Context
On 18 December 2025, the Belgian data protection authority (DPA) issued a decision on the merits of a patient’s complaint against a hospital, in relation to the scope of data subjects’ rights and the handling of patients’ electronic health records (EHRs). Given that EHRs are at the heart of hospitals’ daily practice, the case provides an interesting opportunity to review fundamental questions that matter to all data protection practitioners: who is a data subject? What are data controllers’ duties to ensure data protection by design, in respect of the limitation of access to health records and medical files at large?
The factual situation is quite straightforward. The patient, a pregnant mother, is in contact with a physiotherapist who works as a self-employed practitioner at a hospital and happens to be pregnant as well. At some point in time, the patient books an appointment with her, which she later cancels. Nevertheless, the mother and the physiotherapist continue having WhatsApp conversations about their pregnancies. Later, as the mother enquires about the physiotherapist and wishes her well for the childbirth, the physiotherapist replies and confesses in quite plain terms that she had earlier spied on the patient’s record and found out the latter was expecting a girl. Disappointed, the mother replies that she and her husband had preferred not to discover the child’s sex before the birth, and she complains about the misplaced curiosity of the physiotherapist. Less than one month later, the patient submits a data subject access request to the hospital and asks who has been able to access her health record since the beginning of that year. Upon review of the initial response provided by the hospital, the patient notices three occurrences of access to her file and asks what document(s) were accessed. The hospital then acknowledges that the physiotherapist had accessed the NIPT test results, a genetic test that is frequently carried out to detect certain conditions such as Down syndrome and other forms of trisomy in unborn children.
A couple of days later, the hospital terminates the contract with the physiotherapist based on the unauthorized access to medical data and confidential information of a patient in the absence of a therapeutic relationship.
The mother then asked to be compensated for the damage but, as the hospital could not come to terms with her, she later filed a complaint with the Belgian DPA together with her husband and on behalf of the child.
We will discuss three aspects of the decision that can be relevant for data protection practitioners in Europe and possibly beyond.
Personal data of unborn children?
The NIPT test requires a DNA analysis of the mother’s blood, but it reveals information about the child’s health. It is primarily aimed at detecting whether the unborn child suffers from specific diseases but can also determine the sex of the baby and, possibly, other chromosomal abnormalities in the mother as well as the baby. As a result, there is no denying that such tests involve the processing of the mother’s health data. However, in the case at hand, there was also a question as to whether the health information pertaining to the unborn child qualified as personal data and data concerning health under the GDPR. Because the complaint was also filed on behalf of the child in her own name, the DPA needed to assess whether it was admissible, and its findings could also be relevant for the issue of the damages.
As the DPA underlines, the GDPR applies to the personal data of living individuals but is silent as to the data of unborn children. Under Belgian civil law, a child does not become entitled to legal rights and obligations (“legal personhood”) until it is born alive and viable. There are certain exceptions, though, where unborn children enjoy legal protection, such as for inheritance. But these are limited and do not extend to every situation, in particular as this may also impact the issue of the professional liability of doctors and health practitioners.
The DPA started from the premise that it needs to ensure an effective protection of the rights of the (future) child. It found inspiration in Opinion 4/2007 of the ‘Article 29 Working Party’ (the predecessor to the EDPB), which notes that the matter of the rights of unborn children is for the Member States to decide, but that the raison d’être of data protection rules is to ensure the protection of natural persons. Equally, it relied on a non-binding statement of the Committee of Ministers of the Council of Europe that recommends treating health information related to unborn children in the same way as personal data of living children, with the holder of parental responsibilities acting as the person legally entitled to act for the unborn child, ‘the latter being a data subject’[1]. According to the DPA, under Belgian law, the GDPR applies to unborn children, irrespective of the protection afforded to the mother’s personal data. The DPA also added some technical arguments to justify the need for a protection of the rights of unborn children, commenting on the possible consequences if the mother were regarded as the only data subject. First, in cases where the mother made the data ‘manifestly public’ as per Art. 9(2)(e) GDPR, objecting to the dissemination of the data would prove impossible for the child. Second, in the event the child were later adopted, holding the mother as the sole data subject could result in a dramatically insufficient protection for the child[2]. Third, after the child’s birth, the same data would possibly relate to two distinct data subjects, whose interests could even possibly diverge. Fourth, the validity of decisions made by the legal representative of the child could be challenged, arguing that because the personal data relates to the mother such decisions aren’t taken in the interest of the child.
The DPA concluded that unborn children deserve to be regarded as data subjects in respect of personal data collected during the pregnancy, irrespective of the rights of the biological mother. As a result, the complaint filed on behalf of the child was found admissible as well.
Although this decision only represents the point of view of the DPA and is limited to the circumstances at hand, it is an interesting exploration of the data protection rights of unborn children. The question is more than anecdotal, if only for hospitals and daycare centres that collect information about the mother and the child during the pregnancy. The finding that unborn children may be regarded as data subjects will also be of interest to research organisations. However, it is important to keep in mind that the DPA’s finding occurred in the context of the issue of unauthorized access to medical records. It does not mean, for instance, that data protection notices need to be amended in order to inform the representatives of unborn children, nor that the latter can exercise all of their rights before the birth. Still, it requires careful consideration of the interests of unborn children.
Who is a data controller?
Because the complaint was filed against the hospital, and not the physiotherapist, it is important to assess which of the two must be regarded as the data controller. The DPA has settled case law that the processing of personal data by an employee within the context of their activities for the employer is deemed to be done under the control or authority of the employer. Only in exceptional circumstances, where the employee manifestly and unlawfully exceeds the boundaries of their authorisation, can they be regarded as the data controller. This is also in line with the EDPB guidelines on data controllers and processors[3].
In the case at hand, the DPA found that the physiotherapist exceeded the authority granted to her by the hospital and should be regarded as the only data controller as far as the access to the NIPT test results is concerned. Under the hospital’s internal rules, practitioners may only access patients’ data where it is necessary for their duties and in the framework of an existing therapeutic relationship. The DPA devoted some discussion to whether there was such a therapeutic relationship between the mother and the physiotherapist, but concluded that it mattered little, considering that in light of the circumstances it was clear that the physiotherapist took the initiative to consult the mother’s record, after a conversation of a private nature and without any relevance, or even a remote connection, to her professional duties. In practice, the mother had told the physiotherapist about her taking the NIPT test and the two had discussed when the results would be available. And the physiotherapist even expressly confessed to having “spied on” the mother.
That being said, the DPA still regards the hospital as the data controller in respect of the patients’ records and the access thereto by health practitioners. It therefore turned to assessing the technical and organisational measures implemented by the hospital pursuant to Articles 5(1)(f), 5(2), 24 and 32 of the GDPR.
Access management and privacy-by-design obligations
The hospital had defined access profiles for categories of personnel, with restricted rights for nurses, medical secretaries and back-office functions (accounting, billing, etc.), and a general access to all patients’ records for the broad category of health practitioners. According to the hospital, the quality of healthcare requires an interdisciplinary approach where all practitioners, including physiotherapists, can access the medical files of all patients. In other words, there were only two access profiles, and the physiotherapist had been given the same access rights as all other therapists and doctors. The hospital also put forward the limited size of the Belgian market, where it claimed to have carefully selected a provider that also serves 90% of Belgian hospitals and consistently refuses to implement functional changes in the access management system. According to the hospital, switching to another provider would be time-intensive and burdensome, cost a lot of money and would not guarantee a better solution for access management. As a result, the hospital had focused on various ways to inform its personnel and raise awareness about the prohibition on consulting medical records of patients with whom therapists have no therapeutic relationship: contracts executed upon onboarding, an ‘IT charter’ and circular letters as well as a general data protection policy. Lastly, the hospital put forward that the login page to the patients’ records bears a statement that access is subject to an existing therapeutic relationship, and that accesses are logged and journalized.
The DPA largely dismissed these points and concluded that the hospital had failed to properly manage the access rights and the access procedure to patients’ medical records, and hence had breached Articles 5(1)(f), 5(2), 24 and 32 GDPR. First, regarding the processor, the DPA simply rejected the excuse that the processor’s software solution did not cater for a more granular or accurate rights management system, recalling that under Article 28(1) GDPR the data controller has a duty to select a processor ‘providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject’. Second, it dismissed the idea that all therapists could potentially need to access any patient’s medical records. For the DPA, only the necessary documents must be made available and, in addition, as the hospital operates a multi-site structure, it is even more appropriate to design a rights and access management system that avoids granting too broad an access to health practitioners. Third, the DPA leveraged the example of an existing ‘access matrix’ used by a regional health network that defines the access rights of health professionals based on their respective roles. As that matrix precisely excludes access to lab results for physiotherapists, the example shows that at least a similar degree of granularity can be implemented without hampering shared access amongst several practitioners. The DPA also underlines that such an access matrix does not preclude a ‘break-the-glass’ principle, whereby a given health professional can still request access on a need-to-know basis, subject to explaining the reasons, and offering the possibility to log the exceptional access to reinforce traceability and minimize the risk of unauthorized accesses.
The DPA also assessed the technical and organisational measures implemented by the hospital and found them to be insufficient, considering that the data at hand is very sensitive by its nature and is being processed on a very significant scale. For the DPA, the measures relied on by the hospital are excessively contingent upon the good intentions of the people authorized to access the medical records, and the only controls in place are ex post. In the view of the DPA, because the GDPR imposes a duty to implement an appropriate level of security that prevents unlawful processing activities, those measures cannot by themselves demonstrate that the hospital fulfilled its obligation. Interestingly, the DPA also stresses that the duty to implement an appropriate level of security is a ‘best efforts’ obligation focused on the means, and not a guarantee of the result to be achieved. However, even so understood, it requires the hospital to implement further technical security measures and controls. Among other specific failures, the DPA notes that whilst access to the medical records is logged, there are absolutely no random controls or checks of the existing logs to detect possible errors, non-conformities or unauthorized accesses, and to be able to act upon them. The hospital had acknowledged that an initial attempt to run such random controls had to be stopped due to the lack of resources. As a result, the logs were effectively used on a strictly ad hoc basis, as and when someone asked a question (such as the complainant mother in the case at hand). The DPA concludes that the unauthorized access was detected only because the mother filed a request for access, and there are no indications that the hospital would have been in a position to detect unauthorized accesses in the absence of the mother’s complaint.
It concludes that a periodic review of the logs, with appropriate escalation in case of incident, would reinforce the global security of the information system.
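The three controls the DPA contrasts with the hospital’s set-up (a role-based access matrix that excludes lab results for physiotherapists, a break-the-glass path that records the stated reason, and a periodic review of the access log with escalation) can be sketched in code. What follows is an added Python example written for this post; it is not the hospital’s software, the regional network’s access matrix or anything taken from the decision, and the roles, document categories, user names, timestamps and log entries are constructed for illustration. It also shows how the same log answers a data subject access request of the kind the mother made (“who accessed my record and what did they open?”).

```python
"""
Constructed example: role-based EHR access matrix, break-the-glass with a
recorded reason, DSAR-style access listing, and a periodic log review.
All roles, document categories, users and events below are invented.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Access matrix: which document categories a role may open when a therapeutic
# relationship with the patient exists. Physiotherapists deliberately get no
# "lab_results" entry, mirroring the granularity the decision points to.
ACCESS_MATRIX = {
    "physician": {"clinical_notes", "lab_results", "imaging", "prescriptions"},
    "nurse": {"clinical_notes", "prescriptions"},
    "physiotherapist": {"clinical_notes", "imaging"},
    "billing": {"administrative"},
}


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    doc_type: str
    decision: str  # "allow", "break_glass" or "deny"
    reason: str = ""  # mandatory justification for break-the-glass accesses


class EhrAccessControl:
    """Ex ante access decision plus an append-only access log."""

    def __init__(self, relationships):
        # (user, patient) pairs with an active therapeutic relationship,
        # normally fed from the appointment/admission system (assumption).
        self.relationships = set(relationships)
        self.log: list[AccessEvent] = []

    def request(self, user, role, patient, doc_type, now, break_glass_reason=None):
        """Return True if access is granted; every attempt is logged."""
        role_allows = doc_type in ACCESS_MATRIX.get(role, set())
        has_relationship = (user, patient) in self.relationships
        if role_allows and has_relationship:
            decision = "allow"
        elif role_allows and break_glass_reason:
            # Design choice: break-the-glass lifts the relationship requirement
            # only, never the role matrix, and always records the reason.
            decision = "break_glass"
        else:
            decision = "deny"
        self.log.append(AccessEvent(now, user, role, patient, doc_type,
                                    decision, break_glass_reason or ""))
        return decision != "deny"

    def accesses_for_patient(self, patient):
        """Data the controller needs to answer 'who opened my record?'."""
        return [(e.ts, e.user, e.doc_type, e.decision)
                for e in self.log if e.patient == patient and e.decision != "deny"]


def review_logs(log, since, denial_threshold=2):
    """Periodic review: surface break-glass events for justification checks and
    users with repeated denials, instead of waiting for a patient to ask."""
    recent = [e for e in log if e.ts >= since]
    break_glass = [e for e in recent if e.decision == "break_glass"]
    denials = Counter(e.user for e in recent if e.decision == "deny")
    repeated = {u: n for u, n in denials.items() if n >= denial_threshold}
    return {"break_glass": break_glass, "repeated_denials": repeated}


def demo():
    """Constructed scenario: one physiotherapist, two patients."""
    ehr = EhrAccessControl({("physio_a", "patient_1")})
    t0 = datetime(2025, 1, 10, 9, 0)
    ehr.request("physio_a", "physiotherapist", "patient_1", "clinical_notes", t0)
    ehr.request("physio_a", "physiotherapist", "patient_1", "lab_results", t0)   # outside matrix
    ehr.request("physio_a", "physiotherapist", "patient_2", "clinical_notes", t0)  # no relationship
    ehr.request("physio_a", "physiotherapist", "patient_2", "clinical_notes", t0,
                break_glass_reason="covering colleague's ward round")
    return review_logs(ehr.log, since=t0 - timedelta(days=30))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the `review_logs` function is the one the decision makes: the log already existed in the hospital’s system, but nothing read it until a patient asked. A scheduled review that routes every break-glass event to someone who checks the stated reason, and flags users who repeatedly hit denials, turns the same log into an ex ante control.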
In practice, the DPA only issued a reprimand and chose not to impose a financial penalty, having regard to the circumstance that the hospital had immediately dismissed the physiotherapist and that the existing organisational measures, whilst insufficient, show an acceptable level of awareness on the part of the hospital.
[1] Council of Europe, Committee of Ministers, Recommendation No. R(97) 5 of the Committee of Ministers to Member States on the protection of medical data, 13 February 1997, available at https://rm.coe.int/cmrec-97-5-on-the-protection-of-medical-data/1680a43b64.
[2] The DPA did not venture in the hypothesis of surrogate motherhood but this obviously also illustrates why there may be an interest in granting protection to the unborn child themselves.
[3] Belgian DPA, case 64/2025 of April 1st, 2025, available at https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n0-64-2025.pdf (in French) and EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, v. 2.1, July 7th, 2021, available at https://www.edpb.europa.eu/system/files/2023-10/EDPB_guidelines_202007_controllerprocessor_final_en.pdf.