Data protection and AI in healthcare: how to lawfully use health data for training
In AI projects in the healthcare sector, data protection is the first hurdle you need to overcome. Anyone wishing to train AI models needs large volumes of data — and in the healthcare sector, these are almost always personal data, frequently even health data. We show which legal bases are available to you and the two routes through which you can make health data usable for training.
Content
- Why is data protection the first hurdle for AI in healthcare?
- The GDPR principles conflict with AI training
- The AI Act changes little in this respect
- Which legal basis permits the use of your own health data?
- What is the difference between Section 27 BDSG and Section 6 GDNG?
- How do you obtain access to health data via the GDNG and EHDS?
- From prohibition to governance: what changes for your practice?
- Conclusion: With AI in healthcare, the decisive factor is how you do it
- Frequently asked questions
Why is data protection the first hurdle for AI in healthcare?
Data protection law does not merely determine how an AI project must be structured; it determines whether the project may be lawfully implemented at all. This applies even if the finished model is not intended to process personal data later on — because the decisive factor is the use of data during training.
The GDPR principles conflict with AI training
The reason lies in the principles relating to the processing of personal data under Article 5(1) GDPR. According to these principles, you must process personal data:
- lawfully, fairly and transparently;
- collect them for specified, explicit and legitimate purposes; and
- not further process them in a manner that is incompatible with those purposes.
This is precisely where the conflict arises: training data are often used for purposes that had not yet been determined at the time of the original collection.
The AI Act changes little in this respect
The AI Act regulates the processing of personal data only selectively — in Article 10(5) and Article 59 of the AI Act — and otherwise leaves the GDPR unaffected. The legal bases and exceptions under the GDPR therefore remain the central benchmark for AI projects.
For example, a hospital wants to train a diagnostic model using treatment data. Before it considers architecture or providers, it must clarify which legal basis it relies on for the use of patient data. If such a legal basis is lacking, the project is not permissible, regardless of its technical quality.
Data protection-compliant AI in healthcare therefore does not begin with the model, but with the question of whether you are permitted to use the training data at all.
Newsletter
For your Inbox
Current updates and important information on topics such as data law, information security, technology, artificial intelligence, and much more. (only in German)
Which legal basis permits the use of your own health data?
Health data already available to you may be further processed for research purposes — on the basis of consent, known as “Broad Consent”, Section 27 BDSG or Section 6 GDNG. This is the first of two routes for using health data for AI:
- Further processing of your own data: existing health data on the basis of Broad Consent, Section 27 BDSG or Section 6 GDNG.
- Use of external access: applying for anonymised or pseudonymised data via bodies such as the Health Research Data Centre. This is addressed in the next section.
The first route is supported by the so-called research privilege. It includes several facilitations for processing for research purposes: broad research consent, exceptions from purpose limitation and storage limitation, reduced information obligations — and, in the narrower sense, permission to process special categories of data such as health data at all.
The key provision is Article 9(2)(j) GDPR. However, it does not permit processing without conditions: the processing must be necessary for scientific research purposes and must be based on Union or Member State law. That legal basis must be proportionate, respect the essence of the right to data protection and provide for specific safeguards.
What is the difference between Section 27 BDSG and Section 6 GDNG?
In Germany, two provisions may be relevant. Both require the processing to serve scientific research purposes, and both require technical and organisational measures such as a rights and roles concept or pseudonymisation. The difference lies in their scope of application and in the obligations they impose:
| Criterion | Section 27 BDSG | Section 6 GDNG |
|---|---|---|
| Scope of application | In principle, all bodies | Only data-processing healthcare institutions, such as pharmacies and hospitals |
| Additional threshold | Substantially overriding research interest | – |
| Additional obligations | – | Subsequent registration and publication obligations |
Which provision applies depends on who you are: Section 27 BDSG requires a higher balancing of interests, while Section 6 GDNG is available only to healthcare institutions, but without the threshold of an overriding interest.
How do you obtain access to health data via the GDNG and EHDS?
You can apply for anonymised or pseudonymised health data via external access bodies such as the Health Research Data Centre and use health data for AI in this way. This is the second route and it often does not require your own data protection legal basis.
Access via the Health Research Data Centre
This is made possible primarily by the Act on the Improved Use of Health Data, the GDNG. Among other things, it enables data from cancer registries to be linked with other data sets and allows access to data holdings via the Health Research Data Centre.
If the controller cannot identify the data subjects on the basis of the information transmitted, a data protection legal basis is generally not required. However, this does not mean that the obligations disappear. The requirements under Section 4 GDNG and Section 303e of the German Social Code Book V, which govern the procedure and access conditions, must still be observed.
The GDNG as a bridge to the EHDS
The GDNG is designed as bridge legislation. It creates a bridge to the European Health Data Space, or EHDS the EU framework for the cross-border use of digital health data.
The EHDS Regulation has already entered into force, but will only become applicable gradually. In the medium term, it is intended to make health data discoverable across the EU and usable under regulated conditions.
The external route therefore replaces the search for your own legal basis with the obligation to comply with a prescribed procedure.
From prohibition to governance: what changes for your practice?
Health data protection is evolving from a prohibition-oriented protection regime into a complex governance framework. For practice, this means a different assessment logic: the focus is no longer only on whether an individual processing operation is permissible, but on how you structure governance for the secondary use of data in a legally robust manner.
New obligations for data-holding bodies
The other side of the regulated infrastructure is a set of substantial obligations. Data-holding bodies must structure, catalogue and make their data holdings available through the prescribed procedures. The question is shifting: increasingly, it is about which bodies provide access, which procedures must be followed and which measures you need to take.
In practical terms, this means that a hospital that wants to handle research requests in future must not only protect its data, but also make them accessible and discoverable: two objectives that previously appeared to be in conflict.
Whether an AI project involving health data can be realised therefore increasingly depends on how you implement it.
Newsletter
For your Inbox
Current updates and important information on topics such as data law, information security, technology, artificial intelligence, and much more. (only in German)
Conclusion: With AI in healthcare, the decisive factor is how you do it
Data protection in healthcare AI is not a downstream compliance task; it determines from the outset what is possible. The GDPR remains the central benchmark even under the AI Act, and the research privilege is your most important lever for using health data for AI.
There are two routes available: further processing of your own data on the basis of Broad Consent, Section 27 BDSG or Section 6 GDNG — or external access via the Health Research Data Centre and, in future, the EHDS. Both require not so much a one-off permissibility assessment as a well-designed governance structure. In future, the decisive question will no longer be “whether”, but “how”.
Frequently asked questions
#1 May I use patient data for AI training without consent?
Under certain conditions, yes. For scientific research purposes, Section 27 BDSG and Section 6 GDNG permit the processing of health data even without the consent of the data subjects. Section 27 BDSG requires a substantially overriding research interest, while Section 6 GDNG applies only to healthcare institutions. Both require technical and organisational safeguards such as pseudonymisation.
#2 Do I need a data protection legal basis for anonymised health data?
As a rule, no. If the controller cannot identify the data subjects on the basis of the information transmitted, a data protection legal basis is normally not required. However, the requirements under Section 4 GDNG and Section 303e of the German Social Code Book V must still be observed.
#3 What does “Broad Consent” mean when processing health data?
Broad Consent is a broadly framed research consent through which data subjects consent to the processing of their data for future research purposes that have not yet been conclusively defined. It is part of the research privilege and one of the possible bases for further processing existing health data.
#4 What is the Health Research Data Centre?
The Health Research Data Centre is an external access body through which anonymised or pseudonymised health data can be requested for research and development purposes. It is one of the two routes for making health data usable for AI projects.
#5 What is the European Health Data Space, or EHDS?
The European Health Data Space is the EU framework intended to make digital health data usable across borders in future for research and healthcare provision. The corresponding Regulation has already entered into force, but will only become applicable gradually.
Content
- Why is data protection the first hurdle for AI in healthcare?
- The GDPR principles conflict with AI training
- The AI Act changes little in this respect
- Which legal basis permits the use of your own health data?
- What is the difference between Section 27 BDSG and Section 6 GDNG?
- How do you obtain access to health data via the GDNG and EHDS?
- From prohibition to governance: what changes for your practice?
- Conclusion: With AI in healthcare, the decisive factor is how you do it
- Frequently asked questions
Your experts