Sensitive patient data as company assets

Publication date: June 18, 2025

In the era of digitalization and the growing role of data in the economy, patients’ medical information is becoming not only the subject of legal protection, but also a significant economic resource. Sensitive data – including treatment history, diagnoses, test results or genetic information – is increasingly treated by entities operating in the healthcare sector as a potential asset. Used for analytical, research and sometimes commercial purposes, it is becoming an element of the business strategy of medical, biotechnological or technological companies. However, such an approach raises a number of legal, ethical and social questions. Can patients’ personal data be perceived as a commodity? What are the boundaries of personal data protection regulations, such as GDPR? And finally – is it possible to reconcile business interests with the patient’s right to privacy and autonomy?

This article will discuss the above issues in the context of Polish and EU law.

Constitutional regulation

Very general, but extremely important regulations concerning personal data and their protection can be found in the Constitution of the Republic of Poland of 2 April 1997. It does not directly mention the “protection of sensitive patient data”, but it contains provisions that constitute the constitutional basis for the protection of personal data, including sensitive data such as health data. Article 47 states that everyone has the right to the protection of their private and family life, honour and good name, and to decide about their personal life. It can therefore be concluded that this provision also covers the privacy of information about one’s health. Article 51, sec. 1 and 2 contains the direct constitutional basis for the protection of personal data: no one may be obliged, except on the basis of the law, to disclose information concerning their person, and public authorities may not obtain, collect or make available information about citizens other than that necessary in a democratic state of law. Finally, Article 31, paragraph 3 formulates a very important rule: restrictions on the exercise of constitutional freedoms and rights may be established only by law and only when they are necessary in a democratic state for its security or public order, or for the protection of the environment, health and public morality, or the freedoms and rights of other persons. Moreover, these restrictions may not violate the essence of freedoms and rights. This provision protects against arbitrary interference with individual rights, including privacy and personal data. The Constitution does not directly provide that patient data may be treated as company assets. In practice, however, patient data (particularly sensitive data about health status) are subject to legal protection under statutory provisions, e.g. the Personal Data Protection Act, the GDPR and the Medical Activity Act. Their processing by companies (e.g. healthcare entities) must be carried out in accordance with applicable law – they cannot be treated solely as “assets” in the property sense.

Regulation included in the GDPR

When discussing in detail the legal regulations concerning data protection (including sensitive data concerning patients), it is impossible to ignore the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. This is because, in accordance with Article 91 paragraph 3 of the Constitution of the Republic of Poland, if it results from an agreement ratified by the Republic of Poland establishing an international organization, the law established by it is applied directly, taking precedence in the event of a conflict with statutes. This also applies to acts of secondary law of the European Union, which are regulations. The General Data Protection Regulation indicates that medical data are data of a special category (so-called sensitive data). Furthermore, Article 9 paragraph 1 of the GDPR is crucial, which establishes a ban on the processing of personal data revealing racial or ethnic origin, political opinions, religious or ideological beliefs, trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person or data concerning the health, sexuality or sexual orientation of that person. Therefore, health data may not be processed unless one of the ten conditions contained in paragraph 2 is met – in the context of medical data, conditions relating to, for example, the patient’s consent, a legal obligation or the protection of vital interests may be relevant.

From Article 4 of the Regulation, we can deduce that personal data cannot be treated as “assets” in the strict sense, unless the processing is carried out in accordance with the principles of processing, such as: purpose limitation, data minimization, storage limitation, integrity and confidentiality, and accountability. In summary, patient data cannot be freely transferred or used as an asset without a legal basis (e.g. in the process of selling a company).

Statutory and code regulations

From the point of view of the Polish legal system, the regulation contained in codes and acts regarding the status of patient data and their relationship with company assets is key. The Act of 10 May 2018 on the Protection of Personal Data de facto supplements the provisions of the GDPR in the Polish legal order, establishes the President of the Office for Personal Data Protection as the supervisory authority, and introduces additional rules for the processing of sensitive data within medical entities. Also extremely important is the Act of 6 November 2008 on Patients’ Rights and the Patients’ Ombudsman, which in Article 23 et seq. states that medical records are the property of the medical entity, but the patient has rights to them. Access to the documentation is available to the patient, their legal representative or a person authorized by them.

Furthermore, on the basis of Article 24 sec. 1 of this Act, medical documentation must be protected against destruction, loss, and access by unauthorized persons. It follows that patient documentation cannot be treated as a “saleable asset” – transferring it as part of the sale of a company requires securing patient rights and compliance with regulations. The Act of 15 April 2011 on medical activity regulates the functioning of medical entities in great detail and provides, for example, that in the event of a change in the owner of a medical entity, the continuity of storage and availability of medical documentation must be ensured and, in accordance with Article 24, paragraph 2, the transferee must ensure the availability of medical documentation in accordance with the patient’s rights. The regulation contained in the Act of 23 April 1964 – the Civil Code and in the Act of 15 September 2000 – the Commercial Companies Code tells us that personal data are not an asset in the property sense (such as real estate or equipment), and only the rights and obligations related to them can be traded – and only in compliance with the principles of data protection.

To sum up, sensitive patient data cannot be treated as typical company assets that can be sold or transferred without restrictions. Their processing and possible “transfer”, e.g. as a result of a merger, takeover or sale of a company, must meet strict requirements: it must be compliant with the GDPR and the Polish Personal Data Protection Act, it must respect the patient’s rights to privacy and access to documentation, it requires ensuring continuity of access and security of medical documentation, and in many cases the patient’s consent or another clear legal basis is required. The acts mentioned earlier are only the key and most frequently used regulations. The issue of patient data in the context of company assets is also addressed, more or less broadly, in many other supplementary and related legal acts, which may be relevant depending on the context. For example, the Act of 29 August 1997 – Tax Ordinance provides for the possibility of tax obligations related to data processing in the event of the takeover of medical activities (e.g. patient data and contractor data), as well as provisions on fiscal secrecy and the processing of personal data as part of tax obligations. The Act of 1 March 2018 on counteracting money laundering and terrorism financing may apply if the activities of a medical company fall within the scope of the obligations of obligated institutions (e.g. takeovers, mergers); it enforces, among other things, the application of due diligence principles and customer identification (which may require data processing), but does not legalize any trade in patient data. Other regulations that can be referred to in this area are those in the field of financial law, for example the Act of 6 December 2001 on payment services and the Act of 29 August 1997 – Banking Law, which may apply to situations where patient data is linked to financial data (e.g. invoices for medical services). In addition, these two acts protect the data of customers of financial institutions, including bank secrecy.

In turn, the Act of 27 August 2004 on health care services financed from public funds applies to beneficiaries and the payer (the National Health Fund) and contains obligations regarding reporting and processing of beneficiaries’ data – which may also apply to patients’ personal data. The Act of 5 December 1996 on the professions of physician and dentist and the Act of 15 July 2011 on the professions of nurse and midwife introduce the obligation to maintain medical confidentiality (Article 40 of the Medical Act), which is crucial when considering the transfer of data to another entity – professional confidentiality does not expire upon the patient’s death or when the owner of the medical entity changes.

In processes such as due diligence, personal data of patients may be analyzed in order to assess the intangible assets of the company, such as the patient database. In such cases, in accordance with the GDPR and national regulations, it is necessary to provide appropriate safeguards and comply with the principles of personal data protection. Developing the topic of statutory regulations regarding sensitive patient data, it should be noted that the provisions of the Act of 28 April 2011 on the information system in health care, which regulates the principles of operation of teleinformatic systems in health care, including Electronic Medical Records (EMD), are key. The Act of 27 July 2001 on laboratory diagnostics is also important, which regulates the principles of storing genetic material and genetic test results, which is important in the context of protecting sensitive patient data. The issue of processing sensitive patient data is also addressed by implementing legal acts, e.g. the Regulation of the Minister of Health of 26 June 2020 on the detailed scope of medical event data processed in the information system and the method and deadlines for transferring this data to the Medical Information System.

The essence of the issue of sensitive patient data in modern times

The issue of sensitive patient data as a company asset is appearing more and more often not only in legal discourse, but also in the media. One widely discussed case concerned the planned acquisition of a DNA testing business and most of its assets in bankruptcy proceedings. The deal would put the DNA data of millions of customers in the hands of a pharmaceutical company, which hopes to expand its efforts to mine genetic data for insights into drug development. Questions were also raised about the anonymization of the data to be acquired.

Summary

A review of domestic and foreign legal regulations concerning broadly understood personal data (more precisely: sensitive patient data) in the context of company assets clearly shows that, despite the existence of a very good axiological and normative basis for such provisions, this is still an area that is very imprecise and, in a sense, neglected. Matters concerning sensitive patient data in the context of transformations and liquidation proceedings of a company give rise to a lot of discussion and numerous concerns abroad. Therefore, the domestic and EU legislator must very seriously and honestly consider clarifying the existing regulations so that every large entrepreneur knows what to do with sensitive data, e.g. in the event of ownership transformations of a company.