
EU General Data Protection Regulation — Art. 9 Special Categories

GDPR Art. 9 compliant medical data infrastructure

Medical data is a GDPR special category. Art. 9 prohibits processing health data unless specific conditions are met. Our infrastructure is purpose-built for healthcare — with data processing agreements designed for medical practices, imaging centers, and health research institutions.

What is the GDPR?

The General Data Protection Regulation applies to any organization processing personal data of EU residents. Medical data — including DICOM images, patient records, diagnoses, and treatment histories — is classified as a 'special category' under Art. 9 and receives the highest level of protection under GDPR.

  • In force since: 25 May 2018
  • Scope: Any organization processing EU personal data
  • Maximum fine: €20M or 4% of global annual turnover
  • Breach reporting: 72 hours

Key GDPR obligations for medical data

Health data processing is subject to additional obligations beyond standard GDPR. These six articles are the most critical for medical practices, imaging centers, and health research.

1. Art. 5 — Principles of processing

Patient data must be collected for specified, explicit, and legitimate purposes. Diagnostic images must not be retained longer than clinically required. We support configurable retention policies per study type and patient record category.

2. Art. 6 — Lawful basis

Processing patient data requires a valid lawful basis — typically Art. 9(2)(h) for medical diagnosis or treatment by a health professional, or Art. 9(2)(j) for public interest research. Standard Art. 6 consent is not sufficient for health data.

3. Art. 17 — Right to erasure

Patients have the right to request deletion of their personal data. Clinical retention requirements may limit this right, but export and deletion workflows must exist. We support study-level and record-level export and deletion on request.

4. Art. 28 — Data processor

We act as your data processor for all patient data stored in Orthanc, OpenEMR, and dcm4chee. Our DPA is designed specifically for medical data processors under Art. 9 — with appropriate confidentiality obligations for health data.

5. Art. 32 — Security of processing

Health data demands the highest level of security. Our infrastructure uses encryption at rest and in transit, strict access controls, isolated tenant environments, and encrypted backups — all stored within the EU.

6. Art. 33 — Breach notification

You must report any breach involving health data to your supervisory authority within 72 hours. We monitor for unauthorized access to managed infrastructure and notify you immediately upon detecting any incident.

Art. 9 — processing health data lawfully

Health data, genetic data, and biometric data are 'special categories' under Art. 9. The GDPR prohibits processing unless you can demonstrate one of the specific legal bases. For medical practices, this is typically Art. 9(2)(h) — medical diagnosis and treatment by a health professional under a duty of confidentiality.

  • Art. 9(2)(h): Medical diagnosis and treatment — the standard basis for patient records and DICOM imaging workflows
  • §203 StGB (Germany): Medical confidentiality law — our infrastructure is designed for Berufsgeheimnisträger (professionals bound by statutory confidentiality)
  • DPIA required: Processing health data at scale requires a Data Protection Impact Assessment under Art. 35 — we can support your DPO through this process

What we provide for GDPR compliance

  • Medical-specific Data Processing Agreement (DPA) on request
  • EU data residency — Nuremberg (primary) + Falkenstein (DR)
  • Audit logs retained and exportable
  • Patient data export on request (Art. 20 portability)
  • Data deletion on request (Art. 17 erasure)
  • 72-hour breach notification to you (Art. 33)
  • Encrypted backups stored within the EU
  • Sub-processor list available on request

Need a DPA for medical data processing?

Our data processing agreements are designed for healthcare providers processing Art. 9 special categories. Request yours — we'll respond within one business day.
