Professional secrecy and the GDPR: what healthcare providers need to know

In healthcare, trust is everything. That trust begins with a promise: that what’s shared in confidence stays in confidence.

But what happens when that promise meets the rules of the GDPR? Where does professional secrecy end, and data protection begin? And when, if ever, are you allowed to speak?

Let’s clear the confusion. This blog explores how professional secrecy in Belgium intersects with the GDPR, and what care providers must consider when handling personal data, legally, ethically, and operationally.

1. What is professional secrecy?

Professional secrecy (or beroepsgeheim) isn’t just tradition. It’s the legal foundation for confidentiality in the care sector. Incorporated in Belgian criminal law, it applies to anyone who, by virtue of their role, gains access to personal secrets, from doctors and nurses to psychologists, pharmacists, and even administrative staff in medical settings.

This is not limited to what a patient says. Any information obtained in the course of care, including what is observed, documented, or learned indirectly, is covered.

Importantly, professional secrecy continues to apply after the patient’s death. It’s not something you can shrug off after treatment ends or records are archived. This makes it distinct from the GDPR, which does not apply to the data of deceased individuals.

How does the GDPR interact with professional secrecy?

On the surface, professional secrecy and the GDPR seem aligned: both aim to safeguard sensitive personal data.

But they’re not interchangeable.

The GDPR is a European regulation that applies broadly to the processing of any personal data, whether medical, financial, behavioural or otherwise, across all sectors. It’s about how data is collected, used, stored and shared. It applies to organisations, public and private, and sets clear rules for transparency, purpose limitation, and data minimisation.

Professional secrecy, on the other hand, is narrower in scope, but deeper in duty. It binds individuals, not organisations. And its focus is not just compliance, but silence, unless a legal basis for disclosure exists.

Where the GDPR might offer room to process data with consent or legitimate interest, professional secrecy doesn’t flinch. If you’re bound by it, you stay silent, unless the law explicitly allows you to speak.

That’s where the nuance begins.

2. Is silence always required?

Most of the time: yes.

But there are lawful exceptions. Belgian law provides specific situations where professional secrecy may be broken, though even then, it’s never obligatory to do so.

You may be allowed to disclose confidential information if:

  • You are compelled to testify in court or before a parliamentary commission.
  • A specific law requires or permits the disclosure (e.g. child protection reporting).
  • The information is shared with another care provider involved in the patient’s treatment, and who is themselves bound by secrecy.
  • The patient has given informed consent. The patient must receive all the relevant information in plain, understandable language. That includes the risks of disclosure, who will receive the data, and their rights (including the right to withdraw consent at any time).
  • There’s an overriding legal basis that justifies disclosure in the public interest.

Each case requires careful assessment. The golden rule? If you’re in doubt, don’t share. Legal advice and data protection officers exist for this reason.

What if you get it wrong?

Disclosing confidential information without legal basis is a criminal offence in Belgium, recently redefined under Article 352 of the new Penal Code.

Gone are the long lists of professions. Instead, the law now refers to “any person who, by reason of their status or profession, holds entrusted secrets.” That means the scope is broader, and so is the responsibility.

To be considered a breach of professional secrecy, five conditions generally apply:

  1. The information is confidential.
  2. The person concerned is identifiable.
  3. The disclosure was intentional (malicious intent is not required).
  4. It was shared with a third party (yes, authorities count).
  5. The discloser was professionally bound to secrecy.

Consequences? They range from disciplinary sanctions to criminal penalties, including fines and imprisonment, depending on severity and intent.

3. What about GDPR compliance? Is that enough?

No, and that’s where organisations often get caught out.

Just because you’ve ticked all the GDPR boxes (consent forms, privacy notices, secure systems) doesn’t mean you’re in the clear under professional secrecy law.

Take this example: a healthcare organisation develops a new patient app. They include all the standard GDPR safeguards. But if that app routes confidential information to staff who aren’t directly involved in care, or worse, external providers not bound by secrecy, they may be in breach of criminal law, regardless of GDPR compliance.

GDPR sets the rules for processing. Professional secrecy defines the ethical and legal limits of disclosure. The two must work together, but they are not substitutes.

4. When can professional secrecy be broken?

Contrary to popular belief, professional secrecy in Belgium isn’t absolute. The duty to remain silent is strong, but not unshakeable. In very specific, exceptional cases, a care professional may be allowed (or even required) to share confidential information.

However, the threshold is very high. Disclosure must always:

  • Serve a clear legal or ethical justification.
  • Be limited to what is strictly necessary.
  • Be shared only with relevant parties.

Here’s a closer look at the main exceptions:

1. Testifying in court

If you’re officially called to testify in court or before a parliamentary committee, you’re permitted to speak, but not obliged. Requests from police or insurers do not carry the same legal weight and do not justify breaking secrecy.

2. Legal obligation to report

Some laws require healthcare providers to disclose certain data, such as reporting work-related injuries or supplying information to the RIZIV. These legal duties override professional secrecy in scope and priority.

3. Explicit patient consent

Patients have increasing control over their personal data. With informed, explicit consent, a care provider may share specific information with others, including other providers. Consent must be free, informed, specific and documented.

4. Imminent danger or “noodtoestand”

If there’s a serious, imminent threat to the life or health of the patient or others, and disclosing information is the only way to prevent harm, secrecy may be broken. This is known as “state of necessity” (noodtoestand). It must be used cautiously, and ideally backed by peer consultation or advice from the Orde der Artsen.

5. Suspected abuse or crimes against vulnerable people

If a provider reasonably suspects abuse, exploitation, or neglect (especially of minors or vulnerable adults) they may report this to the public prosecutor. In some cases, they may even be obliged to do so under Article 458bis of the Penal Code.

6. Multidisciplinary case management

Since mid-2023, care providers involved in structured multidisciplinary consultations (e.g. around intrafamily violence, child abuse or terrorism) may exchange information, but only under strict conditions, and with safeguards in place to limit scope and relevance.

5. What should healthcare providers do?

Professional secrecy is not an outdated concept. It’s a modern-day imperative, one that reinforces patient trust and legal integrity. But as data flows more easily and systems grow more complex, the risks of unintentional disclosure are higher.

Here are some best practices:

  • Review internal data flows against both GDPR and professional secrecy obligations.
  • Ensure all staff (not just clinicians) understand the limits of their access and the boundaries of disclosure.
  • Embed these duties into digital systems and data governance structures.
  • Consult legal and data protection experts before introducing new platforms, apps or third-party partnerships.

FAQ: Professional secrecy & GDPR in practice

If I’m GDPR compliant, does that mean I respect professional secrecy?

No. The GDPR governs data processing; professional secrecy governs confidentiality. You can be fully GDPR-compliant and still breach professional secrecy if you disclose without a valid exception.

Final word

Healthcare confidentiality isn’t just a legal technicality. It’s a professional promise. And in the age of datafication, keeping that promise requires more than good intentions.

It takes clear knowledge of your duties. And it takes smart design of your policies, your systems and your people.

CRANIUM helps care providers and health tech organisations design privacy and compliance that holds up, legally, ethically and operationally. If you’re unsure where GDPR ends and secrecy begins, we’re here to help you draw the line.

Written by

Anse Boogaerts