GDPR (General Data Protection Regulation) applies to any company processing personal data of EU residents. For medical/health data, GDPR is even stricter — health data is a "special category" requiring explicit consent or another lawful basis. Non-compliance fines: up to 4% of global revenue or €20M.
Key Takeaways
- Health data = special category under GDPR.
- Need: consent, DPA, DPIA, security measures, retention policies.
- Max fine: €20M or 4% of global revenue.
- Anonymized data exits GDPR scope — but the bar is very high.
Frequently Asked Questions
Patient health data under GDPR is classified as:
Answer: Special category data (higher protection required)
Health data is "special category" under GDPR Article 9, requiring explicit consent or another specific lawful basis for processing.
If your AI processes ultrasound images to detect pathologies, you need:
Answer: Data Processing Agreement, patient consent, privacy impact assessment, and data security measures
Processing health data requires comprehensive GDPR compliance: lawful basis, DPA with hospitals, DPIA, technical security measures, and data retention policies.
GDPR maximum fine is:
Answer: €20M or 4% of global annual revenue
The maximum GDPR fine is €20M or 4% of global annual revenue, whichever is higher. This applies to the most serious violations.
Anonymized data (where re-identification is impossible):
Answer: Falls outside GDPR scope entirely
Truly anonymized data (not pseudonymized) is not personal data and falls outside GDPR scope. However, the bar for "true anonymization" is very high — pseudonymized data IS still personal data.