GDPR for dental practices in Belgium
Steven | TrustYourWebsite · 12 June 2026 · Last updated: June 2026
Dentists process special categories of personal data (health data) and are therefore subject to the strictest GDPR rules. The GBA/APD, the Belgian data protection authority, holds healthcare providers to higher expectations than ordinary SMEs.
This guide covers the practical obligations for a Belgian dental practice: the correct legal basis for patient data, the retention periods from the Quality Act, the processing register, the breach notification duty and the requirements for your practice website. Want to know quickly whether your practice website passes? Run the free scan and you get an instant overview of the risk points.
Patient data as a special category
Everything you keep about a patient is potentially health data: medical history, treatment reports, X-rays, medication details, allergies. These are special categories of personal data within the meaning of Article 9 GDPR.
The correct legal basis – a common mistake. Many practices believe they must have patients sign a consent form before they may keep a record. That is incorrect. Processing health data to provide care rests on Article 9(2)(h) GDPR (provision of health care), provided it is carried out by or under the responsibility of a professional bound by professional secrecy (Article 9(3)) – which a dentist is. Choosing consent as the basis is in fact risky, because a patient could withdraw it while you remain legally obliged to keep the record.
You do need explicit consent for processing outside the care relationship: newsletters, recall emails with commercial content, before-and-after photos on your website or social media.
Extra obligations for special categories:
- Keep a record of processing activities (see below, always mandatory for a practice)
- Appropriate technical and organisational security measures
- Strict access restriction: authorised staff only
- Processor agreements with practice software, lab portals and cloud providers – see our guide on the data processing agreement for your website
The e-health platform and Belpic
Belgian healthcare providers use the e-health platform for electronic prescribing, consulting patient records and communicating with health insurance funds. This platform is supervised by the eHealth agency and the GBA/APD.
Your obligations when using e-health:
- Use only registered and approved software packages
- Ensure secure access (two-factor authentication via eID or Itsme)
- Limit access to patient records to the treating care providers
- Document who has access and why
Retention periods: what the Quality Act really says
The retention period for patient records has been fixed by law since 2022 in Article 35 of the Quality Act (law of 22 April 2019 on quality healthcare practice), with Articles 33 to 35 in force since 1 January 2022. The rule is uniform: the patient record is kept for a minimum of 30 years and a maximum of 50 years, counted from the last patient contact.
Watch out for a persistent myth: the rule "keep minors' records until their 48th birthday" is not current law. That figure was an old prudential rule of thumb (18 years + 30 years) that was never written into the law, and the Quality Act has no separate rule for minors. Keeping records of young patients longer remains lawful as long as the maximum of 50 years after the last contact is not exceeded – a defensible cautious practice, but not a distinct legal obligation. See also the FAQ of the Order of Physicians on the retention of patient records.
| Type | Retention period | Source |
|---|---|---|
| Patient record (adult and minor) | Minimum 30, maximum 50 years from the last patient contact | Art. 35 Quality Act |
| Accounting records | 10 years for books and supporting documents from 2023 (law of 20 November 2022, economie.fgov.be) | Accounting law |
| Consent documents (for processing outside care) | Duration of the processing plus an evidence period | GDPR accountability |
After the retention period you have chosen expires (and at the latest 50 years after the last contact), records must be destroyed securely: paper records shredded, digital records deleted from the practice software and from backups and exported copies, and the destruction logged.
Practical: applying the 30-to-50-year rule in your practice. Make sure your practice software records the date of the last contact per patient – that is the legal starting point of the period, not the date of first registration. Plan an annual clean-up round in which you identify records that have reached the period you have chosen (pick one fixed period between 30 and 50 years and document it in your processing register), and document the destruction: what, when and how. A patient who returns after years starts a new clock from the new contact.
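As an added example, not code from the article or from any practice software: a small Python script that applies the rule above to a constructed set of records. The record layout, the field names and the three sample patients are assumptions for illustration. It refuses a period outside the 30-to-50-year window, counts from the last contact rather than the first registration (so a returning patient is not selected), handles a 29 February last contact, and produces the what/when/how entries the clean-up round should log.

```python
"""Retention clean-up under Art. 35 of the Quality Act.

Added example, not code from the article: it applies the 30-to-50-year
rule to a constructed set of records. The record layout, the field
names and the sample patients are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date

MIN_YEARS = 30  # statutory minimum, counted from the last patient contact
MAX_YEARS = 50  # statutory maximum


@dataclass(frozen=True)
class PatientRecord:
    record_id: str
    first_registration: date  # deliberately unused for the period
    last_contact: date        # the legal starting point of the period


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def validate_period(chosen_years: int) -> int:
    """The period the practice documents must sit inside the statutory window."""
    if not MIN_YEARS <= chosen_years <= MAX_YEARS:
        raise ValueError(
            f"retention period {chosen_years} years is outside the "
            f"{MIN_YEARS}-{MAX_YEARS} year window of Art. 35"
        )
    return chosen_years


def retention_end(record: PatientRecord, chosen_years: int) -> date:
    """Date on which the practice's documented period lapses for this record."""
    return add_years(record.last_contact, validate_period(chosen_years))


def must_still_keep(record: PatientRecord, today: date) -> bool:
    """True while the statutory minimum has not lapsed: destroying now is unlawful."""
    return add_years(record.last_contact, MIN_YEARS) > today


def over_maximum(record: PatientRecord, today: date) -> bool:
    """True once 50 years have passed: keeping the record longer is no longer lawful."""
    return add_years(record.last_contact, MAX_YEARS) <= today


def records_due_for_destruction(records, chosen_years, today):
    """Records whose documented period has lapsed on `today`.

    Only last_contact matters: a patient who returns after years restarts
    the clock from the new contact, so a record with an old
    first_registration but a recent last_contact is not selected.
    """
    return [r for r in records if retention_end(r, chosen_years) <= today]


def destruction_log(records, chosen_years, today, method):
    """Accountability entries (what, when, how) for the annual clean-up round."""
    entries = []
    for r in records_due_for_destruction(records, chosen_years, today):
        assert not must_still_keep(r, today)  # belt and braces against a bad period
        entries.append({
            "record_id": r.record_id,
            "last_contact": r.last_contact.isoformat(),
            "period_years": chosen_years,
            "destroyed_on": today.isoformat(),
            "method": method,
        })
    return entries


# Constructed sample data: three records and a fixed reference date.
TODAY = date(2026, 6, 12)
SAMPLE = [
    PatientRecord("P-0001", date(1990, 3, 12), date(1994, 6, 1)),    # 32 years since last contact
    PatientRecord("P-0002", date(1985, 1, 9), date(2019, 11, 20)),   # old file, patient returned in 2019
    PatientRecord("P-0003", date(2000, 2, 29), date(2000, 2, 29)),   # leap-day last contact
]

if __name__ == "__main__":
    for entry in destruction_log(SAMPLE, 30, TODAY, "paper shredded, database row and backups purged"):
        print(entry)
```

Run it once a year against an export from your practice software, keep the resulting entries with the processing register, and purge the rows from backups as well. With the sample data and a documented period of 30 years only P-0001 is selected; with 35 years nothing is, which is exactly why the chosen period has to be written down rather than left to whoever runs the script.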
Breach notification duty
A data breach (Article 4(12) GDPR) is any breach of security that leads to the accidental or unlawful destruction, loss or alteration of personal data, or to unauthorised disclosure of or access to it. Note that destruction and loss count: losing the only copy of a record is a breach even if nobody else ever saw it.
Examples in a dental practice:
- Hacking attack on your practice software
- Stolen or lost laptop containing patient data
- Fire or water damage destroying paper records
- Email containing patient data sent to the wrong recipient
Procedure:
- Establish the breach and document the facts
- Assess the severity: how many patients, what data, what risk?
- Report to the GBA/APD without undue delay and no later than 72 hours after you became aware of the breach (Article 33 GDPR), via the notification page on gegevensbeschermingsautoriteit.be (in French via the APD contact page). The only exception is a breach that is unlikely to result in a risk to the people concerned; with health data that exception will rarely apply, and every breach, reported or not, must still be documented internally (Article 33(5))
- If there is a high risk for patients: also inform the affected individuals directly and without undue delay (Article 34 GDPR)
Do not forget mailbox hygiene. On 12 May 2026 the GBA/APD announced three fines, including €176,000 for an employer that kept a former employee's mailbox active for roughly a year. Translated to a practice: close the accounts of departed assistants or fellow dentists immediately and set up a clean referral message.
How big is the enforcement risk really?
There is no published GBA/APD decision against a Belgian dental practice between 2023 and 2026. The €10,000 fine for refusing access to a patient record that circulates in the sector is a decision by the French authority (CNIL), not by the GBA/APD – do not treat it as a Belgian precedent.
The real risk lies elsewhere: the generic obligations are enforced against comparable SMEs, and one unhappy patient is enough to open a file. The GBA/APD works complaint-driven, and Decision 87/2024 shows how fast it can go – a company that kept sending marketing messages after an erasure request and objection received a fine of €172,431 in a case that started with a single complaint from a single customer over €1.50. For a practice that sends recall messages, birthday emails or newsletters, the lesson is simple: honour every objection and every erasure request (within the limits of your legal retention duty) immediately and demonstrably.
Your dental practice website
Your practice website processes personal data as soon as it has a contact form or an online appointment system.
Mandatory:
- Privacy policy reachable via the footer: describes the data processing for patient contact and appointments
- Cookie banner if you use analytics (Google Analytics): placing or reading cookies and identifiers on the visitor's device requires consent under the Belgian cookie rules, and what is collected (IP address, pages visited) is personal data – and the fact that someone visits a dentist's website, let alone which treatment page, can already reveal something about their health
- Company number (KBO/BCE) visible in the footer, a legal requirement for all Belgian businesses
- Contact form and appointment system served only over HTTPS, with plain HTTP redirected, so that what a patient types cannot be read in transit
Strict rules apply to the cookie banner in Belgium: the GBA cookie checklist (October 2023) requires a "reject all" button on the first layer that is as prominent as "accept all", prohibits pre-ticked boxes, and states that even first-party analytics require consent. Our guide to the cookie banner requirements in Belgium covers the full checklist. Pay particular attention to the booking module – the reason for the visit ("extraction", "periodontitis") is health data, so never route it through analytics or marketing tools.
Record of processing activities: always mandatory for a practice
In practice a dental practice must always keep a record of processing activities. The exemption in Article 30(5) GDPR for organisations with fewer than 250 employees falls away as soon as the processing is likely to result in a risk, is not occasional, or includes special categories of data – the three conditions are alternatives, any one suffices – and keeping patient records is structural processing of health data, so it fails on every count. The GBA/APD confirms this in its FAQ brochure for SMEs: the exemption is interpreted very restrictively.
The register describes which data you process, for what purpose, by whom, for how long, and which security measures you take.
Practical checklist for dentists
| Item | Required? |
|---|---|
| Legal basis Art. 9(2)(h) documented for care provision | Yes |
| Separate consent for marketing and photos | Yes |
| Privacy notice for patients | Yes |
| Processor agreement with practice software | Yes |
| Secure access to patient records | Yes |
| Retention period of 30-50 years from last patient contact applied | Yes |
| Data breach procedure in place | Yes |
| Record of processing activities | Yes |
| Mailboxes of former staff closed promptly | Yes |
| Privacy policy on the website | Yes |
| Cookie banner on the website | Yes |
| Company number in the footer | Yes |
Common questions
Are dental records special category personal data under GDPR?
Yes. Patient data including medical history, treatment reports, X-rays and medication details are health data, special categories of personal data within the meaning of Article 9 GDPR. They require extra protection.
How long must I keep patient records as a dentist in Belgium?
Article 35 of the Quality Act (law of 22 April 2019, with Articles 33 to 35 in force since 1 January 2022) sets one uniform rule: the patient record is kept for a minimum of 30 years and a maximum of 50 years, counted from the last patient contact. There is no separate legal rule for minors.
Do I need the patient's explicit consent to keep their record?
No, not for the treatment itself. Processing health data to provide care rests on Article 9(2)(h) GDPR (provision of health care), carried out by or under the responsibility of a professional bound by professional secrecy (Article 9(3)). Explicit consent is needed for other purposes, such as marketing or a newsletter.
Am I obliged to report a data breach to the GBA/APD?
Yes, with one narrow exception. If there is a breach of the security of personal data (for example a hacking attack, a lost laptop or a fire in the archive), you must report it to the GBA/APD without undue delay and within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people concerned – which will rarely be the case for health data. Every breach, reported or not, must be documented internally. If the breach poses a high risk to patients, you must also inform the patients directly.
Check your practice website for free
See also our GDPR checklist for Belgian businesses for the obligations that apply to every Belgian website.
Sources
- Regulation (EU) 2016/679 (GDPR), Article 9 (special categories) and Article 33 (breach notification) (eur-lex.europa.eu)
- Quality Act of 22 April 2019, Art. 35 (ejustice.just.fgov.be)
- Order of Physicians, FAQ on the retention of patient records (ordomedic.be)
- Domus Medica, entry into force of the Quality Act (domusmedica.be)
- Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (ejustice.just.fgov.be)
- GBA/APD, FAQ brochure for SMEs (processing register) (gegevensbeschermingsautoriteit.be)
- GBA, Sensitive data (health) (gegevensbeschermingsautoriteit.be)
- GBA cookie checklist, October 2023 (gegevensbeschermingsautoriteit.be)
- APD, Decision on the merits No. 87/2024 (autoriteprotectiondonnees.be)
- GBA, the Litigation Chamber imposes 3 fines, 12 May 2026 (gegevensbeschermingsautoriteit.be)
- GBA, reporting a data breach (gegevensbeschermingsautoriteit.be)
- APD, contact page (breach notification unit) (autoriteprotectiondonnees.be)
- eHealth agency (ehealth.fgov.be)
- FPS Economy, retention of accounting books and records (law of 20 November 2022) (economie.fgov.be)
This is technical analysis, not legal advice. Consult a qualified lawyer for specific legal guidance.