A clinic website is not a brochure. The patient types a phone number into a booking form, leaves an email address when signing up for the newsletter, clicks 'I agree' on cookies, sometimes sends a question about a specific condition through a chat with reception. Every one of these is processing of personal data. Some of it is a special category of data.
Nobody needs a lecture on GDPR. You need to know what gets checked first, where the real gaps are on 90% of clinic websites in Poland, and what to fix so the site keeps selling appointments effectively. No theorising.
What GDPR actually has to do with a clinic website, and what you only think it does
A clinic website touches GDPR in five specific places:
- The appointment booking form (phone, email, sometimes the reason for the visit).
- The contact form or chat with reception (patient questions, often with a description of symptoms).
- The patient reviews section (first name, sometimes surname, photo).
- Cookies, marketing pixels and analytics (Meta, Google Analytics, Hotjar, TikTok).
- Server logs, backups and every subcontractor with access to this data (hosting, agency, mailing tools).
A static site with three subpages and an email address in the footer has a minimal scope of obligations. A site with online booking, a calendar, reviews and an advertising pixel has far more. Most private clinics are closer to the second scenario, because those are exactly the elements that fill the calendar.
Patient data is not ordinary contact data
GDPR distinguishes ordinary data (name, phone, email) from special category data (health, sexuality, origin, biometrics, religion). The latter sits in Art. 9 and requires one of a few specific legal bases, not consent alone.
When a patient selects 'visit to a gynaecologist', 'oncology consultation' or 'root canal treatment' in the booking form, the specialty itself becomes information about health. At that moment we are in Art. 9. For a clinic the most common and safest basis is Art. 9(2)(h) GDPR: processing for the purposes of providing healthcare.
In practice this means two things. First: the patient does not 'consent to the processing of medical data in order to book a visit', because consent is not the right basis here. Second: they must know who processes the data, for what purpose, for how long and to whom it is passed on (laboratory, the national health fund, the practice management system). A notice under the form, clear and specific, covers all of it.
What an auditor checks first
A practical order of checks, whoever is doing the checking: the supervisory authority, an internal auditor or an informed patient looking at the clinic before a visit. Everything here can be checked from the website alone, without going inside the clinic's systems:
- The privacy policy (it exists, it is linked in the footer, it is tailored to this clinic rather than copied off the internet).
- An information notice under every form (booking, contact, newsletter, webinar sign-up). Short, but listing everything from Art. 13 GDPR.
- The cookie banner and how it behaves. Are consents off by default? Can I refuse just as easily as accept? Does the pixel load only after acceptance?
- The consents ticked in the form. Are they separated (marketing separately, newsletter separately, third party separately)? Is none of them pre-ticked?
- Contact details for the DPO (if the clinic is required to appoint a data protection officer) or the controller's details.
- The patient reviews section. Full names? Photos? Is there consent to publish?
- Site encryption (HTTPS on every subpage, not just the homepage) and the configuration of basic security headers.
- Files leaked from an old CMS or form, accessible at a public URL (surprisingly common).
This whole list is an hour of checking with no special tools. A patient armed with patience or with dissatisfaction will do it themselves. The authority starts from the same place.
A privacy policy copied off the internet is worse than no policy
No policy is a clear breach and is quick to fix. A copied policy pretends to be compliant, but inside it references entities the clinic never had, legal bases that do not fit, and retention periods taken from e-commerce. An auditor needs five minutes to spot it.
A privacy policy for a clinic differs from a shop's policy in several places. The legal bases are different (mainly Art. 9(2)(h), not consent). The data recipients are different (laboratories, the national health fund, the practice management system provider, possibly other facilities in the network). The retention periods are different (20 years for medical records, a dozen or so months for bookings that never happened). The patient rights are different (the right to a copy of medical records under the Patients' Rights Act runs in parallel with GDPR and has its own deadlines).
If the clinic's policy mentions a 'buyer', an 'order' or a 'courier' anywhere, it was copied from e-commerce. That is the first thing to cut.
Cookies and marketing: where most clinics fall down
A cookie banner in the 'we use cookies, OK' style stopped being compliant years ago, but it still lives on most clinic sites. Three rules an auditor checks first:
- The marketing and analytics pixel loads only after explicit consent. Off by default, switched on by a deliberate action of the patient.
- Refusal must be as easy as acceptance. A 'Reject' button at the same visual level as 'Accept', not hidden under 'Settings'.
- Granularity of consents. Marketing separately, analytics separately, personalisation separately. One giant consent to everything does not meet the requirement that consent be freely given.
In practice, for most clinics an honest banner with three buttons (Accept all, Necessary only, Customise) and a simple integration with Consent Mode v2 on the Google side is enough. Implementation takes hours, not weeks. More important than the specific tool is the default: the pixel does not fire until there is consent.
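The three rules above, as an added example that is not the article's or EPKO's code: a small consent gate for the banner's three buttons. `gtag`, `dataLayer` and the storage-type names are Google's documented Consent Mode v2 vocabulary; `createConsentGate`, `registerTag`, `applyChoice` and the category names are this example's own assumptions, and the script loader is passed in so the gate can be exercised outside a browser.

```javascript
// Consent categories shown in the banner; "Customise" lets the patient pick per category.
const CATEGORIES = ["analytics", "marketing", "personalisation"];
// Presets behind the "Accept all" and "Necessary only" buttons.
const CHOICES = {
  accept_all: { analytics: true, marketing: true, personalisation: true },
  necessary_only: { analytics: false, marketing: false, personalisation: false },
};

// Map banner categories to Consent Mode v2 storage types (Google's documented names).
function toConsentMode(choice) {
  const v = (ok) => (ok ? "granted" : "denied");
  return {
    analytics_storage: v(choice.analytics),
    ad_storage: v(choice.marketing),
    ad_user_data: v(choice.marketing),
    ad_personalization: v(choice.marketing),
    personalization_storage: v(choice.personalisation),
  };
}

// dataLayer is the array Google's snippet reads; loadScript injects a <script> tag.
function createConsentGate(dataLayer, loadScript) {
  const state = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  const pending = []; // tags waiting for consent in their category
  const loaded = [];
  function gtag() { dataLayer.push(arguments); } // stock helper from Google's snippet
  // Rule 1: everything denied until the patient acts; Google tags honour this default.
  gtag("consent", "default", { ...toConsentMode(CHOICES.necessary_only), wait_for_update: 500 });

  // Non-Google pixels (Meta, Hotjar, TikTok) are registered on page load, not loaded.
  function registerTag(category, src) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category " + category);
    if (state[category]) { loadScript(src); loaded.push(src); }
    else pending.push({ category, src });
  }

  // Rules 2 and 3: "Accept all", "Necessary only" and "Customise" all call this with a
  // per-category object, so refusing takes exactly one click, like accepting.
  function applyChoice(choice) {
    for (const c of CATEGORIES) state[c] = Boolean(choice[c]);
    gtag("consent", "update", toConsentMode(state));
    for (let i = pending.length - 1; i >= 0; i--) {
      if (state[pending[i].category]) {
        const { src } = pending.splice(i, 1)[0];
        loadScript(src); loaded.push(src);
      }
    }
    return { ...state };
  }
  return { registerTag, applyChoice, loaded, pending };
}
```

On a live page the banner's buttons call `applyChoice` and the chosen state is persisted so the banner does not reappear on every visit. A later withdrawal sends a new `consent update`, but a pixel script that has already been injected stays in the page until it is reloaded.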
Patient reviews: where PR ends and GDPR begins
Patient reviews are one of a clinic's strongest sales tools. Patients read them before choosing a facility. The problem starts at publication.
The review text itself ('great service, highly recommend') is neutral. But 'Anna Kowalska, root canal treatment' is already two kinds of personal data at once: identifying data and information about a health service. Publishing such a review requires the patient's freely given, separate consent to publish.
Good solutions that work for sales and are safe:
- A reviews section in the form of thank-you notes ('Anna K., orthodontic treatment') after written consent. An initial and the general scope of the service.
- A Google Maps reviews widget. The patient leaves a review in their own profile and the clinic only displays what is public anyway. No transfer of data from the clinic's systems to the site.
- A video testimonial with a patient. Requires consent with a specific scope (voice, image, places of publication) and the right to withdraw consent in the future.
Google Maps reviews embedded in the site are, for 90% of clinics, the best version: they sell effectively, they are credible because the patient sees the star count and the date, and they require no special consent process from the clinic.
A patient newsletter: three traps
A newsletter is a good thing. Patients who came once come back. But a badly set up newsletter earns us an administrative fine and the patient's distrust at the same time.
Trap 1: a pre-ticked consent
An 'I want to receive the newsletter' checkbox cannot be ticked before the patient clicks. A pre-ticked box is not consent within the meaning of GDPR, and every version of the supervisory authority's guidance confirms it.
Trap 2: one consent for everything
A consent 'to process data for booking, marketing and sending partner offers' is not one consent, but three glued into one. Separating them is usually an hour of work. Conversion usually does not drop, because a patient who wants an appointment ticks the first checkbox and does not think about it any longer.
Trap 3: no double opt-in
The patient leaves an email address, we send an email with a confirmation link, the patient clicks. Only then are they on the list. The payoff: typos are filtered out, there are fewer spam complaints, deliverability improves, and there is an unambiguous evidence trail that the patient really did want the newsletter.
What a mistake costs
The maximum administrative fine under GDPR is EUR 20 million or 4% of annual turnover (the higher of the two applies). In practice the Polish authority has already imposed six-figure fines on medical facilities for patient data breaches. The more common route to trouble, though, is not a systemic inspection but a patient complaint.
The pattern is simple. A patient gets a newsletter they did not order, or sees themselves in a photo in the reviews section without consent, or receives information about their condition at the wrong address. They report it to the authority. The authority asks the clinic for an explanation, requests the record of processing activities, copies of consents and the policy. And that is when it turns out the policy is copied, the consents are glued together and there is no record.
An external audit of the site and processes runs into a few thousand zloty. An administrative fine and the cost of fixing things under time pressure are an order of magnitude higher.
The minimum plan: 8 things to fix this week
A list that closes 80% of the real risks for a typical clinic website:
- Review the privacy policy. Check that every word fits your clinic. Cut everything that does not.
- Add an information notice under every form (booking, contact, newsletter). Short, but specific.
- Turn off pre-ticked consents in forms. Each consent separately.
- Replace the cookie banner. The pixel loads only after consent. 'Reject' as visible as 'Accept'.
- Review the reviews section. Either switch to a Google Maps widget, or collect written consent for the ones already published.
- Turn on double opt-in for the newsletter if you do not have it.
- Check that HTTPS works on every subpage and that there are no old forms still wired to a former mailbox or CMS.
- Write down the list of entities with access to form data (hosting, agency, mailing, practice management system) and check that there is a data processing agreement with each.
The first four points can be done in a single day without developers. The rest need support from someone who knows the site from the inside, but still fit within a week.
GDPR does not block sales
The line most often repeated in practices: 'GDPR means I cannot show patient reviews or do effective marketing'. That is not true. You can do both, you just have to do it honestly.
A booking form with a correct information notice converts the same as one without it. A cookie banner with 'Reject' next to 'Accept' does affect the number of pixel consents, but that only means we have been collecting consents patients would not have given if they had a choice. A newsletter with double opt-in has a smaller base but a higher open rate and a lower bounce.
Well set up GDPR is invisible to the patient and invisible to the auditor. Badly set up, it goes off at both of those moments at once.
Instead of a summary
Most GDPR problems on clinic websites come from two sources: a policy copied off the internet, and marketing decisions made before anyone checked their legal implications. It is fixed quickly once you know where to look.
If you are planning a new clinic website, GDPR is cheapest to close at the design stage. See what a clinic website really costs in 2026 and how the choice between booking portals and your own booking system plays out. In each of these scenarios GDPR looks different and costs differently.
If you want to know how your site holds up
EPKO runs a GDPR audit of a clinic website as part of our Audit package. A scanner checks the technical side (HTTPS, headers, pixels, cookie banner), a checklist covers the visible elements (privacy policy, notices, consents, reviews). The result is a report with the three most important things to fix first and a list of smaller corrections. If you decide to work with us after the report, the audit price is deducted from the next package. You will find the current scope and price in our pricing, and to get started, leave your details on the contact page with a note 'clinic GDPR audit' and we will get back to you within one business day.