In short: AI medical documentation is legal in Denmark. The law does not prohibit using AI as a support tool to write a note. It does set requirements for responsibility and data protection - and we cover those here.
Who is responsible for the record?
Responsibility lies with the authorised clinician - not with the tool. The AI produces a draft. The clinician reads it through, corrects it and approves it before it is saved. The duty to keep records applies unchanged. An AI tool does not change who is accountable for the content.
What does GDPR require?
Patient data is sensitive personal data. The processing must have a valid legal basis under the General Data Protection Regulation (GDPR), including the rules on special categories of data in Article 9. In practice, the data is processed as part of your treatment of the patient.
You must be able to document how data is processed, and process only what is necessary. This is known as data minimisation.
Do you need a data processing agreement?
Yes. When you use an external AI provider to process patient data, the provider acts as a data processor. GDPR (Article 28) then requires a data processing agreement between the clinic and the provider. The agreement sets out, among other things, where data is processed, how it is secured and when it is deleted.
At People's Clinic, data is processed within the EU, and you receive a data processing agreement as part of the setup. Read more under data and security.
Does the patient need to be informed?
The patient must be informed that an AI tool is used to support the documentation. It is good practice for the consent to be noted in the record. The transcription is deleted after up to 90 days, while the finished note remains in your record system under your control.
Where may data be processed?
Sensitive patient data must be processed within the EU/EEA or under equivalent protection. People's Clinic processes data within the EU. The data is not sent to US jurisdiction.
What about the EU AI Act?
The EU's AI regulation (AI Act) sets requirements for AI in the healthcare sector - including on transparency and accountability. Which requirements apply to AI in the clinic, and what you as a clinic should be aware of, we look at more closely in a separate guide.
This guide is general information about the rules - not legal advice. If you are unsure about your clinic's situation, seek specific advice. The relevant authorities are Datatilsynet (the Danish Data Protection Agency) and Styrelsen for Patientsikkerhed (the Danish Patient Safety Authority).