Why a clinic phone call is special
GDPR-compliant call recording in a clinic is not the same as on a webshop’s support line. When a patient calls, they rarely stop at their name and phone number. They describe what hurts, which treatment they’re coming for, what symptoms they have — in other words, they hand over health data. That is a special category of personal data under GDPR Article 9, demanding higher protection and stricter conditions than an ordinary contact detail.
A recorded or AI-processed call is therefore doubly sensitive: it contains both an identifiable person and information about their health. That’s what makes this a YMYL-level topic, and why the process is worth building correctly from the ground up.
This article is general information and does not constitute legal advice. Always confirm the compliance picture for your own clinic with a data protection expert or lawyer.
Who’s who in data protection: controller and processor
You can’t get compliance right without clarifying the roles:
- The clinic is the controller. It decides why and how the call data is processed (booking, call-backs, documentation).
- The AI phone vendor is typically a processor. It handles the data on the clinic’s instructions and on its behalf, and does not use it for its own purposes.
Under GDPR Article 28, a data processing agreement (DPA) between the two is mandatory. It records what the vendor may process, for how long, under what security conditions, and what happens when the contract ends.
A GDPR requirements checklist for clinic calls
Phone-based processing must satisfy the following principles and obligations:
| Requirement | GDPR basis | What it means in practice |
|---|---|---|
| Lawful basis | Art. 6 + Art. 9(2) | A general basis for handling the call (e.g. contract, legitimate interest), plus an Article 9 exception for the health data |
| Transparent notice | Art. 13–14 | The caller must be told at the start about recording, the purpose, and their rights |
| Purpose limitation | Art. 5(1)(b) | The data is used only for the original purpose (booking, care), not repurposed |
| Data minimization | Art. 5(1)(c) | Only the strictly necessary data is recorded |
| Storage limitation | Art. 5(1)(e) | A defined retention period set in advance, after which the recording is deleted or anonymized |
| Security | Art. 32 | Encryption, access control, logging — technical and organizational measures |
| Data subject rights | Art. 15–22 | Access, rectification, erasure and objection must be actionable |
The most commonly neglected item on this list is retention. Many clinics keep recordings for years “just in case” — which is precisely what violates the storage limitation principle.
Notice: the caller must be informed
The fact of recording cannot stay hidden. At the start of the call — typically with a short announcement — you must state that the conversation is being recorded or processed by an automated system, and where the detailed privacy notice can be found. Clarity is key: a patient can only make an informed choice when they know what is happening to their data and whom to ask about it.
What to ask an AI phone vendor
Before rolling out an AI assistant, ask for concrete, verifiable answers:
- Where is the data stored? EU-based processing is the cleanest option, because it avoids the question of transfers to a third country.
- Is there a data processing agreement? Don’t start without a signable DPA.
- What is the retention period, and is it configurable? It should be defined and, ideally, adjustable to the clinic’s needs.
- What security measures protect the data? Encryption, access control, logging.
- What happens when the contract ends? Return or deletion of the data should be contractually fixed.
- How are data subject rights handled? The vendor should support an erasure or access request.
If there are no clear answers to these questions, that in itself is a signal.
What MediVox does for compliance
MediVox doesn’t bolt these principles onto the product afterward — they’re built in. The security and compliance module rests on:
- EU-based data handling, to avoid the complexity of transfers to a third country.
- A defined retention period: data isn’t kept longer than the purpose requires.
- A data processing agreement (DPA) for clinics, in line with GDPR Article 28.
- Access control and logging, so only authorized people can reach the data.
- Data minimization: the assistant focuses on the data needed for the booking.
Important: these describe how the product is designed, but actual compliance is always the shared responsibility of the clinic and the vendor. MediVox does not promise a certification it can’t substantiate — request the specific details in writing before signing.
We have previously written in detail about the business side of phone availability: it’s worth reading what a missed call costs a practice, because compliance and revenue are not in conflict with each other.
Supervisory context
In the EU, the General Data Protection Regulation applies directly, and each member state has a supervisory authority overseeing it (in Hungary, for example, the National Authority for Data Protection and Freedom of Information, NAIH, alongside national law). Their guidance and decisions offer useful reference points. The full official text of the GDPR is available here.
In summary
Clinic call data is sensitive because it both identifies a person and reveals something about their health. Compliance is not a single checkbox but a process: a clear lawful basis, prior notice, purpose limitation, data minimization, a defined retention period, strong security, and enforceable data subject rights. If you use an AI assistant, add a proper data processing agreement and EU-based handling on top of that. And finalize the specifics for your own clinic, tailored to your situation, with expert input.