Can my doctor share my medical records?
Verdict: Care team yes — everyone else needs your say-so or a law
Health data is the most protected category there is. Sharing inside your treatment is normal; sharing with employers, insurers or family needs your explicit consent or a specific legal gate — and you can see your file.
Health data sits in Art. 9 — prohibited to process except through narrow gates, of which treatment itself is the big one: doctors, hospitals and pharmacists involved in your care share what care requires, under professional secrecy. National e-health record systems run on their own statutory gates and almost always give you opt-outs and access logs — checking who opened your record is a right worth using; snooping staff get fired and fined across Europe. Where your explicit consent is required: your employer (a doctor may confirm fitness for work at most where occupational-health law says so — diagnoses never travel to HR), private insurers (they may ask you to authorise disclosure; read the scope of what you sign and narrow it), family members (adult records are closed to relatives without consent, safeguarding emergencies aside), researchers (consent or a specific national research gate with safeguards). Your access: Art. 15 covers your full file including notes and images — expect a copy within a month; national patient-rights laws often add faster or broader routes. Coming: the European Health Data Space — EU rules phasing in over the next years to make records portable across borders for your treatment, with secondary research use under opt-outs; timelines on What’s changing. A breach of medical confidentiality is simultaneously a GDPR case, a professional-discipline case and often a crime — report on all three tracks; the DPA is the easiest to start.
Verified against the sources above on 18 July 2026. Information, not legal advice.