GDPR · Medical & dental practices
⚠ Special category (Art. 9)

GDPR for medical & dental practices.
Your patients' health data is on WhatsApp.

Health data is a special category under Article 9 — the single highest-risk data an SME can hold, with the highest level of protection in the GDPR. Yet most practices exchange results, prescriptions and clinical images over WhatsApp and store X-rays on personal phones — convenient, and a textbook special-category breach waiting to happen.

€20M
or 4% turnover — max fine
72h
to report a breach (a lost phone counts)
Art. 9
health data = special category
Explicit
safeguards required by law

What most practices are getting wrong.

None of this is malicious — it's just how the day flows. But with health data each one is a special-category gap a patient, a competitor or a disgruntled ex-employee can report, and the severity is high.

📱

Results & prescriptions over WhatsApp

Test results, prescriptions and clinical images sent to patients by WhatsApp. They land on personal phones, in cloud chat backups, with no encryption, access control or deletion.

🦷

X-rays & clinical photos on personal phones

Dentists and clinicians take X-rays and before/after photos on personal phones that sync to private photo libraries — special-category data outside any control.

🔑

Shared logins to the clinical software

The whole team uses one shared login to the practice-management or clinical software, so there's no individual accountability and no real audit trail of who saw which record.

🖥️

Screens & paperwork visible to others

Reception screens, open records and paperwork on the desk are visible to the next patient in the queue — casual disclosure of someone else's health data.

📣

Recalls & marketing with no consent

Recall reminders and promotional messages go out mixed together with no valid consent or opt-out, treating clinical contact and marketing as the same thing.

🔗

No DPA with software & labs

Patient data is passed to practice-management software, dental/medical labs and radiology providers with no data-processing agreement and no idea where it's stored.

⚠️

It only takes one. A lost phone, a forwarded image, a synced photo library — with health data any of these is a high-severity breach that is likely notifiable to the affected patients themselves, not just the authority. The fix is far cheaper than the incident.

How we make your practice compliant — for real.

We don't hand you a policy and leave. We change how health data actually flows through your practice, with tools your team will actually use.

📥

Secure patient messaging / portal

An encrypted patient-messaging channel or portal for results, prescriptions and images — replacing WhatsApp and personal email — that staff and patients find easier, not harder.

Confirm the Art. 9 condition

We identify and document the correct Article 9 lawful condition for each use of health data (provision of care, explicit consent), on top of the Article 6 basis.

🔒

Access control + MFA + individual logins

Individual logins for every staff member, multi-factor authentication and proper access levels with audit logs — no more one shared login for the whole team.

🔐

Encryption of records & images

Patient records, X-rays and clinical photos encrypted at rest and in transit, kept off personal phones and private photo libraries.

📣

Consent for recalls & marketing

Clinical recalls separated from marketing, with a clean, documented consent and a working opt-out for promotions, offers and newsletters.

📄

DPAs, training & breach plan

Data-processing agreements with your software, labs and radiology providers, a short staff briefing and a simple breach procedure (including "I lost my phone").

A path that fits how practices actually work.

01

Data-flow audit

We follow real patient data end-to-end: where the result, the X-ray and the prescription go, and on which device or tool.

02

Gap analysis

We flag the non-compliant flows and the concrete risks — prioritised, in plain language, not a 90-page report.

03

Remediation

We set up secure messaging, encryption, access control, consent and the DPAs — and migrate you off WhatsApp and personal phones.

04

Train & document

A short team briefing, a breach plan and the records of processing — so it stays compliant day to day.


GDPR for medical & dental practices, answered.

The questions practices ask us most.

Can we message patients on WhatsApp?

Not for health data. Results, prescriptions and clinical images sent over WhatsApp end up on a personal phone, in chat backups, outside any access control or retention policy. Health data is a special category under Article 9, so a leak is high severity and usually notifiable to the patients themselves. You need a secure patient-messaging channel or portal instead, with a clear lawful condition for the contact.

What makes health data "special category" (Art. 9), and what does it require?

Article 9 treats data about a person's health — including dental and clinical data — as a special category that is prohibited from processing unless a specific condition applies, typically explicit consent or provision of health care by a professional bound by confidentiality. On top of an Article 6 basis, you must identify and document that Article 9 condition, apply stronger safeguards (encryption, strict access control, confidentiality), and treat any breach as high severity.

Do we need consent for recall reminders?

It depends on the purpose. A clinical recall tied to ongoing care can often rest on the care relationship, but marketing — promotions, offers, newsletters — needs consent, with an opt-in and a working opt-out. Trouble starts when the two are mixed. We separate clinical recalls from marketing and document a clean consent and opt-out for each.

Do we need agreements with our clinical software and labs?

Yes. Your practice-management software, dental and medical labs, radiology providers, email and cloud backup all process patient health data on your behalf, so you need a data-processing agreement (DPA) with each and must know where data is stored. With special-category data the supply chain is part of your compliance — we review your stack and put the right agreements and safeguards in place.

Medical & dental · Free GDPR assessment

See exactly where your practice is exposed.

Tell us how you send results and images to patients today. We'll show you the gaps and the fix — response within 4 working hours, no commitment.
