GDPR for AI in healthcare 2026: 12-point checklist before signing with a vendor

Clinic · May 18, 2026 · 10 min read · Alexandre Guenot

You're a doctor, dentist or clinic manager. An AI vendor gives you a compelling demo. Before signing, here are the 12 points to verify so you don't end up CNIL non-compliant in 2026.

1. Geographic data hosting

Patient data must be stored in Europe, ideally in France. Ask for the exact data center name (AWS eu-west-3 Paris, OVH Roubaix, etc.). If the vendor says "Europe" without specifics, beware.

2. HDS certification (Health Data Hosting)

HDS is mandatory in France to store patient data. Ask for the HDS certificate of the vendor or of its cloud subcontractor. Supabase + Vercel pass through AWS Paris, which is HDS certified.

3. DPA (Data Processing Agreement)

The DPA is a written contract formalizing who processes what, for what purpose, and with what security measures. It must be provided before signing, not after.

4. Zero retention on AI provider side

If the agent uses OpenAI/Claude/Gemini, outputs may be stored by default for model training. Require a "zero retention" commitment. Anthropic offers it natively, OpenAI only via "Enterprise".

5. Anonymization before processing

Patient data (name, SSN, allergies) must be anonymized BEFORE being sent to the AI. The vendor should be able to explain the technical approach: pseudonymization, masking, or abstraction of sensitive fields.

6. Patient access right

A patient can ask at any time what data you hold on them (Article 15 GDPR). The vendor must have a mechanism that delivers a complete export in under 30 days.

7. Right to erasure

The same applies to deletion (Article 17). The vendor must provide a "delete this patient" button that truly purges the data from all systems (database, logs, backups).

8. GDPR audit logs

You must be able to prove who accessed what, and when, in the event of a CNIL inspection. Ask whether the vendor keeps access logs and for how long (typically 12 months).
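An added example of the kind of log that answers "who accessed what and when" and survives the retention question (this is illustrative code, not Orkelia's or the article's): each access event is chained to the previous one with a SHA-256 hash, so a record that was edited or deleted after the fact shows up when the chain is verified, and the 12-month purge re-anchors the chain instead of silently breaking it. Staff names, patient tokens and timestamps are constructed.

```python
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timedelta, timezone


class AuditLog:
    """Append-only access log with a SHA-256 hash chain, so that editing or deleting
    an entry after the fact is detectable during verification."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []
        self.anchor = self.GENESIS  # hash the first retained entry must chain from

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, when: datetime, actor: str, action: str, patient: str) -> str:
        """Append one event: who (actor) did what (action) on whom (patient) and when."""
        prev = self.entries[-1]["hash"] if self.entries else self.anchor
        entry = {"ts": when.isoformat(), "actor": actor, "action": action,
                 "patient": patient, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute every hash and check that each entry points at its predecessor."""
        prev = self.anchor
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def who_accessed(self, patient: str) -> list[tuple[str, str, str]]:
        """The question an inspector asks: who touched this patient's data, and when."""
        return [(e["ts"], e["actor"], e["action"]) for e in self.entries if e["patient"] == patient]

    def purge_older_than(self, now: datetime, retention: timedelta = timedelta(days=365)) -> int:
        """Apply the retention period. Entries are chronological, so drop the oldest prefix
        and re-anchor the chain at the hash of the last purged entry. Returns the count dropped."""
        cutoff = now - retention
        keep_from = 0
        while (keep_from < len(self.entries)
               and datetime.fromisoformat(self.entries[keep_from]["ts"]) < cutoff):
            keep_from += 1
        if keep_from:
            self.anchor = self.entries[keep_from - 1]["hash"]
            self.entries = self.entries[keep_from:]
        return keep_from


NOW = datetime(2026, 5, 18, tzinfo=timezone.utc)  # constructed "today" for the example


def build_sample_log() -> AuditLog:
    """Constructed sample events (fictitious staff accounts and patient tokens)."""
    log = AuditLog()
    utc = timezone.utc
    log.record(datetime(2025, 4, 1, 9, 15, tzinfo=utc), "dr.martin", "view", "PT-0001")
    log.record(datetime(2026, 5, 10, 14, 2, tzinfo=utc), "assistant.lea", "export", "PT-0001")
    log.record(datetime(2026, 5, 17, 11, 40, tzinfo=utc), "dr.martin", "view", "PT-0002")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("PT-0001 accessed by:", log.who_accessed("PT-0001"))
    print("purged:", log.purge_older_than(NOW), "still intact:", log.verify())
```

When asking a vendor about "audit logs", the two properties worth probing are exactly the two this sketch shows: can the log be altered by the same people whose actions it records (here, any edit breaks `verify()`), and what happens to the chain of evidence when old entries are purged at the end of the retention period.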

9. Declared subcontractors

The vendor must list ALL subcontractors that may handle your data (cloud, email provider, monitoring, support). This list must be in the DPA.

10. Breach notification

In the event of a data breach, the vendor must notify you within 72 hours so that you can notify the CNIL. Check the exact clause in the contract.

11. Total reversibility

If you leave the vendor, you must be able to recover 100% of your data in a reusable format (JSON, CSV, SQL dump), with a guarantee that everything is deleted after a defined period.

12. Strong authentication

TOTP-based 2FA at a minimum. SSO is recommended for groups (Google Workspace, Azure AD, Okta), and SAML 2.0 with SCIM provisioning for organizations with more than 30 users.

Conclusion

On these 12 points, a good vendor in 2026 must check at least 10/12. Below that, you are taking a real CNIL risk. To compare quickly: Orkelia checks 12/12. Book 30 min to review your current stack.

Want to dig into your case?

30 minutes on video with me. No pitch, just a concrete exchange about your situation. No commitment.

Book a 30-min audit →