EU General Data Protection Regulation (GDPR)
MedConsult AI - Compliance Documentation for EU Healthcare Providers
Last Updated: _________________ | Reviewed By: _________________
1. EU GDPR Overview
The General Data Protection Regulation (Regulation (EU) 2016/679) is the EU's comprehensive data protection law that governs the processing of personal data of individuals within the European Economic Area (EEA). It applies to MedConsult AI when processing data of EU-based patients or healthcare providers.
How MedConsult AI Complies with Regulation 2016/679
- Lawfulness, fairness, and transparency in all data processing activities (Article 5(1)(a))
- Purpose limitation — data collected for specified, explicit, and legitimate healthcare purposes (Article 5(1)(b))
- Data minimisation — only data necessary for clinical consultations is processed (Article 5(1)(c))
- Accuracy — mechanisms for correction and updating of patient data (Article 5(1)(d))
- Storage limitation — data retained only as long as necessary per applicable health regulations (Article 5(1)(e))
- Integrity and confidentiality — appropriate security measures for health data (Article 5(1)(f))
- Accountability — documented compliance through records of processing activities (Article 5(2))
2. Article 6 — Lawful Basis for Processing
All processing of personal data must be grounded in one of the six lawful bases set out in Article 6(1). MedConsult AI relies on the following bases depending on the processing activity:
| Lawful Basis | Article | Processing Activity |
|---|---|---|
| Consent | Art. 6(1)(a) | Patient consents to AI-assisted consultation analysis |
| Contract Performance | Art. 6(1)(b) | Processing necessary to provide the healthcare consultation service |
| Legal Obligation | Art. 6(1)(c) | Compliance with health record-keeping requirements under national law |
| Vital Interests | Art. 6(1)(d) | Emergency processing where patient cannot give consent |
| Public Interest | Art. 6(1)(e) | Processing necessary for healthcare provision as a task in the public interest |
| Legitimate Interests | Art. 6(1)(f) | System security, fraud prevention, and service improvement (non-health data only) |
3. Article 9 — Special Category Data
Health data is a special category of personal data under Article 9. Its processing is generally prohibited unless one of the conditions in Article 9(2) is met. For healthcare use of MedConsult AI:
| Condition | Article | When Applied |
|---|---|---|
| Explicit Consent | Art. 9(2)(a) | Patient explicitly consents to health data processing for AI consultation |
| Employment/Social Security | Art. 9(2)(b) | Occupational health assessments where authorised by EU/member state law |
| Health or Social Care | Art. 9(2)(h) | Processing for provision of healthcare by or under responsibility of a health professional |
| Public Health | Art. 9(2)(i) | Processing for reasons of public interest in public health |
| Archiving/Research | Art. 9(2)(j) | Processing for scientific research purposes with appropriate safeguards |
Note: Article 9(3) requires that health data processed under Article 9(2)(h) be processed by, or under the responsibility of, a professional subject to professional secrecy obligations.
4. Article 28 — Data Processing Agreement
Article 28 requires a binding contract between the controller (healthcare provider) and processor (MedConsult AI). The agreement must set out:
Subject Matter & Duration
Processing of patient health data for AI-assisted medical consultations for the duration of the service agreement
Nature & Purpose
Automated analysis of consultation data to provide clinical decision support to healthcare professionals
Categories of Data Subjects
Patients of the healthcare provider who engage in consultations processed through MedConsult AI
Types of Personal Data
Patient identifiers, medical history, symptoms, diagnoses, treatment plans, and consultation notes
Processor Obligations (Article 28(3))
- Process personal data only on documented instructions from the controller
- Ensure that persons authorised to process data are bound by confidentiality
- Implement all measures required under Article 32 (security of processing)
- Respect conditions for engaging sub-processors (prior authorisation, same obligations)
- Assist the controller in fulfilling data subject rights requests
- Assist with DPIA and prior consultation obligations (Articles 35-36)
- Delete or return all personal data at end of service, at controller's choice
- Make available all information to demonstrate compliance and allow audits
Controller Signature:
Name / Date
Processor Signature:
Name / Date
5. Article 35 — DPIA Requirements
A Data Protection Impact Assessment is mandatory under Article 35 when processing is likely to result in a high risk to the rights and freedoms of natural persons. This includes:
When a DPIA is Required
- Systematic and extensive evaluation of personal aspects (profiling) — Article 35(3)(a)
- Processing of special category data on a large scale — Article 35(3)(b)
- Systematic monitoring of a publicly accessible area on a large scale — Article 35(3)(c)
- Use of new technologies where the nature, scope, context, or purposes pose high risk
- Processing listed on the supervisory authority's mandatory DPIA list
DPIA Contents (Article 35(7))
| Requirement | Complete? |
|---|---|
| Systematic description of processing operations and purposes | ☐ Yes ☐ No |
| Assessment of necessity and proportionality in relation to purposes | ☐ Yes ☐ No |
| Assessment of risks to the rights and freedoms of data subjects | ☐ Yes ☐ No |
| Measures to address risks, including safeguards and security measures | ☐ Yes ☐ No |
| Consultation with DPO (where designated) | ☐ Yes ☐ No |
| Views of data subjects sought (where appropriate) | ☐ Yes ☐ No |
If residual risks remain high after mitigation, prior consultation with the supervisory authority is required under Article 36.
6. Data Subject Rights (Articles 15-22)
The EU GDPR grants data subjects comprehensive rights. MedConsult AI provides tools and procedures to support healthcare providers in fulfilling these rights:
| Right | Article | Timeframe | Platform Support |
|---|---|---|---|
| Right of Access | Art. 15 | 1 month | Automated data export in structured, machine-readable format |
| Right to Rectification | Art. 16 | 1 month | In-platform data correction tools with audit trail |
| Right to Erasure | Art. 17 | 1 month | Automated deletion workflow (subject to legal retention obligations) |
| Right to Restriction | Art. 18 | Without undue delay | Processing pause mechanism per patient record |
| Notification Obligation | Art. 19 | Without undue delay | Automated notification to recipients of corrections/deletions |
| Right to Data Portability | Art. 20 | 1 month | Export in JSON, CSV, or HL7 FHIR format |
| Right to Object | Art. 21 | Without undue delay | Processing opt-out with confirmation mechanism |
| Automated Decision-Making | Art. 22 | N/A | Human review for all AI recommendations; no solely automated decisions |
Response timeframes may be extended by a further two months where requests are complex or numerous (Article 12(3)). The data subject must be informed of the extension within one month.
7. Article 25 — Data Protection by Design and Default
MedConsult AI implements data protection by design and by default through the following technical and organisational measures:
Pseudonymisation
Patient identifiers are pseudonymised during AI processing to reduce re-identification risk
Encryption at Rest
AES-256 encryption for all stored health data in the database
Encryption in Transit
TLS 1.3 for all data transmission between client, server, and third-party services
Access Controls
Role-based access control (RBAC) ensuring minimum necessary access to patient data
Data Minimisation
Only data strictly necessary for consultation processing is collected and transmitted to AI models
Automatic Session Expiry
Sessions time out after a configurable inactivity period (default: 15 minutes)
Audit Logging
Comprehensive logging of all data access, modifications, and processing activities
Privacy-First Defaults
Most restrictive privacy settings enabled by default; users opt in to broader sharing
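The pseudonymisation and data minimisation measures above can be illustrated with a short worked example. This is an added example, not MedConsult AI's own code: the field names, the key and the patient record are constructed, and the keyed HMAC pseudonym with a controller-side lookup table is one common way to keep direct identifiers out of the payload sent to an AI processing service.

```python
"""Pseudonymise and minimise a consultation record before it leaves the controller.

Constructed example: a keyed HMAC-SHA256 token replaces the direct identifiers,
a lookup table that stays with the controller allows re-linking of the result,
and only the clinical fields needed for the consultation are forwarded.
"""
import hashlib
import hmac

# Hypothetical controller-held secret; in production load it from a key management service.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-use"

# Direct identifiers that must never reach the AI model (constructed field names).
DIRECT_IDENTIFIERS = ("patient_id", "name", "date_of_birth", "email")
# Fields the consultation actually needs (data minimisation, Article 5(1)(c)).
CLINICAL_FIELDS = ("symptoms", "history", "current_medication")


def pseudonym(patient_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed pseudonym: same patient gives the same token, but the
    token cannot be linked back to the patient without the controller's key/table."""
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def minimise_for_ai(record: dict, lookup: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Build the payload for the AI service and record the token in the
    controller-side lookup table, which is never transmitted."""
    token = pseudonym(record["patient_id"], key)
    lookup[token] = record["patient_id"]
    payload = {"subject": token}
    for field in CLINICAL_FIELDS:
        if field in record:
            payload[field] = record[field]
    # Defensive check: fail closed if any direct identifier slipped into the payload.
    if any(field in payload for field in DIRECT_IDENTIFIERS):
        raise ValueError("direct identifier present in outbound payload")
    return payload


def relink(ai_result: dict, lookup: dict) -> dict:
    """Re-attach the real patient id to the AI recommendation, controller-side only."""
    return {
        "patient_id": lookup[ai_result["subject"]],
        "recommendation": ai_result["recommendation"],
    }
```

The `lookup` table and `PSEUDONYM_KEY` must remain inside the controller's environment; only the return value of `minimise_for_ai` is sent to the AI processing service.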
8. Chapter V — International Data Transfers
Under Chapter V of the EU GDPR (Articles 44-49), personal data may only be transferred to third countries that ensure an adequate level of data protection, or where appropriate safeguards are in place.
Transfer Mechanisms Used
- Adequacy Decisions (Article 45) — transfers to countries recognised by the European Commission
- Standard Contractual Clauses (Article 46(2)(c)) — EU Commission-approved SCCs for processor transfers
- EU-US Data Privacy Framework — for transfers to certified US organisations
- Binding Corporate Rules (Article 47) — where applicable for group transfers
- Derogations (Article 49) — explicit consent or contractual necessity in specific situations
Transfer Impact Assessments
Following the Schrems II decision (C-311/18), Transfer Impact Assessments (TIAs) are conducted for each data transfer to evaluate the level of protection in the recipient country. These assessments consider local surveillance laws, data subject redress mechanisms, and supplementary measures where necessary.
MedConsult AI Data Locations
| Service | Data Location | Transfer Mechanism |
|---|---|---|
| Application Hosting (Vercel) | EU/US | SCCs / DPF |
| Database (Neon) | EU Region | No transfer (EU-based) |
| AI Processing (OpenAI) | US | SCCs / DPF |
| Email (Resend) | US | SCCs / DPF |
9. Breach Notification (Articles 33-34)
Under Articles 33 and 34, personal data breaches must be reported to the supervisory authority and, in certain cases, to affected data subjects.
Notification Requirements
Within 72 hours (Article 33)
Notify the competent supervisory authority unless the breach is unlikely to result in a risk to data subjects' rights and freedoms
Without undue delay (Article 34)
Notify affected data subjects directly when the breach is likely to result in a HIGH risk to their rights and freedoms
Ongoing (Article 33(5))
Document all personal data breaches, including facts, effects, and remedial actions taken
Notification Content (Article 33(3))
- Nature of the breach including categories and approximate number of data subjects and records
- Name and contact details of the Data Protection Officer
- Description of likely consequences of the breach
- Description of measures taken or proposed to address the breach and mitigate effects
10. National Variations
While the EU GDPR is directly applicable across all EU member states, certain provisions allow for national variations, particularly regarding health data processing. Healthcare providers should be aware of additional requirements in their jurisdiction:
| Country | Key National Variation | Relevant Law |
|---|---|---|
| Germany | Stricter consent requirements for health data; state-level data protection laws (Landesdatenschutzgesetze) | BDSG; state-level laws |
| France | CNIL guidance on health data hosting (HDS certification required for health data hosting) | Loi Informatique et Libertés |
| Netherlands | Specific rules for electronic patient records and exchange systems | UAVG; Wbsn-z |
| Spain | Additional safeguards for health research data; bioethics requirements | LOPDGDD |
| Italy | Specific deontological rules for health data processing | D.Lgs 196/2003 (amended) |
| Ireland | Health Research Regulations with specific consent requirements | Health Research Regulations 2018 |
This list is not exhaustive. Healthcare providers must verify compliance with their specific member state legislation in addition to the EU GDPR. Consult your national Data Protection Authority (DPA) for jurisdiction-specific guidance.
11. Record of Processing Activities (Article 30)
Article 30 requires controllers and processors to maintain a record of processing activities. The following template should be completed for each processing activity involving MedConsult AI:
| Field (Article 30(1)) | Details |
|---|---|
| Controller Name & Contact | ________________ |
| DPO Name & Contact | ________________ |
| Joint Controller (if applicable) | ________________ |
| Purposes of Processing | AI-assisted medical consultation support |
| Categories of Data Subjects | Patients, healthcare professionals |
| Categories of Personal Data | Health data, identification data, contact details |
| Categories of Recipients | Healthcare provider staff, MedConsult AI (processor) |
| Transfers to Third Countries | See Section 8 — International Transfers |
| Retention Periods | Per applicable national health records legislation |
| Technical & Organisational Measures | See Section 7 — Data Protection by Design |
This documentation is provided as a template and should be reviewed by qualified legal counsel before use in a clinical setting. MedConsult AI does not provide legal advice.