
GDPR and health: your 6 rights over your medical record

Access, rectification, erasure, portability, objection, restriction. How to effectively exercise each of your GDPR rights over your health data.


In 2 sentences. GDPR gives you 6 rights over your personal data, including health data (considered "sensitive"). Here's how to exercise them, with the exact texts and the timeframes to know.

Before we begin: who is concerned?

GDPR (General Data Protection Regulation, EU 2016/679) applies to any organisation established in the EU that processes personal data, and to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour (article 3). For your health data, this concerns:

  • Your primary care physician, your specialists, your pharmacist
  • Hospitals, clinics, laboratories, radiology centres
  • The French health insurance system (CNAM), your supplementary insurer, Mon Espace Santé
  • Health applications (including My Data My Care)
  • Connected health devices and their vendors

Health data is classified as "sensitive data" under GDPR article 9: its processing is in principle forbidden, except under strictly framed exceptions (explicit consent, provision of care, public interest in health).

Right 1 — Access (article 15)

You have the right to know whether data about you is being processed, what data is held, for what purposes, with whom it is shared, where it came from and how long it is kept, and to obtain a copy of it.

How to exercise it

Send a written request (email is sufficient) to the data controller or the DPO (Data Protection Officer). Mention: "I request, on the basis of GDPR article 15, the communication of the data concerning me." The controller may ask you to confirm your identity before releasing anything (article 12(6)); provide what is needed for that and nothing more.

Response time

1 month, extendable by two further months (3 months in total) for complex or numerous requests, provided you are told of the extension within the first month. Free, except for manifestly unfounded or excessive requests, in particular repetitive ones, for which a reasonable fee may be charged or the request refused.

Right 2 — Rectification (article 16)

If your data is inaccurate or incomplete (wrong date of birth, incorrect allergy, wrong history), you can request correction.

Special case of the medical record

The clinical observations of a doctor cannot be "rectified" by the patient — they are the expression of a protected medical opinion. But you can request the addition of a contradictory observation ("patient comment"), which will remain in the record.

Right 3 — Erasure (article 17)

Also known as the "right to be forgotten". You can request the deletion of your data in certain cases:

  • When it is no longer necessary for the original purpose
  • When you withdraw your consent
  • When the processing is unlawful
  • When the data was collected from you as a child by an online service (article 17(1)(f)), even if you are now an adult

Important limits

Health data has a legal retention period (20 years after the last stay or consultation in a health establishment, French Public Health Code, article R. 1112-7). You can request its erasure, but the controller may refuse where keeping the data is required by a legal obligation or for reasons of public interest in public health (article 17(3)).

Right 4 — Portability (article 20)

You can obtain your data in a structured, commonly used, machine-readable format and transmit it to another service.

In practice for health

GDPR itself does not prescribe a format, only that it be structured, commonly used and machine-readable. In health, the widely used interoperability standard is FHIR R4 (Fast Healthcare Interoperability Resources, published by HL7), so ask for a FHIR export where the service supports it. My Data My Care, for example, provides this export in 1 click from the app, with no procedure or justification required.

Important. This right applies only to data you have provided, or data generated by your activity (connected devices, appointments), and only where the processing is based on your consent or a contract and is carried out by automated means (article 20(1)). It does not apply to clinical observations or diagnoses authored by a doctor: those are what article 15 (access) and the direct-access right below are for.
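To make the scope of article 20 concrete, here is an added example (not My Data My Care's code, nor an HL7 tool) that reads a FHIR R4 Bundle such as a portability export, checks its basic shape, separates data the patient provided or generated from data a practitioner authored, and flags any resource whose subject is not the requesting patient. The sample bundle is constructed for the example; the rule that an Observation's performer (Patient, RelatedPerson or Device versus Practitioner, PractitionerRole, Organization or CareTeam) decides which side of the article 20 line it falls on is our assumption for illustration, not a FHIR rule.

```python
import json
from collections import Counter

# Constructed sample of what a FHIR R4 portability export can look like.
# Resource ids, LOINC codes and values are illustrative, not real patient data.
SAMPLE_EXPORT = json.dumps({
    "resourceType": "Bundle",
    "type": "collection",
    "entry": [
        {"resource": {"resourceType": "Patient", "id": "p1",
                      "name": [{"family": "Doe", "given": ["Jane"]}],
                      "birthDate": "1985-04-12"}},
        # Heart rate pushed by a connected watch: generated by the patient's activity
        {"resource": {"resourceType": "Observation", "id": "o1", "status": "final",
                      "code": {"coding": [{"system": "http://loinc.org",
                                           "code": "8867-4", "display": "Heart rate"}]},
                      "subject": {"reference": "Patient/p1"},
                      "performer": [{"reference": "Device/watch-1"}],
                      "valueQuantity": {"value": 72, "unit": "/min"}}},
        # Weight typed in by the patient herself
        {"resource": {"resourceType": "Observation", "id": "o2", "status": "final",
                      "code": {"coding": [{"system": "http://loinc.org",
                                           "code": "29463-7", "display": "Body weight"}]},
                      "subject": {"reference": "Patient/p1"},
                      "performer": [{"reference": "Patient/p1"}],
                      "valueQuantity": {"value": 64.5, "unit": "kg"}}},
        # Clinical assessment recorded by a practitioner: outside article 20
        {"resource": {"resourceType": "Observation", "id": "o3", "status": "final",
                      "code": {"coding": [{"system": "http://loinc.org",
                                           "code": "75325-1", "display": "Symptom"}]},
                      "subject": {"reference": "Patient/p1"},
                      "performer": [{"reference": "Practitioner/dr-1"}],
                      "valueString": "Mild seasonal rhinitis, no treatment needed"}},
    ],
})

# Assumption for this example: the performer's reference type decides which side of
# the article 20 line an Observation falls on. This is our mapping, not a FHIR rule.
SUBJECT_SIDE = ("Patient/", "RelatedPerson/", "Device/")
CLINICIAN_SIDE = ("Practitioner/", "PractitionerRole/", "Organization/", "CareTeam/")


def load_bundle(text: str) -> dict:
    """Parse an export and check the minimum FHIR Bundle shape before trusting it."""
    bundle = json.loads(text)
    if bundle.get("resourceType") != "Bundle":
        raise ValueError("not a FHIR Bundle")
    for entry in bundle.get("entry", []):
        resource = entry.get("resource")
        if not isinstance(resource, dict) or "resourceType" not in resource or "id" not in resource:
            raise ValueError("entry without a typed, identified resource")
    return bundle


def resources(bundle: dict) -> list:
    return [entry["resource"] for entry in bundle.get("entry", [])]


def count_by_type(bundle: dict) -> Counter:
    """How many resources of each type the export carries."""
    return Counter(r["resourceType"] for r in resources(bundle))


def classify_entries(bundle: dict) -> dict:
    """Split resources into data the subject provided or generated versus clinician-authored."""
    result = {"subject_provided": [], "clinician_authored": [], "unclassified": []}
    for r in resources(bundle):
        ref = f'{r["resourceType"]}/{r["id"]}'
        if r["resourceType"] == "Patient":
            result["subject_provided"].append(ref)
            continue
        performers = [p.get("reference", "") for p in r.get("performer", [])]
        if performers and all(p.startswith(SUBJECT_SIDE) for p in performers):
            result["subject_provided"].append(ref)
        elif any(p.startswith(CLINICIAN_SIDE) for p in performers):
            result["clinician_authored"].append(ref)
        else:
            result["unclassified"].append(ref)
    return result


def foreign_subjects(bundle: dict, patient_id: str) -> list:
    """Resources whose subject is not the requesting patient: someone else's data in your export."""
    expected = f"Patient/{patient_id}"
    leaks = []
    for r in resources(bundle):
        if r["resourceType"] == "Patient":
            if r["id"] != patient_id:
                leaks.append(f'Patient/{r["id"]}')
            continue
        if r.get("subject", {}).get("reference") != expected:
            leaks.append(f'{r["resourceType"]}/{r["id"]}')
    return leaks


if __name__ == "__main__":
    bundle = load_bundle(SAMPLE_EXPORT)
    print(count_by_type(bundle))
    print(classify_entries(bundle))
    print("foreign subjects:", foreign_subjects(bundle, "p1"))
```

The last check is the one worth running on any export you receive: a portability bundle that references another patient's id means the exporting service has a scoping bug, and it is a data breach to report to the controller (and, if unaddressed, to the CNIL) rather than a file to forward to your next provider.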

Right 5 — Objection (article 21)

You can object to a processing of your data for reasons relating to your particular situation. In health, this allows for example:

  • Refusing that your data feeds an epidemiological study
  • Refusing the automatic creation of your Mon Espace Santé (opt-out to activate on monespacesante.fr)
  • Objecting to transmission of your data to your supplementary insurer beyond what is strictly necessary for reimbursement

The controller may maintain the processing only if they demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or that the processing is needed to establish, exercise or defend legal claims (article 21(1)). In health, a processing carried out for reasons of public interest in public health may be upheld on that basis, and processing required by a legal obligation is not open to objection at all.

Right 6 — Restriction (article 18)

You can request the temporary freezing of a processing, for example while a dispute over the accuracy of data is being resolved. During restriction, your data is kept but no longer used.

Rights specific to health

Direct access to the medical record

Beyond GDPR, the French Public Health Code (article L. 1111-7) gives you a right of direct access to your medical record, without going through an intermediary doctor. Timeframe: 8 days for recent information, 2 months when the information is more than 5 years old.

Post-mortem directives

Since the 2016 law, you can designate during your lifetime a person who will have access to your health data after your death, or conversely request immediate erasure.

What to do if refused or ignored?

If the controller does not respond within 1 month or refuses without valid grounds, you can:

  • File a complaint with the CNIL — free, online at cnil.fr. Response time: 3 to 6 months.
  • Bring the matter before the judicial court — in serious cases, to obtain damages.
  • Refer the matter to a mediator — some supplementary insurers and organisations have a dedicated mediator.

MDMC's commitments regarding these rights

At My Data My Care, these 6 rights are exercisable directly from the application:

  • Access — everything is permanently visible in your passport
  • Rectification — direct editing of your profile, history preserved
  • Erasure — account deletion in 1 click, irreversible erasure within 30 days
  • Portability — full FHIR R4 export in 1 click
  • Objection — any optional processing is individually disableable
  • Restriction — activatable "read-only" mode

To exercise your rights outside the app: dpo@mydatamycare.com. Response within 1 month maximum.

Ready to take control of your data?

Create your free health passport. 5 minutes to get set up, a lifetime to benefit.

Create my free passport