AI record-keeping requires two things under GDPR. A legal basis under Article 6 combined with the exception in Article 9(2)(h). And a written data processing agreement under Article 28 with the vendor that processes patient data. Both must be in place before the tool is taken into use. The clinic is the data controller and carries the responsibility.
What is the legal basis for AI record-keeping under GDPR?
Health data is a special category of personal data under Article 9. The processing requires two layers at once: a basis in Article 6 and an exception from the prohibition in Article 9. For the healthcare sector the exception is Article 9(2)(h): processing for the purposes of preventive medicine, diagnosis and treatment. It is the same basis the record already rests on. The AI tool does not extend the purpose. It supports the record-keeping the clinic is already authorised to carry out.
Data minimisation under Article 5 means the tool may only process the information the task requires. A dictation during the consultation should become a note - not a data source the vendor uses for something else. The purpose limitation applies throughout. Data collected for record-keeping may not be reused for product development or model training without an independent basis. That point should be set out in black and white in the data processing agreement.
The duty to keep records follows from the authorisation act and the records order, not from GDPR. The authorised practitioner carries the record responsibility and cannot delegate it to a tool. The AI tool produces a draft. The note must be read and approved before it stands as a record.
What is a data processing agreement, and when do I need one?
A data processing agreement is the written contract that GDPR Article 28(3) requires between a data controller and a data processor. If an external AI vendor processes patient data on the clinic's behalf, the vendor is the data processor and the clinic is the data controller. The agreement must be concluded before processing begins. It binds the vendor to process data only according to the clinic's documented instructions.
That binding is what distinguishes a data processor from an ordinary vendor. Without the agreement, the vendor can in principle process data for its own purposes, and the clinic cannot document to Datatilsynet that the processing happens under control. The responsibility for having the agreement in place lies with the clinic as data controller - not with the vendor. If the agreement is missing, it is the clinic that is liable.
What must the data processing agreement contain?
Article 28(3) sets out the points the agreement must cover. Use the list as a checklist before you sign:
- Purpose and duration - what the data is processed for, and how long the processing runs.
- The type of data and categories of data subjects - here: health data about patients.
- Instruction binding - the vendor acts only on the clinic's documented instructions.
- Security - technical and organisational measures under Article 32, including encryption and access control.
- Sub-processors - who the vendor uses, and the clinic's right to be notified of changes.
- Assistance - the vendor's duty to help with access requests, deletion and breaches.
- Deletion or return at the end of the agreement, and documentation thereof.
- Audit - the clinic's right to carry out oversight, for example through an audit or audit report.
The agreement should also set the deadline for when the vendor must notify the clinic of a data breach. It is a precondition for the clinic to meet its own 72-hour deadline to Datatilsynet under Article 33.
At People's Clinic a data processing agreement is part of the setup. The transcription is deleted after up to 90 days, while the finished note remains in the clinic's record system under the clinic's control. Read more under data and security.
Where may patient data be processed geographically?
Sensitive patient data is processed within the EU/EEA, where GDPR applies directly. The data processing agreement must set out the countries in which the processing takes place and name sub-processors. If a transfer to a third country occurs, it requires a separate transfer basis under Chapter V - for example the EU Commission's standard contractual clauses - and an assessment of whether the protection in the receiving country genuinely matches the EU level.
People's Clinic processes data within the EU (Frankfurt) and does not transfer to third countries. This speaks to the uncertainty around US vendors that the Schrems II ruling raised when the EU Court of Justice in 2020 struck down the Privacy Shield and tightened the requirements for transfers to the US.
If you want to understand when AI record-keeping is lawful in the first place, read the full review under is AI record-keeping lawful.
This guide is general orientation about the rules - not legal advice. If you are in doubt about your clinic's situation, seek specific advice. The relevant authorities are Datatilsynet and Styrelsen for Patientsikkerhed.