Patient consent for 3D skin analysis, what Art. 9 GDPR concretely requires

Biometric facial scans are special categories of personal data under Art. 9 GDPR. We walk through which legal bases are available, what the consent must contain, and where the most important traps for the dermatology practice sit. Not a template, a requirements checklist.

Updated 25 May 2026 · 8 min read

A 3D facial scan is a biometric datum under Art. 4(14) GDPR because it results from technical-mathematical procedures and allows the unique identification of a natural person. Each skin-analysis capture therefore falls under Art. 9 GDPR (special categories of personal data). Processing is generally prohibited unless one of the exceptions in Art. 9(2) applies. We walk through what this means for the practice.

Which legal basis fits

Two legal bases from Art. 9(2) are practicable in dermatology:

  • Art. 9(2)(a) GDPR (explicit consent): the patient explicitly consents after comprehensive information. Clean, clear, revocable at any time. Recommended default for skin analysis, since it usually runs as an individual health service outside medically necessary care.
  • Art. 9(2)(h) GDPR (health care): processing necessary for medical care by medical staff or under medical responsibility. Covers a skin analysis that is part of medically indicated diagnostics (e.g. progress monitoring under isotretinoin). Information of the patient is still required; formal consent in the narrow sense is not mandatory.

In practice, explicit consent is the pragmatic default. It covers both purely aesthetic and medically indicated uses, and it matches patient expectations on transparency.

What the consent must contain (Art. 7 GDPR)

Consent must be given freely, specifically, informedly and unambiguously (Art. 4(11) GDPR), and additionally explicitly for special categories (Art. 9(2)(a)). Concretely the form or digital consent dialog must include:

  • Who processes: practice as data controller (Art. 4(7) GDPR), software provider as data processor (Art. 28 GDPR). Name both.
  • Which data: explicit naming of "biometric facial scans, RGB, UV and polarised captures, 3D mesh geometry, derived score values". Blanket "patient data" is not enough.
  • Which purpose: e.g. "dermatological diagnostics, longitudinal documentation, creation of a patient-readable report". Concrete, not abstract.
  • Retention: e.g. 24 months from scan, then automatic deletion. State the exact duration, not "as long as needed".
  • Recipients: data processor, manufacturer cluster (scanner manufacturer), possibly AI sub-processor for report generation. With hosting location.
  • Third-country transfer: if applicable, with legal basis (e.g. EU-US Data Privacy Framework, standard contractual clauses, adequacy decision).
  • Right to revoke: at any time, with the note that processing before revocation remains lawful. Low-threshold revocation channel (email address, web page).
  • Data rights: access (Art. 15), rectification (Art. 16), deletion (Art. 17), data portability (Art. 20), complaint to supervisory authority.
  • Consequences of refusal: e.g. "without consent the digital report cannot be created, the medical consultation can take place independently".

Formally, consent can be given in writing or electronically. The key is documentation: the data controller (the practice) must be able to prove that consent was given (Art. 7(1) GDPR).

Additional German BDSG requirements

Germany uses the opening clause in Art. 9(4) GDPR and sets additional conditions in the BDSG for processing special categories of personal data. § 22 BDSG names protective measures that must be in place, such as technical and organisational measures, pseudonymisation, access restrictions, awareness training for staff and selection/control measures for data processors. These measures must be documented in the processing record and in the data-processing agreement with the software provider.

Revocation in practice reality

Revocation must be as easy as the original consent (Art. 7(3) GDPR). Consent given digitally must be revocable digitally. Practice-relevant consequences:

  • The digital report is deleted on request. Processing before revocation remains lawful; the report was permitted at the time it was created.
  • Captures are removed from storage, with cascade deletion across backups completed within the next backup rotation. The deletion period is documented in the processing record.
  • The medical record with the written report summary remains subject to professional retention periods (typically 10 years per § 10 MBO-Ä), because it is governed by statutory documentation duty, not by GDPR consent.

Typical traps

  • Blanket consent at practice entrance: Consent for biometric data must be specific; a generic consent "for all digital applications" is not sufficiently explicit.
  • Consent as a condition for treatment: Consent must be voluntary. If no medical care follows without consent, voluntariness can be challenged. Clean approach: medical care runs independently; only the digital report component is dropped.
  • No reference to the data processor: Patients must know who technically accesses the data. Name the software provider with its hosting location.
  • Outdated retention period: When the retention period changes, the patient must at least be informed, or the consent renewed, depending on the depth of the change.
  • Unclear controller/processor split: The practice remains the controller, the software provider is the processor. Confusing the two is costly in a dispute.

What Dermalia provides to your practice

We provide your practice with a consent template attached to the data-processing agreement that covers the requirements above and is specifically tailored to 3D skin analysis. It remains your responsibility: you must adapt the text to your practice specifics (practice name, concrete indications, additional sub-processors on your side, etc.). We explicitly do not offer legal advice; an external data protection officer or a specialist medical-law attorney is the right instance for the final review.

Sources and further reading

As of May 2026. This article is orientational professional information for practices, not legal advice in the individual case. The final evaluation of your consent texts belongs in the hands of your data protection officer or a specialist medical-law attorney.