
Choosing GDPR-compliant medical AI in 2026: the practitioner's guide

13 May 2026 · 8 min read · Clinovus AI Team

On 12 July 2024, the EU AI Act was published in the Official Journal of the European Union. The countdown has begun: on 2 August 2026, all AI systems classified as high risk must be fully compliant.[1] Virtually all medical AI tools fall into this category. For the physician, this date is not abstract — it means that using a non-compliant tool engages their professional and potentially criminal liability.

Why ChatGPT is not an option for patient data

GDPR Article 9 classifies health data as a special category of personal data, requiring a reinforced legal basis for any processing.[2] OpenAI is an American company, its servers are in the United States, and the CLOUD Act can compel any American operator to hand over data to federal authorities — including data from European patients. This is not a theoretical scenario: it is a structural incompatibility with the GDPR.

What GDPR Art. 9 says

Processing health data is prohibited by default. It is only permitted in limited cases — including "for the purposes of preventive or occupational medicine, for the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care" — and only by a professional bound by medical secrecy, with compliant hosting.

The 6 non-negotiable criteria

  1. Hosting in the EU or a GDPR adequacy zone: data hosted in the EU, the EEA or an adequate country (Switzerland, UK…)
  2. GDPR Art. 9 (health data): lawful processing of sensitive data, with a documented legal basis
  3. EU AI Act risk classification: medical AI = high risk → transparency + mandatory human supervision
  4. DPA signed (Data Processing Agreement): data processing contract signed with the provider
  5. End-to-end encryption: E2E in transit (TLS 1.3) and at rest, no plaintext data
  6. No reuse to train the AI: your patient data never serves to improve the model
6 non-negotiable GDPR criteria for evaluating a medical AI tool in 2026

The CLOUD Act trap: why hosting matters

The CLOUD Act (USA, 2018) allows US federal authorities to demand from any American company the disclosure of data stored abroad — even if servers are physically located in Italy. This covers AWS, Azure, Google Cloud, OpenAI.

A medical AI tool hosted on American infrastructure therefore offers no real GDPR guarantee, even with a DPA. This is why European data protection authorities recommend hosting in the EU, EEA, or countries with an adequacy decision — including Switzerland.[4]

Medical AI hosting: GDPR comparison by provider type

| Provider                        | Hosting    | GDPR   | Art. 9 health | Note          |
|---------------------------------|------------|--------|---------------|---------------|
| ChatGPT / Gemini (consumer)     | 🇺🇸 USA    | ❌ GDPR | ❌ Art. 9      | ⚠ CLOUD Act   |
| EU SaaS with HDS certification  | 🇪🇺 EU     | ✓ GDPR | ✓ Art. 9      | ✓ MDR ready   |
| Swiss SaaS (adequacy)           | 🇨🇭 CH     | ✓ GDPR | ✓ Art. 9      | ✓ GDPR        |
| Local on-premise                | 🏥 Local   | ✓ GDPR | ✓ Art. 9      | ⚠ High cost   |
Medical AI hosting comparison by provider type — GDPR 2026

EU AI Act: what physicians must verify before 2 August 2026

As a deployer under the AI Act — a professional user of an AI system — the physician has specific obligations[6]:

AI Act fines for non-compliance with data governance obligations can reach EUR 15 million. For prohibited practices: EUR 35 million or 7% of global turnover.[3] These amounts primarily target providers — but the deployer's liability is also engaged.

How to verify a tool's compliance in 10 minutes

See also our articles on medical AI liability and on what AI changes for physicians in 2026.

Frequently asked questions

Can a physician use ChatGPT to write medical notes?

No, not with real patient data. ChatGPT (OpenAI) is hosted in the United States and subject to the American CLOUD Act. Health data is sensitive data under GDPR Article 9 — processing it through a non-compliant tool exposes the physician to sanctions from the national data protection authority (CNIL in France, Garante in Italy, DSB in Austria). The maximum fine for violating Article 9 is EUR 20 million or 4% of global turnover.

What does the EU AI Act concretely change for physicians in 2026?

From 2 August 2026, AI systems classified as 'high risk' — including most clinical documentation and diagnostic assistance tools — must meet strict requirements: transparency on algorithm functioning, mandatory human supervision, decision traceability, and the ability for the physician to override AI recommendations. As a deployer (professional user), the physician is responsible for verifying that the tool they use meets these requirements.

Is Switzerland a GDPR adequacy zone?

Yes. The European Commission has recognised Switzerland as a country providing an adequate level of personal data protection. This means that transferring personal data to Switzerland is permitted without specific contractual clauses — the same as an intra-EU transfer. A medical AI tool hosted in Switzerland by Infomaniak therefore benefits from the same presumption of GDPR compliance as hosting in Germany or France.

What should a DPA contain for medical AI?

A GDPR-compliant DPA must specify: the nature and purpose of processing, the categories of data processed (including Art. 9 health data), retention periods, technical and organisational security measures, authorised sub-processors, and a commitment not to reuse data for purposes other than the service. For medical AI, the DPA must also specify whether data is used to train or improve the model — which requires specific consent.

What fines does a physician risk for GDPR violations with medical AI?

GDPR fines are set by national authorities: CNIL (France), Garante (Italy), DSB (Austria). For violation of Article 9 (health data): up to EUR 20 million or 4% of global turnover. For general obligation breaches: up to EUR 10 million or 2% of turnover. In practice, authorities primarily target companies rather than individual physicians — but the practitioner's liability as 'deployer' under the AI Act is engaged if they knowingly use a non-compliant tool.

Sources and references

  1. Regulation (EU) 2024/1689 (EU AI Act), Art. 6 and Annex III. Application: 2 August 2026 (high risk). eur-lex.europa.eu
  2. Regulation (EU) 2016/679 (GDPR), Art. 9 — Processing of special categories of personal data. eur-lex.europa.eu
  3. Inquira Health (Feb. 2026). The EU AI Regulation and AI in healthcare. Fines up to €35M or 7% of turnover. inquira.health
  4. European Commission. Adequacy decision — Switzerland. Adequate protection level recognised. commission.europa.eu
  5. CNIL. GDPR applied to the health sector. cnil.fr
  6. Houdart & Associés (Oct. 2025). AI in healthcare: regulatory framework and practical guides. AI Act Art. 14 — human oversight. houdart.org
Note: this article is for informational purposes. For a legal assessment of your specific situation, consult a lawyer specialising in digital health law.

Clinovus AI: built to pass all 6 criteria

Sovereign hosting in Switzerland (GDPR adequacy zone), GDPR Art. 9 native, EU AI Act ready, DPA available, E2E encryption, zero data reuse.
