E-Rezept & GDPR: What Every German Pharmacy Must Know (2026)
Most pharmacy teams are confident their AVS handles the technical side correctly. Far fewer have clarity on the legal side: which GDPR articles apply, whether their software contracts actually comply, what the 100-day retention rule means in practice, and what the connection between E-Rezept and the new electronic patient record (ePA) means for patients who ask questions.
This guide covers exactly that — the concrete GDPR obligations your pharmacy has under the E-Rezept system, written in plain language, not legal jargon.
Why the E-Rezept Is a GDPR Matter
Prescription data is health data. Health data is a special category of personal data under Article 9 of the GDPR (DSGVO). This is not a grey area: it is among the most sensitive categories of personal data recognised in EU law, sitting alongside genetic data, biometric identifiers, and data revealing ethnic origin or religious belief. What this means in practice: an ordinary Article 6 legal basis (such as legitimate interests) is necessary but not sufficient on its own. Article 9(1) prohibits processing health data unless one of the specific exceptions in Article 9(2) applies, so you need a legal basis that specifically permits processing of health data, and you must be able to demonstrate it.
Your Legal Basis for Processing E-Rezept Data
Pharmacies processing E-Rezept data operate under a dual legal basis — one required by GDPR, one by German national law:
Article 9(2)(h) GDPR — Healthcare provision
Processing health data is permitted when it is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health care or treatment, or the management of health care systems. This is the primary legal basis for your E-Rezept processing. Note the condition attached to it in Article 9(3): the data must be processed by, or under the responsibility of, a professional bound by an obligation of professional secrecy. Pharmacists meet this condition, but it is another reason to keep access to prescription data within the pharmacy team.
§22 BDSG — German national implementation
In Germany, §22(1)(1)(b) of the BDSG explicitly permits processing of health data in healthcare contexts, subject to appropriate safeguards. Together, Art. 9(2)(h) GDPR and §22 BDSG form the two-part legal foundation.
You do not need individual patient consent to process E-Rezept data — the healthcare provision ground covers the dispensing workflow. However, consent may be required for secondary uses of that data (e.g., marketing).
The Data Processing Agreement Your AVS Provider Must Have
If your pharmacy management software (AVS) provider processes patient data on your behalf, you are legally required to have a signed Data Processing Agreement (DPA — Auftragsverarbeitungsvertrag, AVV) with them under Article 28 GDPR.
What is a DPA?
A DPA is a contract between you (the data controller) and your software provider (the data processor). It sets out what data they process, for what purpose, under whose instructions, and what security measures they implement. Without a signed DPA, your software contract is not GDPR-compliant.
Who needs a DPA with you?
Your AVS provider, any cloud-based service storing patient data, third-party analytics/CRM tools, IT service providers with access to patient data (including remote-maintenance access), and any online pharmacy platform/app provider. You do not sign an AVV with gematik or the operator of the E-Rezept-Fachdienst: responsibility for the central TI components is assigned by statute (SGB V), not by a contract with each individual pharmacy.
Data Retention: The 100-Day Rule Explained
E-Rezept data stored on the central E-Rezept-Fachdienst follows a specific retention schedule established by gematik:
- Redeemed E-Rezepts: Stored for 100 days after redemption, then automatically deleted from the Fachdienst.
- Unredeemed E-Rezepts: Deleted 10 days after the last possible redemption date.
- Pharmacy enrichment data: When your pharmacy marks a prescription as redeemed and adds dispensing details, this enriched data is stored as part of the 100-day record.
The Fachdienst handles its own deletion schedule automatically. What you do manage is your local AVS records. Ensure your AVS retention settings are configured correctly for billing and documentation purposes under ApBetrO.
The ePA Connection
Since the rollout of the new electronic patient record (ePA) from early 2025, E-Rezept information is automatically copied into the patient's ePA by default. This happens unless the patient has actively opted out of their ePA or specifically opted out of the 'digital medication process support' function. Train your team to explain the ePA data flow clearly: the ePA copy is automatic by default, controlled by the patient's ePA settings, and managed separately from the E-Rezept-Fachdienst.
Your GDPR Obligations at a Glance
| GDPR / DSGVO Obligation | What It Means for Your Pharmacy |
|---|---|
| Art. 9 GDPR — Special category data | Prescription data is health data. In addition to an Art. 6 basis you need a specific Art. 9(2) ground, typically Art. 9(2)(h) + §22 BDSG. |
| Art. 28 GDPR — DPA | You must have a signed DPA (AVV) with your AVS provider, any cloud service, and any third-party system. |
| Art. 13/14 GDPR — Transparency | You must inform patients how their data is processed — via a visible privacy notice at the counter and website. |
| Art. 32 GDPR — Technical measures | TI connection security, encrypted data transfer, access controls on your AVS. ECC connector upgrade is part of this. |
| Art. 35 GDPR — DPIA | Required for large-scale processing of health data or for new technologies with high risk to patients. Routine E-Rezept dispensing in a single pharmacy is normally not large-scale (Recital 91 GDPR), but document that assessment and revisit it when you introduce new systems such as apps or AI tools. |
| §38 BDSG + Art. 37(1)(c) — DPO | Mandatory if 20+ persons in automated processing, or if core activity is large-scale health data processing. |
Technical & Organisational Measures: What You Must Have
Article 32 GDPR requires appropriate technical and organisational measures (TOMs) to protect personal data.
Technical measures
Active TI connection with current connector firmware, encrypted data transmission, role-based access controls on your AVS, secure workstations at dispensing counters, and regular software updates.
Organisational measures
Staff training on data protection, a documented data retention policy, a privacy notice visible at the counter, a process for handling Subject Access Requests (SARs), and a data breach response plan.
Frequently Asked Questions
Is the E-Rezept system itself GDPR-compliant?
The central infrastructure is designed for it. The E-Rezept-Fachdienst is operated on behalf of gematik within the EU/EEA, and the TI encryption standards and data deletion schedules are designed to meet GDPR requirements. That does not make your pharmacy compliant by itself: your obligations are to manage your local processes, contracts and systems correctly.
Can I share patient prescription data with a marketing partner?
No — not without a separate, explicit, freely given patient consent. The healthcare provision ground that covers dispensing does not extend to marketing uses.
What happens if there is a data breach involving E-Rezept data?
Under Art. 33 GDPR you must notify your competent state data protection authority (Landesdatenschutzbehörde) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to patients; if you notify later, you must explain the delay. Under Art. 34 GDPR you must also inform the affected patients directly if the breach is likely to result in a high risk to them. Document every breach internally, including those you decide not to report, and be aware that a breach at your AVS provider or another processor is still your breach to report: your AVV should oblige them to inform you without undue delay.
A patient asked me to delete their E-Rezept data. What do I do?
Patients have the right to erasure under Art. 17 GDPR, but the right does not apply where you are legally required to keep the data (Art. 17(3)(b)). Billing records and dispensing documentation required by law (ApBetrO) therefore cannot simply be deleted on request. Assess each request against your documented retention policy, delete what is not covered by a statutory retention duty, and tell the patient within one month what you deleted and why the rest must be kept.
About Mediloon
Mediloon is a Leipzig-based healthtech company building digital infrastructure for German pharmacies, including E-Rezept integration, pharmacy apps, Click & Collect, Botendienst coordination, and the Medi AI assistant. This article is part of Mediloon's pharmacy digitalisation guide series. It is intended as general operational and regulatory information. For specific legal or compliance queries relating to your pharmacy's data processing, consult your regional Apothekerkammer or a qualified legal advisor.
