All systems operational · 99.98% uptime
← All articles
DSGVO11 min · 17.06.2026

Health data in patient transport: what GDPR Art. 9 actually requires

Diagnoses, prescriptions, destinations — why WhatsApp groups are a fine risk and what applies instead.

A transport operation processes more sensitive data than most businesses realize. Even the simple information "Mr. M. goes to dialysis on Tuesdays" reveals a diagnosis. A destination like "oncology center" does too. And the Muster 4 prescription contains medical details in plain text. All of this falls under Article 9 of the GDPR — the special categories of personal data. Stricter rules apply to this data than to name and address. Anyone who doesn't know them risks fines that can seriously hurt a small operation.

Why ride data is health data

Article 9(1) GDPR initially prohibits the processing of "data concerning health" — and only allows it under certain exceptions. The crux for transport operators: health data is not just the diagnosis itself, but any information that allows a conclusion about someone's state of health.

  • The regular ride to dialysis reveals kidney failure.
  • The destination "psychiatric day clinic" reveals a mental illness.
  • The note "with wheelchair" or "lying down" reveals a mobility impairment.

So it isn't enough to omit the diagnosis. The context itself already deserves protection.

The legal basis you actually need

For transport operators, two exceptions from Article 9(2) are mainly relevant in practice:

  1. Point (h) — processing for the provision of health care. Since medical transport is part of health care, this exception covers carrying out the ride.
  2. Point (a) — explicit consent of the data subject. It is needed wherever processing goes beyond merely carrying out the ride.

Important: the legal basis must be documented. When in doubt, the supervisory authority won't ask whether you worked carefully — but whether you can prove it.

The elephant in the room: WhatsApp and private chat groups

Many operations coordinate rides via WhatsApp groups. That's convenient but highly problematic under data protection law. Several points are critical:

  • Third-country transfer: some operator data sits outside the EU. For health data this is inadmissible without special safeguards.
  • No data processing agreement: you don't conclude a DPA under Article 28 GDPR with a consumer messenger.
  • No access control: everyone in the group sees every message — including the driver who isn't even performing the ride in question.
  • No deletion policy: messages remain on every participant's device, practically indefinitely.

This isn't a theoretical risk. Supervisory authorities have already imposed fines in comparable cases.

What applies instead: the four duties

Anyone who wants to process ride data legally needs four things:

1. Access on a need-to-know basis

A driver sees their own rides — and only those. The dispatcher sees the overall picture, but no more detail than necessary. With health data, role-based access control isn't optional, it's mandatory.

2. Encryption in transit and at rest

Data must be protected both on the transport path (TLS) and at rest (database encryption). An unencrypted Excel attachment by email doesn't meet that.

3. A data processing agreement with every provider

As soon as an external provider — such as software — processes health data on your behalf, you need a DPA under Article 28. Reputable providers supply it without being asked.

4. Deletion policy and logging

You must define when which data is deleted — and log every access so you can provide information in the event of an audit.

The pragmatic path

Data protection in patient transport is no black art, but it tolerates no makeshift solutions built from chat groups and spreadsheets. A system that brings access rights, encryption, logging and deletion policies out of the box and includes the DPA takes most of the work off your hands. That is precisely MITA Base's approach: data protection not as an afterthought, but as the default.

The best first step is an honest look at your own workflows: where does health data leave the building today without anyone in control of it? Every WhatsApp group, every email attachment, every note in the glove box is a candidate. Close these paths and you've already eliminated most of the risk.

Enough reading. See it run.

A 30-minute demo with your real workflows — no sales pressure, promised.

🇩🇪 Hosting Frankfurt · DSGVO Art. 9 · AV-Vertrag inkl.