WhatsApp Business and GDPR Healthcare: What's New for Medical Records
WhatsApp Business and GDPR healthcare are increasingly intertwined in the digital management of medical records and patient data. WhatsApp Business and GDPR define a new framework of rights, obligations, and processes that healthcare companies can no longer ignore.
The recent ECJ ruling in C-307/22 definitively confirmed that the first copy of personal data contained in a medical record is free of charge pursuant to Article 15 of the GDPR (Regulation (EU) 2016/679), even when the request is made for legal purposes. This principle prevails over national regulations that impose financial charges on the requester and is part of a context of increasing digitalization, instant communication, and automation of healthcare processes.
In the modern digital ecosystem, where channels such as email, web portals, and conversational tools—including API-integrated channels like WhatsApp Business—have become integral to patient interaction flows, properly managing data access rights plays a key role in compliance, efficiency, and customer experience.
WhatsApp Business and the GDPR: Principles of the ECJ Decision C-307/22
At the heart of the debate is the ruling of the Court of Justice of the European Union in Case C-307/22, which originated in Germany. A patient had asked his dentist for a copy of his medical records to assess any errors during treatment; the dentist, pursuant to Section 630g of the German Civil Code (BGB), had made the release conditional on reimbursement of expenses.
The patient considered the right to a free copy pursuant to Article 15 of the GDPR applicable and appealed to the German courts, including the Bundesgerichtshof, which referred the matter to the CJEU. The Court defined some key principles that also impact how institutions organize digital processes, contact channels (including automated ones such as chatbots or integrated systems with WhatsApp Business) and document management systems.
Free regardless of purpose
The CJEU has clarified that the obligation to provide the data subject, free of charge, with a first copy of the personal data undergoing processing falls on the data controller even if the request is motivated by a purpose unrelated to those indicated in Recital 63 of the GDPR. This also includes requests for legal action against the healthcare professional.
This principle strengthens the effectiveness of the right of access and prevents the data controller's "defensive" motivations—for example, fears of litigation—from limiting or making the data subject's right more burdensome.
Ban on burdensome national regulations
The Court ruled that a national law, even if it predates the GDPR, cannot require the data subject to pay for the first copy of their personal data if this serves to protect the data controller's economic interests. Such a mechanism would violate the right of access under Article 15 and its effectiveness.
For national health systems, this means adapting internal regulations, tariffs and administrative practices, moving from a model based on copying fees to one that values efficient digital processes, perhaps supported by automation and smart channels such as WhatsApp Business for submitting requests or tracking their progress (not for the delivery of sensitive health data).
Extensive definition of "copy" and minimum guaranteed content
The definition of "copy" adopted by the CJEU is broad: in the doctor-patient relationship, the right to obtain a copy of personal data implies the provision of a faithful and intelligible reproduction of all such data. When necessary to ensure accuracy, completeness, and intelligibility, this may mean a full copy of the documents contained in the medical record.
In any case, the minimum guaranteed content includes data such as diagnoses, test results, opinions of treating physicians, and therapies or interventions performed. To learn more about the regulatory framework, it is useful to refer to the text of Regulation (EU) 2016/679 and to the specialist analyses available, for example, on the portal of the Garante per la protezione dei dati personali (the Italian Data Protection Authority).
GDPR data access and document access: two distinct levels
In the Italian context, the ruling highlighted the conflict, which is only apparent, between the right to access personal data pursuant to Article 15 of the GDPR and access to documents pursuant to Law 241/1990. The two legal instruments, while possibly concerning the same material object (e.g., medical records), have different prerequisites, purposes, and consequences.
Access to personal data pursuant to art. 15 GDPR
This is the right of the data subject to obtain from the data controller confirmation as to whether or not personal data concerning him or her is being processed, and, if so, to access that data and obtain a copy thereof. The first copy is free of charge, requires no justification, and applies to any controller, public or private.
The data subject exercises strictly personal rights: the focus is on the data, not necessarily the document itself. For this very reason, organizations must be able to distinguish, in their workflows and forms, between requests for access to data (GDPR) and requests for copies of administrative documents.
Access to documents pursuant to Law 241/1990
Access to administrative documents pursuant to Law 241/1990 requires a direct, concrete, and current interest, can only be exercised with public administrations, and is subject to the payment of reproduction costs. The subject matter is the administrative document, which may or may not contain personal or health data.
The Garante (the Italian Data Protection Authority) has repeatedly criticized healthcare facilities that, when faced with requests for access to personal data contained in health records submitted pursuant to Article 15 of the GDPR, have treated them as requests for document access and imposed a fee. The first copy of personal data must, however, be provided free of charge.
The data controller must assess whether, to ensure the accuracy, completeness, and intelligibility of the data, it is necessary to provide a full copy of the medical records. For general requests, the data controller may ask the data subject to specify whether they are requesting personal data, documents, or both.
Organizational impact on healthcare companies and the role of digitalization
It is reasonable to assume that the C-307/22 ruling has led to a significant increase in requests for access to medical records under Article 15 of the GDPR. This increase has a direct impact on the costs and internal organization of healthcare facilities.
The increase in requests
Among the main factors:

- Greater awareness: the media coverage of the ruling informed citizens of their right to obtain the first copy of their medical records free of charge.
- Economic convenience: fees for issuing a paper or digital copy can range from 8 to over 30 euros, encouraging the use of the right of free access.
- Pre-litigation purposes: law firms and patient advocacy groups have promoted the use of Article 15 of the GDPR to analyze medical records for potential medical malpractice claims.
Administrative burden and costs
The increase in requests generates costs related to:
- reproduction (paper, toner, digital media, equipment maintenance);
- staff (research, duplication, verification, delivery of documentation);
- shipping (in case of postal delivery);
- organization (training, procedures, complaints management).
These costs, previously recovered through copying rights pursuant to Law 241/1990, now weigh on the budgets of healthcare companies, at least for the first copy released pursuant to the GDPR. Hence the need to accelerate digitalization and automation processes, also by leveraging communication and workflow tools that can integrate conversational channels such as WhatsApp Business for non-sensitive notifications and interactions.
Digital medical records, electronic health records, and audits by the Court of Auditors
In Italy, the push toward electronic health records (EHRs) has its foundation in Law No. 35 of April 4, 2012, Article 47-bis, which prioritizes the electronic management of clinical practices and, starting January 1, 2013, allows for the digital preservation of records in compliance with the Digital Administration Code (Legislative Decree 82/2005) and privacy legislation.
Despite this, most of the records are still stored in analog format, making reproduction expensive, unlike what full digitization with native digital archives and standard-compliant preservation would allow. The Court of Auditors, with Resolution no. 84 of May 30, 2025 (Piedmont Regional Control Section, 2022 financial year), analyzed the practices for issuing copies of medical records, highlighting a strong disparity in pricing and application among healthcare companies.
Only the City of Turin Local Health Authority (ASL) has declared compliance with the ECJ ruling, issuing the first copy of the medical record free of charge; another company has expressed its intention to comply as soon as the development of the digital medical record is completed. The Regional Section hopes for the uniform application of EU case law.
Request management, request limits and operational solutions
A correct interpretation of the regulatory framework, also in light of the Garante's FAQs, requires a distinction between the right to access personal data and access to documentation. Article 15 of the GDPR concerns personal data, not necessarily all documentation.
Triaging of requests and the role of the DPO
Healthcare facilities should adopt clear procedures to distinguish:
- explicit requests for a free first copy pursuant to Article 15 of the GDPR, which must lead to free release;
- generic requests, for which the data controller must contact the applicant and clarify whether they intend to exercise the right to access personal data or access to documents;
- requests made pursuant to Law 241/1990, for which company rates apply.
The Data Protection Officer (DPO) must coordinate these flows, ensuring a response within the deadlines of Article 12 of the GDPR. The offices responsible for reproduction must record in an internal register the issuance of the "first copy" for each file and for each data subject, a requirement for legitimizing any fees for subsequent copies.
Digital processes, automation and supporting technologies
The most effective solution to contain the cost of the first free copy is to optimize internal processes and accelerate digitalization. Some key levers:
- Automation: use of management software that automates the search, extraction and generation of copies of medical records.
- Digital identity: use of SPID/CIE to submit requests and access the Electronic Health Record.
- Training: specific training on the different access regimes pursuant to the GDPR and Law 241/1990.
The adoption of digitally native electronic health records, transmission via certified email, secure email, or dedicated portals, and systematic attachment to the Electronic Health Record reduce marginal costs and formal requests for copies. Measures to limit manifestly unfounded or excessive requests are provided for in Article 12, paragraph 5 of the GDPR, which allows the controller to charge a reasonable fee or refuse repetitive requests, provided they can demonstrate their excessive nature.
WhatsApp Business and Healthcare GDPR: Impact on Marketing and Business
WhatsApp Business and GDPR for healthcare go beyond legal compliance; they directly impact the marketing, communications, and positioning of healthcare organizations and businesses. How data access, patient transparency, and the digitalization of workflows are managed impacts brand perception and trust.
A facility that communicates clearly, uses modern channels (websites, portals, app notifications, and conversational channels), and makes requests such as copying medical records simple demonstrates attention to customer experience. In this context, WhatsApp Business can become a communication channel for:
- sending appointment reminders, notifications on the status of the request (without transmitting sensitive data in clear text);
- automated information support via chatbot on rights, deadlines, and required documents;
- gathering feedback on the quality of services and the patient journey.
For private healthcare companies, clinical groups, outpatient clinics, and insurance companies, WhatsApp Business and GDPR-compliant management allows you to integrate the channel into healthcare CRMs, track interactions, and orchestrate prevention or recall campaigns in a manner that complies with regulations and consent requirements.
Business opportunities arise from improved loyalty, increased patient satisfaction, and reduced front-office costs, thanks to the automation of repetitive requests and information. The key is to rigorously separate marketing communication flows from those involving the exchange of healthcare data, adopting appropriate policies, information, and technical tools.
How SendApp Can Help with WhatsApp Business and Healthcare GDPR
To manage WhatsApp Business and GDPR healthcare in a structured manner, healthcare organizations need professional platforms capable of integrating official APIs, automation, consent management, and centralized access control. This is where the SendApp ecosystem comes in.
With SendApp Official, organizations can use the official WhatsApp Business APIs to orchestrate scalable and secure communications: appointment notifications, test reminders, and alerts on document availability, always in compliance with WhatsApp policies and the GDPR. Integrations with healthcare management and CRM systems allow data to be kept within controlled infrastructures, reducing the risk of misuse.
SendApp Agent allows you to manage patient conversations as a team, with chat assignments, custom tags, internal notes, and reporting. The front office can thus respond consistently, and in a tracked manner, to information requests regarding access rights, application status, and clinical pathways, leaving any sensitive healthcare data outside the channel; such data should travel via more secure channels.
For more advanced scenarios, SendApp Cloud offers marketing automation and omnichannel workflow capabilities: it is possible to configure journeys that, with prior consent, inform the patient about periodic check-ups, prevention campaigns, or service updates, integrating WhatsApp Business with email, SMS, and other touchpoints, always in line with security and privacy requirements.
In a context where the right to access healthcare data is becoming increasingly central and digitalization is accelerating, adopting a structured platform like SendApp allows you to transform compliance into a lever of value: less time on repetitive micro-tasks, more focus on patient relationships and service quality. For healthcare organizations looking to evolve their communications and align WhatsApp Business with the healthcare GDPR, now is the ideal time to consider a dedicated consultation and start a free trial of SendApp solutions.