GDPR for medical image analysis, a practice checklist
When you use 3D skin analysis in your practice, you are processing health data under Art. 9 GDPR. What does that mean concretely? We walk through the eight points a practice must clear before the first real patient scan: legal basis, data processing agreement, information sheet, retention and the third-country transfer problem.
Updated 8 December 2025 · 10 min read
3D skin analysis produces three legally critical data types: a face image (biometric data per Art. 9 GDPR), skin scores (health data per Art. 9), and possibly an email address (personal data per Art. 4). All three together push the protection level to the highest the GDPR knows. This article is not legal advice; it is a practice-oriented overview. Your data protection officer's assessment is what binds.
Eight points before the first real scan
1. Establish the legal basis
For processing health data in diagnosis and treatment, Art. 9 (2) (h) GDPR plus § 22 BDSG (in Germany) applies. Additional patient consent is not mandatory if the analysis is part of medical treatment and documented in the treatment agreement. For purely aesthetic use without medical indication, Art. 9 (2) (a) applies instead, and explicit written consent is required.
2. Sign a data processing agreement (DPA)
Any external processor handling patient data on your behalf needs a DPA per Art. 28 GDPR. For Dermalia and comparable vendors the DPA must in particular cover: purpose limitation (no re-use for advertising or model training), sub-processors (hosting, email delivery), retention, technical and organisational measures, breach notification, audit rights. We provide the DPA for signature before pilot start.
3. Fulfil information duties per Art. 13
Patients must be informed before data collection, in writing, in plain language. Mandatory: controller identity, processors, purpose, legal basis, retention period, recipients (also inside the EU), patient rights (access, rectification, deletion, complaint to the supervisory authority).
Practically: a one-page privacy info sheet handed to the patient at first contact and noted in the medical record. The sheet points to the full privacy policy on your practice website.
4. Define retention period
The medical record retention duty under § 630f BGB is ten years. Image data that is part of the record falls under it. If the 3D capture was not part of diagnosis but only a consulting wellness service, this period does not apply and a shorter retention (24 months) is permissible.
Important: separate these two cases in your documentation. Dermalia allows a per-report flag "medical/aesthetic", from which retention is derived.
5. Third-country data transfer
This is the trickiest point with many skin scanners. Several manufacturers ship raw scan data to cloud backends in China or the US. From a GDPR perspective that is a third-country transfer: it is either covered by an adequacy decision (US: only under the Data Privacy Framework, and only for certified recipients; China: none) or it requires standard contractual clauses plus a transfer impact assessment.
We solve this by pulling raw data once from the Isemeco EU cluster and immediately transferring it to our own Frankfurt-based storage. Patients only ever see the report from there. No third-country transfer in the patient path. Document this in your data protection impact assessment.
6. Run a data protection impact assessment (DPIA)
Art. 35 GDPR requires a DPIA where processing is "likely to result in a high risk"; health data plus biometric images practically always meet that criterion. The DPIA documents what data is processed, why, what the risks are and what mitigations you apply. The result is a two- to four-page document you must be able to present on a supervisory authority inspection.
We provide a template DPIA you can adapt to your practice; it covers the technical section so you don't have to gather that yourself.
7. Operationalise patient rights
Patients have the right to access (Art. 15), rectification (Art. 16), deletion (Art. 17), restriction (Art. 18), portability (Art. 20) and objection (Art. 21). Practically: a central email address for GDPR requests, a documented process, and a response deadline of at most one month. The most common request is "delete my report"; Dermalia has a self-service in the practice dashboard that finishes deletion (including images and the 3D model in storage) in under 60 seconds.
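As an added illustration (not Dermalia's code), the following shows how the per-report medical/aesthetic flag from point 4 can drive retention (ten years under § 630f BGB versus 24 months), how the "delete my report" cascade from point 7 can be made to cover every stored artefact, and how the one-month response deadline can be checked. Report IDs, storage keys and the calendar-month arithmetic are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention periods as stated in the checklist: § 630f BGB record duty is ten
# years; a purely aesthetic (wellness) capture may be kept 24 months.
RETENTION_MEDICAL_YEARS = 10
RETENTION_AESTHETIC_MONTHS = 24

@dataclass
class Report:
    report_id: str
    captured: date
    kind: str                                   # per-report flag: "medical" or "aesthetic"
    artefacts: list = field(default_factory=list)  # storage keys: images, 3D model (assumed layout)

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last valid day (e.g. 31 Jan + 1 month = 28/29 Feb)."""
    years, m0 = divmod(d.month - 1 + months, 12)
    y, m = d.year + years, m0 + 1
    last_day = (date(y + m // 12, m % 12 + 1, 1) - timedelta(days=1)).day
    return date(y, m, min(d.day, last_day))

def retention_expiry(r: Report) -> date:
    """Derive the deletion date from the medical/aesthetic flag; refuse unflagged reports."""
    if r.kind == "medical":
        return add_months(r.captured, 12 * RETENTION_MEDICAL_YEARS)
    if r.kind == "aesthetic":
        return add_months(r.captured, RETENTION_AESTHETIC_MONTHS)
    # An unflagged report must never silently fall into the short period.
    raise ValueError(f"report {r.report_id}: unknown kind {r.kind!r}")

def due_for_deletion(reports, today: date) -> list:
    """IDs of reports whose retention period has run out as of `today`."""
    return [r.report_id for r in reports if retention_expiry(r) <= today]

def delete_report(storage: dict, reports: dict, report_id: str) -> list:
    """Cascade delete: drop the report record and every artefact it references.
    Returns the storage keys actually removed, so the deletion can be logged in the record."""
    r = reports.pop(report_id)
    removed = []
    for key in r.artefacts:
        if storage.pop(key, None) is not None:
            removed.append(key)
    return removed

def request_overdue(received: date, today: date) -> bool:
    """True once a patient request has gone unanswered for more than one month."""
    return today > add_months(received, 1)
```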
8. Appoint a data protection officer, or document why none is needed
A dermatology or aesthetic practice needs a DPO if at least 20 people are continuously processing personal data, or if "extensive processing of special categories" is part of the core activity. Small practices (< 5 staff, normal volumes) typically don't need a DPO. But biometric data plus health data plus systematic profiling reaches the threshold quickly.
Clarify this before the first real patient scan. External DPOs typically cost €150–300/month, which is cheaper than a fine for failing to appoint one.
Common pitfalls
- Captures are "only briefly" cached on an assistant's tablet. Volatile storage is still processing under GDPR.
- Before/after images are used for marketing without separate consent. Treatment consent does not cover advertising use.
- Backup runs to a private USB stick. Backups are processing, even when the stick lives in the practice safe.
- WhatsApp delivery of the report to the patient. WhatsApp is not GDPR-compliant for health data.
- The report is also sent to a private pharmacist or cosmetician. The recipient list must be documented in advance.
What you can delegate to Dermalia and what you can't
Delegable as processing: image storage, report generation, patient email delivery, backup, deletion. Not delegable (your responsibility stays): patient information, written consent for purely aesthetic use, medical record entry, and responding to patient access requests; we provide the data, but the response leaves your practice.