Doctolib in the spotlight of the supervisory authority


In the current annual report of the Berlin Commissioner for Data Protection and Freedom of Information, the supervisory authority reports on investigations into the Doctolib portal for doctors. According to the office, there were two factors that led to the initiation of an investigation into the company. The head of the German subsidiary Doctolib has dismissed all criticism. In this article, we took a closer look at the cause and the subject of the investigation.

Search and book doctor and therapy appointments online

The knee is thick, the back hurts, and also: has this mole always been so big? In such cases, it is better to contact a specialist. Anyone who then picks up the phone to make an appointment will in most cases have to take a close look at the calendar: Indeed, it’s only June, but the earliest free appointment with a specialist doctor is only at the end of November …

This or something similar has probably already happened to many readers. Often, there is nothing left but to accept the long waiting times or call one office after another all day long. How convenient there is something on the Internet!

Doctolib: In healthcare

This is how the French company advertises itself on its German-language website, which is run by a branch based in Berlin. Despite over four million users in Germany for a month this company does not necessarily say something to everyone right away. So what is Doctolib and why has the company been audited by the Berlin supervisory authority?

Doctolib is an e-health service provider, and more specifically, patients can use the online booking portal to make appointments with medical and therapeutic practitioners online. Patients can use the company’s website or their own mobile app to easily find a doctor’s office in a specific area using the search bar, and even book an online video consultation. Entering your approximate specialization and location is enough to display those of the approximately 300,000 registered medical and therapeutic practices that, for example, still have vacancies for the near future. All of this is free for patients.

Pretty practical! This is also what the administration of the Berlin Senate thought. In November 2020, in the midst of the corona crisis, the administration commissioned Doctolib to coordinate vaccination dates for Berlin citizens.

Reason for visit: Particularly sensitive

Another free specialist appointment can be booked quickly and easily via the portal. All you need is a Doctolib user account. It is not possible to make an appointment as a guest. Well, the user account is set up quickly. We only ask for your e-mail address, date of birth and telephone number to receive an appointment reminder via SMS.

Once you have finished setting up your account, all you need to do is provide information about how you are insured and the reason for your visit.

  • Reason for visit: new patient’s hip / knee / ankle.

You can choose from different categories of reasons for your visit. They vary from specialist to specialist. However, just skipping the “Reason for visit” tab does not work. This information is mandatory information required to book the appropriate appointment. Somehow understandable: medical practices need this information in order to make preparations if necessary or to be able to offer different appointments. For example, a simple blood donation does not require treatment by a medical practitioner, so an appointment is usually available much earlier than the first extensive examination of the painful knee.

Reason for visit “New patient hip / knee / ankle” has been entered and you can now make an appointment. This statement is also not difficult, it is not unpleasant, and it will not embarrass very few people. This may be different if you are looking for medical practices in other disciplines, if you have a medical issue that you don’t like to talk about.

  • Treatment specialist: urologist.
  • Reason for visit: urinary incontinence advice.

Doctors are bound by professional secrecy and have daily contact with particularly sensitive patient data. Health data is one of the special categories of data within the meaning of Art. 9 GDPR. There are much greater obstacles to lawful processing than in the case of ordinary personal data. If you enter a compulsory reason for visiting Doctolib, the user’s physical or mental health status can be determined at this point. Fortunately, only a selected doctor’s office learns about it.

Two references to data transfer in Doctolib

“Security analysts determined that the data was sent to a US company and thus to an uncertain third country.”

Such an allegation is found in the current annual report of the Berlin Commissioner for Data Protection and Freedom of Information of 2021 (chapter 6.6 of the report). The report shows that the reason for the initiation of the investigation by the supervisory authority was based on two factors.

One of such tips could be the test “”, which took place in the summer of 2021. It turned out that the Doctolib application was sharing sensitive information with two American companies, Facebook and Outbrain. When the application user closed the data protection declaration with “Allow”, the application regularly sent the so-called GET requests. In addition to your IP address, information about search queries was also transmitted in the cookies. So, if you searched for a urologist on the app and entered the reason for your visit as “Consultative vasectomy sterilization man,” this information has been shared with Facebook and Outbrain. Information on whether you have statutory or private insurance has also been shared with the platforms.

Doctolib reacted immediately upon disclosure of this vulnerability, deleted the responsible cookies, and instructed Facebook and Outbrain to immediately delete user health data that had been uploaded up to that point. After the test, Facebook confirmed that incorrect implementation of the tool led to inadvertent transmission of health data by Doctolib. However, they were sorted by the filter and not even processed by Facebook. According to Doctolib, the advertising platform Outbrain has also confirmed the deletion of the submitted user health data.

According to the Berlin supervisory authority, a data protection breach cannot be ruled out.

Big Brother Awards 2021

Last year, Doctolib won the Big Brother award in the “Health” category for not only this fault, but many other tipping points. The negative award is based on expert opinion, which goes beyond the cookies used by Doctolib. The approach to implementing the Doctolib system in interested medical practices was criticized. After expressing interest, a Doctolib employee should have access to the entire physician information system and the patient master record stored therein. Basically, a medical practice can make use of the processor.

“But this relationship of trust [zwischen Arzt und Patient:innen] will be breached in a criminal manner at the latest when Doctolib obtains data from patients from the physician’s system who do not make an appointment or even do not have an account with Doctolib, and when the persons concerned are not informed of such data transfer.

Second complaint: Vaccination visits

In addition to the possible data transfer to two US companies, the allocation of vaccination dates by the end of 2020 is also under investigation by the Berlin supervisory authority. In November 2020, the Berlin Senate Administration commissioned Doctolib to coordinate Corona vaccination dates in Berlin. Doctolib was supposed to act as a processor. The report shows that commissioning a private enterprise to perform this important task does not deserve criticism (point 1.3.1 of the report). But two facts, on the one hand, the order was not based on an order fulfillment contract, and on the other, Doctolib did not adhere to its limitations as a processor.

Inhabitants of Berlin who wanted to book a vaccination date online at one of the Berlin vaccination centers during the vaccination campaign in progress could not avoid Doctolib due to the lack of other solutions in this state. However, to use it, they had to create a user account with Doctolib. This resulted in a separate contractual relationship between the company and its users.

The processor becomes the controller

It is this independent contractual relationship between users and Doctolib that has now attracted the attention of the supervisory authority. The annual report says:

“The processing of company data in connection with the creation of a user account is therefore carried out for the performance of the contract concluded between the company and the user in question. As a result, the company resigns from the role of a processor for the responsible administration of the Senate and itself acts as a data protection officer. “

According to the report, the Berlin supervisory authority informed the Senate administration at an early stage. The report also states in harsh words:

“It is incomprehensible to us that the responsible Senate administration has so far ignored our repetitive instructions on how the company was involved as a processor to arrange visits to vaccination centers.”

According to the report, the Senate administration has now ensured that user accounts that were created for the sole purpose of scheduling immunization dates will also be deleted due to Doctolib meeting the target.

The Senate Administration, on the other hand, sees users’ responsibility to delete their own accounts when they no longer need them. The Berlin data protection officer was also involved in the coordination with the Doctolib provider. Any criticism that appeared in the annual report has been dismissed.

rejection of all criticism

The head of the German subsidiary Doctolib GmbH, Nikolay Kolev, has now dismissed any criticism from the Berlin commissioner for data protection and freedom of information. He told a German news agency that the company “stored data on highly secure servers.” They are located in Germany and France, so the data is not transferred to the USA. The company is not able to explain where the accusation came from in the annual report of the supervisory authority.

Doctolib also does not have direct access to patient data. They are encrypted.

Online visits or a proven method?

Let’s be honest: the idea of ​​Doctolib and centralized appointment scheduling for doctors via the web portal is basically effective and therefore very much appreciated. Searching for free appointments with a specialist nearby allows you to start the upcoming treatment faster. In addition, digitally booking appointments can also bring personal benefits to one or the other. For example, those who find it difficult to answer the phone due to inhibitions or embarrassment about the visit may be better able to overcome this threshold by making an appointment online. For some, clicking is easier than making a phone call.

But this lack of distortion also has its pitfalls, especially when it comes to particularly sensitive health data that we don’t generally want to disclose, or at least to a very specific group of people.

It remains to be seen whether and how the investigations will be endorsed by the Berlin supervisory authority. Everyone has to decide for themselves whether they use the internet portal to make an appointment with a doctor or prefer a dusty phone.

Leave a Comment