GDPR compliance in healthcare: a practical guide for clinicians

Understand GDPR obligations for clinicians: lawful bases, patient rights, data sharing, AI tools, and practical compliance steps for daily clinical practice

General Data Protection Regulation (GDPR) obligations fall on every person who handles patient data, not just information governance teams or legal departments. For clinicians working across primary care, secondary care, and private practice, routine activities such as writing clinical notes, sending referrals, or using a third-party AI medical assistant all carry specific legal responsibilities. Understanding those responsibilities in practical terms matters, particularly as digital health tools, remote consultations, and cross-border data flows become standard features of clinical work.

Why healthcare data receives special protection under GDPR

Under Article 9 of the GDPR, health data is classified as a "special category" of personal data, attracting a higher level of legal protection than standard personal information such as a name or address. This classification reflects the particular sensitivity of medical information and the potential for serious harm, including discrimination, stigma, or financial disadvantage, if it's disclosed without authorisation.

In practice, this means that processing health data requires not only a lawful basis under Article 6 (which applies to all personal data) but also a separate, additional condition under Article 9(2). For clinicians, the most relevant of these conditions are medical treatment and public health. The requirement to satisfy both layers simultaneously is a foundational compliance obligation that applies to every clinical encounter.

The European Data Protection Supervisor has consistently emphasised that special category status also requires organisations to implement privacy-by-design principles and robust safeguards. This applies not merely to avoid active misuse, but to prevent discriminatory profiling and protect data throughout its lifecycle, including in innovation-driven processes such as clinical trials and mobile health applications.

A peer-reviewed comparative analysis published in 2025 confirmed that GDPR mandates comprehensive accountability measures for medical data, and that health information is subject to additional ethical and professional safeguards beyond those required for standard personal data under comparable frameworks such as HIPAA (Health Insurance Portability and Accountability Act).

The lawful bases clinicians actually use

Most clinical data processing in direct care settings relies on the following lawful bases (an Article 9(2) condition, paired with an Article 6 basis):

  • Article 9(2)(h) GDPR — processing necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems. This is the principal basis for routine clinical documentation, referrals, and multidisciplinary team discussions.

  • Article 6(1)(c) — processing necessary for compliance with a legal obligation (for example, mandatory reporting of notifiable diseases).

  • Article 6(1)(e) — processing necessary for the performance of a task carried out in the public interest, which applies primarily to National Health Service and publicly funded healthcare organisations.

As heyData's compliance guidance for medical practices notes, explicit consent isn't always required. Medical necessity and legal obligation are valid and appropriate alternatives in the majority of direct care scenarios. Clinicians don't need to obtain a separate GDPR consent form from a patient before writing a clinical note or sending a discharge summary to another treating clinician.

Patient consent in clinical settings: when you need it and when you don't

One of the most persistent misconceptions in clinical settings is that GDPR requires explicit patient consent for all data processing. In direct care, this isn't the case. Drata's healthcare compliance guide makes clear that consent is only one of several valid lawful bases, and that in many clinical contexts it's not the most appropriate one.

Consent under GDPR must be freely given, specific, informed, and unambiguous. In a clinical relationship, where there's an inherent power imbalance between patient and clinician, relying on consent as the primary lawful basis for routine treatment data can be problematic. Patients may feel unable to refuse without affecting their care.

Consent is the appropriate lawful basis when:

  • Processing data for research purposes not covered by a separate research ethics framework

  • Using patient data for marketing or commercial communications

  • Sharing identifiable data with third parties outside the direct care team for purposes unrelated to treatment

  • Deploying optional digital health tools that process personal data beyond what is clinically necessary

For routine clinical documentation, referrals, discharge summaries, and multidisciplinary communication, Article 9(2)(h) provides the lawful basis without requiring separate consent, provided the processing is necessary for and proportionate to the clinical purpose.

What counts as a GDPR breach in a clinical context

A personal data breach is defined under GDPR as any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In healthcare, breaches often don't result from external cyberattacks. They arise from everyday clinical workflows.

Common examples recognisable in clinical practice include:

  • Misdirected patient letters — sending a letter containing clinical information to the wrong address, or attaching the wrong patient's records to an email

  • Unsecured medical record system access — leaving a clinical workstation logged in and unattended in a shared environment

  • Verbal disclosures in public spaces — discussing identifiable patient information in corridors, waiting areas, or over the phone where others can overhear

  • Sharing records without authorisation — forwarding patient data to a third party (including a family member) without a documented lawful basis

  • Use of non-compliant communication tools — consumer-grade platforms such as Zoom or WhatsApp are not suitable for transmitting identifiable clinical information, as they don't meet the security and data processing agreement requirements of GDPR

Under GDPR, breaches that are likely to result in a risk to individuals must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of them. Breaches posing a high risk to individuals must also be communicated directly to those affected. GDPR Register's healthcare guidance notes that this 72-hour clock begins when the organisation, not necessarily the individual clinician, first becomes aware, making prompt internal reporting essential.

Sharing patient data: referrals, discharge summaries, and third parties

Sharing patient data within a direct care team, including between general practitioners (GPs), specialists, nurses, and allied health professionals involved in a patient's treatment, is generally lawful under Article 9(2)(h), provided the sharing is necessary for and proportionate to the clinical purpose. The operative principle is 'need to know': only the information relevant to the receiving clinician's role in the patient's care should be shared.

In practice, this means:

  • A referral letter should contain the clinical information the receiving specialist needs, not the patient's entire medical history

  • A discharge summary should be sent to the GP and relevant care team members, not distributed more broadly without clinical justification

  • Sharing records with a patient's employer, insurer, or solicitor requires explicit patient consent or a separate legal basis

When sharing data with third-party systems, including medical record systems, diagnostic laboratories, or telemedicine services, a Data Processing Agreement (DPA) must be in place before any data is transferred. This is a contractual requirement under Article 28 GDPR, and the absence of a Data Processing Agreement constitutes a compliance failure regardless of whether a breach occurs.

Patient notification is generally not required for sharing within the direct care team, provided the organisation's privacy notice, which patients receive at registration or first contact, accurately describes how their data is used for treatment purposes.

GDPR and clinical AI tools: what clinicians should ask before using them

Deploying AI medical assistants, ambient voice technology (AVT), and other third-party clinical software introduces specific GDPR obligations that clinicians and their organisations need to address before adoption, not after.

Any tool that processes patient data on behalf of a healthcare organisation is a data processor under GDPR. This means the healthcare organisation (as data controller) must ensure that:

  • A Data Processing Agreement is in place with the vendor

  • The vendor processes data only on documented instructions from the controller

  • Appropriate technical and organisational security measures are in place, including encryption, access controls, and audit logging

  • Data residency is clearly established, which is particularly relevant for EU-based organisations where patient data processed by a vendor with servers outside the European Economic Area (EEA) may trigger additional transfer safeguards

A peer-reviewed review of AI-powered healthcare devices found that governance frameworks for clinical AI must address data minimisation, purpose limitation, and accountability mechanisms as core requirements.

Research into privacy-preserving AI deployment in clinical settings has demonstrated that local, offline AI systems can uphold strict data protection requirements while maintaining clinical utility, an approach that can reduce cross-border transfer risks associated with cloud-based processing, depending on the specific architecture and deployment model of the tool in question.

Before adopting any AI clinical tool, clinicians and their organisations should ask:

  • Where is patient data processed and stored? Is it within the EEA, or does processing involve third-country transfers?

  • Does the vendor hold ISO 27001 certification or an equivalent recognised security standard? ISO 27001 is an internationally recognised standard for information security management.

  • Has a Data Protection Impact Assessment (DPIA) been completed? GDPR requires a DPIA, a structured assessment of privacy risks, for any processing likely to result in high risk, which includes large-scale processing of health data by AI systems.

  • What is the vendor's data retention and deletion policy? Can data be deleted on request, and is this documented?

  • Is the tool registered as a medical device where applicable under the EU Medical Device Regulation (MDR)?

Drata's guidance notes that a DPIA should be treated as a living document, reviewed and updated whenever the processing activity changes materially, not completed once at procurement and filed away.

Many clinical environments operate under time and resource pressures that make thorough vendor due diligence difficult. In these contexts, organisations may need to prioritise a risk-based approach, applying the most rigorous scrutiny to tools that process the most sensitive data at the greatest scale.

Patient rights clinicians are likely to encounter

Patients have a defined set of rights under GDPR that healthcare organisations are legally obliged to facilitate. The rights most commonly encountered in clinical practice are:

Right of access (Subject Access Request): Patients are entitled to receive a copy of their personal data, including clinical records, within one month of making a request. This period can be extended by a further two months for complex or numerous requests, with notification to the patient. Clinicians should be aware that access requests must be fulfilled even when the information is clinically sensitive, though third-party information (such as details about another patient) should be redacted.

Right to rectification: Patients can request correction of inaccurate personal data. In a clinical context, this might mean correcting a factual error in a record, but it doesn't entitle a patient to have a clinician's professional opinion or clinical judgement altered.

Right to erasure ('right to be forgotten'): This right is significantly limited in healthcare. GDPR Register's sector guidance confirms that the right to erasure doesn't apply where processing is necessary for the provision of healthcare or where retention is required by law, which for clinical records is almost always the case. Patients cannot require the deletion of their medical records during the applicable retention period.

Right to data portability: Patients have the right to receive their data in a structured, commonly used, machine-readable format. This is relevant in digital health contexts and increasingly relevant as patient-facing portals and apps become more common.

Data minimisation in clinical documentation

The principle of data minimisation, set out in Article 5(1)(c) GDPR, requires that personal data be adequate, relevant, and limited to what is necessary in relation to the purposes for which it's processed. For clinicians, this has direct implications for how clinical notes are written and structured.

In practice, data minimisation means:

  • Recording the clinical information necessary to support safe, continuous care, not comprehensive biographical or social detail that isn't clinically relevant

  • Avoiding the routine inclusion of third-party information (such as details about family members) unless directly relevant to the clinical picture

  • Using structured templates that prompt for relevant fields rather than free-text entries that may capture extraneous personal information

  • Reviewing what data is pre-populated or auto-captured by medical record systems and ensuring it reflects genuine clinical need

DPO Consulting's 2025 healthcare guide identifies data minimisation alongside purpose limitation as two of the most frequently overlooked principles in clinical settings, particularly in organisations transitioning from paper-based to digital records, where the ease of capturing additional data can outpace the clinical justification for doing so.

Retention periods for clinical records across Europe

GDPR doesn't prescribe specific retention periods for clinical records. These are determined by national healthcare law, which takes precedence in this area. GDPR does require that data isn't kept longer than necessary for its purpose, and that retention periods are documented in the organisation's Records of Processing Activities (RoPA).

Illustrative national retention requirements include:

  • England (NHS): Adult patient records must generally be retained for a minimum of eight years after the last entry. Records relating to children must be kept until the patient's 25th birthday or eight years after death, whichever is later.

  • Germany: Clinical records are subject to retention obligations under §630f BGB (ten years for medical records) and additional sectoral rules. Kiteworks' 2026 analysis notes that Germany also imposes criminal liability under §203 StGB for unlawful disclosure of patient data by healthcare professionals.

  • France: Records are retained under the Code de la Santé Publique, with a general minimum of twenty years from the last care episode.

  • Netherlands: The WGBO (Wet op de geneeskundige behandelingsovereenkomst) requires retention for a minimum of twenty years from the date of recording.

The practical consequence for clinicians is that the right to erasure, even when validly invoked by a patient, cannot override statutory retention obligations. A patient requesting deletion of their clinical records during the applicable retention period can be lawfully refused on this basis, provided the refusal is communicated clearly and within the required timeframe.

Kiteworks' research has documented corrective actions by national health regulators across Europe in recent years arising from compliance gaps that GDPR alone doesn't address, a reminder that national law must be understood alongside the Regulation itself.

Who is responsible: data controller vs. data processor in healthcare

Understanding the distinction between a data controller and a data processor is essential for accountability and for making informed decisions about vendor selection and clinical tool adoption.

Data controller: The entity that determines the purposes and means of processing personal data. In healthcare, this is typically the NHS trust, GP practice, hospital, or private clinic, not the individual clinician. The controller bears primary legal responsibility for GDPR compliance.

Data processor: Any entity that processes personal data on behalf of the controller. This includes medical record system vendors, diagnostic laboratories, cloud storage providers, AI tool suppliers, and telemedicine platforms. Processors must act only on documented instructions from the controller and are subject to binding contractual obligations under Article 28 GDPR.

The distinction matters for several practical reasons:

  • Accountability: If a processor suffers a breach, the controller may still be held liable if it failed to conduct adequate due diligence or ensure appropriate contractual safeguards were in place.

  • Vendor selection: Choosing a processor that holds ISO 27001 certification, has a clear data residency policy, and can demonstrate compliance with GDPR's processor obligations is a controller-level responsibility.

  • Sub-processors: Processors may engage sub-processors (for example, a cloud infrastructure provider used by an AI vendor) but only with the controller's authorisation, and the processor remains liable for the sub-processor's compliance.

Accountable HQ's 2026 checklist recommends that organisations maintain an up-to-date vendor register and conduct periodic reviews of all active Data Processing Agreements, including vendor offboarding procedures to ensure data is deleted or returned when a contract ends.

Practical steps clinicians can take to stay compliant day to day

GDPR compliance in clinical practice doesn't require legal expertise. It requires consistent habits and awareness of where risk arises. The following steps reflect the obligations most directly relevant to individual clinicians.

Secure access and authentication

  • Always log out of or lock clinical workstations when leaving, even briefly

  • Never share login credentials with colleagues, including in high-pressure situations

  • Use only organisation-approved devices and networks to access patient records

Data sharing and communication

  • Share only the minimum necessary information when referring, escalating, or communicating with colleagues

  • Don't use personal email accounts, consumer messaging apps, or unapproved platforms to transmit patient data

  • Verify the recipient before sending any patient communication, as misdirected correspondence is one of the most common breach types in healthcare

Handling patient rights requests

  • Be aware that patients can make Subject Access Requests verbally or in writing, and log and escalate these promptly to the relevant information governance contact

  • Don't ignore or delay access requests; the one-month response clock begins immediately

  • Understand that requests for deletion can generally be declined for clinical records during the statutory retention period, but must be responded to formally

Evaluating new clinical tools

  • Before adopting any third-party software that processes patient data, confirm that a Data Processing Agreement is in place and that a DPIA has been completed

  • Ask vendors directly about data residency, sub-processors, and security certifications

  • Escalate to your information governance or data protection officer if these questions cannot be answered clearly

Documentation and training

  • Familiarise yourself with your organisation's privacy notice and data retention policy, as these define the boundaries of lawful processing in your setting

  • Participate in data protection training, including scenario-based exercises covering breach identification and response

  • If you're uncertain whether a specific data sharing or processing activity is lawful, seek guidance from your organisation's Data Protection Officer before proceeding

The regulatory landscape for health data continues to develop, with the European Health Data Space framework introducing new instruments for data sharing and governance that will interact with existing GDPR obligations in ways that national regulators and courts are still interpreting. Staying informed of developments at both EU and national level is increasingly part of responsible clinical practice, not a task that can be delegated entirely to compliance teams.

Frequently asked questions

Why does health data receive stronger protection under GDPR than other personal data?

Under Article 9 of the General Data Protection Regulation, health data is classified as a "special category" of personal data. This reflects the particular sensitivity of medical information and the potential for serious harm, including discrimination, stigma, or financial disadvantage, if it's disclosed without authorisation. Processing health data requires satisfying a lawful basis under Article 6 and a separate additional condition under Article 9(2). Standard personal data, such as a name or address, only requires the Article 6 basis.

Do clinicians need patient consent before writing clinical notes or sending a referral?

No. For routine clinical documentation, referrals, discharge summaries, and multidisciplinary communication, Article 9(2)(h) of GDPR provides a lawful basis without requiring separate patient consent. Consent under GDPR must be freely given, specific, informed, and unambiguous. In a clinical relationship, where there's an inherent power imbalance, relying on consent as the primary basis for routine treatment data can be problematic. Consent is more appropriate for research, marketing, or sharing data with third parties outside the direct care team for purposes unrelated to treatment.

What counts as a GDPR breach in a clinical setting?

A personal data breach covers any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In healthcare, common examples include sending a patient letter to the wrong address, leaving a clinical workstation logged in and unattended, discussing identifiable patient information in a corridor or waiting area, and using consumer-grade platforms such as Zoom or WhatsApp to transmit clinical information. Breaches likely to result in a risk to individuals must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of them.

What GDPR obligations apply when sharing patient data with other clinicians?

Sharing patient data within a direct care team is generally lawful under Article 9(2)(h), provided the sharing is necessary for and proportionate to the clinical purpose. The operative principle is 'need to know': only the information relevant to the receiving clinician's role should be shared. A referral letter should contain what the receiving specialist needs, not the patient's entire medical history. Sharing records with a patient's employer, insurer, or solicitor requires explicit patient consent or a separate legal basis.

What GDPR checks should clinicians carry out before adopting an AI medical assistant?

Any tool that processes patient data on behalf of a healthcare organisation is a data processor under GDPR. Before adoption, clinicians and their organisations should confirm that a Data Processing Agreement is in place with the vendor, that patient data is processed only on documented instructions, and that appropriate security measures including encryption and access controls are in place. It's also worth establishing where patient data is processed and stored, whether the vendor holds ISO 27001 certification, whether a Data Protection Impact Assessment has been completed, and whether the tool is registered as a medical device where applicable under the EU Medical Device Regulation.

Can a patient request deletion of their clinical records under GDPR?

The right to erasure is significantly limited in healthcare. It doesn't apply where processing is necessary for the provision of healthcare or where retention is required by law. For clinical records, statutory retention obligations almost always apply. A patient requesting deletion during the applicable retention period can be lawfully refused on this basis, provided the refusal is communicated clearly and within the required timeframe. Retention periods vary by country: England requires a minimum of eight years after the last entry for adult records, France requires twenty years from the last care episode, and the Netherlands requires twenty years from the date of recording.

What is the difference between a data controller and a data processor in healthcare?

A data controller determines the purposes and means of processing personal data. In healthcare, this is typically the NHS trust, GP practice, hospital, or private clinic. A data processor handles personal data on behalf of the controller. This includes medical record system vendors, diagnostic laboratories, AI tool suppliers, and telemedicine platforms. The controller bears primary legal responsibility for GDPR compliance. If a processor suffers a breach, the controller may still be held liable if it failed to conduct adequate due diligence or ensure appropriate contractual safeguards were in place.

What does data minimisation mean for how clinicians write clinical notes?

Article 5(1)(c) of GDPR requires that personal data be adequate, relevant, and limited to what is necessary for the purposes it's processed. For clinicians, this means recording the information needed to support safe, continuous care rather than comprehensive biographical or social detail that isn't clinically relevant. It also means avoiding the routine inclusion of third-party information, such as details about family members, unless directly relevant to the clinical picture. Using structured templates that prompt for relevant fields can help avoid capturing extraneous personal information.

What patient rights under GDPR are clinicians most likely to encounter?

The rights most commonly encountered in clinical practice are the right of access, the right to rectification, the right to erasure, and the right to data portability. Patients making a Subject Access Request are entitled to receive a copy of their personal data, including clinical records, within one month. The right to rectification allows patients to request correction of factual inaccuracies, but it doesn't entitle a patient to have a clinician's professional opinion altered. The right to erasure is significantly limited in healthcare settings where statutory retention obligations apply.

What practical steps can individual clinicians take to stay GDPR compliant day to day?

Consistent habits reduce most day-to-day compliance risk. Always log out of or lock clinical workstations when leaving, even briefly. Never share login credentials with colleagues. Share only the minimum necessary information when referring or communicating with colleagues. Don't use personal email accounts or consumer messaging apps to transmit patient data. Verify the recipient before sending any patient communication. Log and escalate Subject Access Requests promptly, as the one-month response clock begins immediately. Before adopting any third-party software that processes patient data, confirm that a Data Processing Agreement is in place and that a Data Protection Impact Assessment has been completed.

Get started with Tandem today

Join thousands of clinicians enjoying stress-free documentation.