A lengthy discussion about the digitization and modernization of the German healthcare system has been followed by an obligation for health insurance companies to introduce electronic patient records (ePA). This regulation faces resistance from Germany's highest data protection authority (BfDI). On the basis of relevant commentary literature and considering the arguments put forward by the stakeholders, this study examines whether the authority's criticism is justified and whether the implementation of the ePA could constitute a violation of the GDPR. As a result of the study, no such violation can be determined. In particular, the conditions for effective consent to data processing are met. The introduction of the German ePA will take place in two stages, with the second stage including improvements regarding data protection. Thus, the result of the work can also be applied "a maiore ad minus" to the second stage, which is planned for 2022. It remains unclear whether the data protection authority (BfDI) will take further legal measures. This study also touches on other research topics, such as the "right to data processing" or the role of German data protection authorities in legislative processes.