Polish Data Protection Office (UODO) has determined that processing personal data to invite individuals to participate in health screenings aligns with the General Data Protection Regulation (GDPR), specifically Article 9(2)(h).
Processing of sensitive data categories is permissible without patient consent when necessary for preventative healthcare purposes. However, such processing must occur under the supervision of professionals bound by confidentiality obligations, according to UODO President Mirosław Wróblewski.
Concerns Regarding the Patient Internet Account (IKP)
The UODO President expressed reservations about current regulations governing the use of the Patient Internet Account (IKP) for delivering preventative health information. While the law provides patients access to preventative health information, it lacks clarity on how medical entities should deliver this information.
Wróblewski stated that legislative changes are needed to enable the IKP to serve as a communication tool for medical entities, including sending research invitations.
Pseudonymized Data and the European Health Data Space
The UODO addressed the handling of pseudonymized data for scientific research, emphasizing the need to align national regulations with the European Health Data Space regulation (2025/327). This regulation allows data to be processed for scientific research in justified and necessary situations.
Data Protection and Minimization Principles
In accordance with Article 89 of the GDPR, the UODO emphasized the necessity of safeguarding the rights and freedoms of individuals whose data is processed. Implementing technical and organizational measures to uphold the principle of data minimization is crucial.
UODO Appeals to Ministry of Health
On September 1, 2025, the UODO asked the Minister of Health to initiate legislative action to establish a legal basis for sharing medical data in a specific encrypted format. This format would prevent reverse decoding by the data recipient while remaining accessible to the data provider.
The Minister of Health has expressed openness to collaboration on this matter, and the UODO is awaiting a response from the Minister of Science.

