
GDPR starter kit for healthcare providers

Medical data = special category (Art. 9). Patient records, WGBO law, referrals, video consultation, communication. Strictest regime.

Last reviewed: 25 May 2026
Healthcare is the most regulated domain under the GDPR. On top of the GDPR, Dutch providers fall under the Medical Treatment Contracts Act (WGBO, Civil Code Book 7), the Healthcare Data Act (Wabvpz), the Healthcare Quality and Complaints Act (Wkkgz) and sector-specific rules. Core matters:

(1) Patient record (WGBO Art. 7:454): minimum retention of 20 years after the last change to the record. The patient has a right of access and copy (Art. 7:456).
(2) BSN: its use is mandatory under the Wabvpz, but store it with appropriate safeguards: encrypted at rest, with every access logged.
(3) LSP (Landelijk Schakelpunt) connection: opt-in. Nothing is shared via the LSP without the patient's explicit consent; patients can give or withdraw that consent via Volgjezorg.nl.
(4) EHR/EPD systems (HiX from ChipSoft, Epic): a data processing agreement (DPA) with the vendor is required, plus a DPIA (Art. 35; health data is high-risk by definition).
(5) Video consultation: only via a platform certified for healthcare (e.g. Zaurus, Therapieland, Compaan, all NEN 7510-certified). No WhatsApp Video, no FaceTime.
(6) Patient communication: ordinary e-mail to a patient sends personal data over an insecure channel. Use a secure patient portal or secure messaging (in the Netherlands: NTA 7516-compliant mail).
(7) Data breach: with medical data this is almost always high risk, so notify the affected patients (Art. 34) in addition to reporting to the AP within 72 hours (Art. 33); where patient safety is affected, also report to the IGJ.

Occupational physician (bedrijfsarts): the medical file is kept strictly separate from the employer; the employer only receives the "fit/unfit for work" conclusion.

Enforcement examples: HagaZiekenhuis, 2019, €460,000 for unauthorised access to the "Barbie" patient file (insufficient access control and no regular log review); more recent fines for unsafe transmission of patient data.
