
AI in Dutch healthcare: opportunities, risks and GDPR compliance

7 min read

AI is permitted in Dutch healthcare — but only under strict GDPR and EU AI Act conditions. Patient data are special personal data under GDPR, and many AI systems in healthcare fall under the EU AI Act as high-risk. When you know what's permitted and what's not, you can deploy AI safely and effectively for your healthcare organization.

Which care tasks AI already supports reliably in 2026

In 2026, AI tools support a broad range of care tasks — from administration to clinical decision support. The technology is most reliable for tasks involving repetitive work where the risk of incorrect output is manageable.

Administrative tasks are safest to automate:

  • Automatically filling patient records based on conversation notes
  • Processing referral letters and correspondence
  • Scheduling and capacity planning

Supporting clinical tasks are possible, but require more care:

  • Triage systems that assess urgency and route patients
  • AI-assisted medical imaging (X-ray, MRI) — always with doctor as final decision-maker
  • Predictive models for readmission or medication risks

The red line: AI supports, the healthcare provider decides. This is not just ethically sound — it's legally required.

GDPR and medical data: what's allowed and what absolutely isn't

Patient data are special personal data under GDPR. They receive extra protection — with direct consequences for how you can deploy AI.

What's allowed:

  • AI processes patient data on a valid legal basis: patient consent, or a legal obligation
  • Processing for direct patient care: record-keeping, communication with referrers, appointment management
  • Processing for quality improvement and research — provided it's anonymized or with explicit consent

What absolutely isn't allowed:

  • Sharing patient data with AI vendors outside the EEA without valid transfer mechanisms
  • Making care decisions entirely automatically by AI (no human oversight)
  • Using data for AI training without explicit consent or valid legal basis

Practical obligation: For any AI project processing patient data with elevated privacy risk, a Data Protection Impact Assessment (DPIA) is mandatory. This applies to virtually all clinical AI applications. Data breaches must be reported within 72 hours to both the IGJ and the Authority for Personal Data.

EU AI Act: risk classes for healthcare applications

Since August 2026, core EU AI Act provisions are in effect. The law divides AI systems into four risk classes:

Risk class   | What's included                                              | Consequence
Unacceptable | Prohibited applications: social scoring, manipulative AI     | Ban
High risk    | Nearly all clinical AI: diagnosis, triage, monitoring        | Strict requirements: documentation, human oversight, EU registration
Limited risk | Chatbots for patients, AI that summarizes medical text       | Transparency obligation: patient must know AI is involved
Minimal risk | Scheduling software, spam filters, admin tools               | No specific AI Act requirements

Concretely for healthcare organizations: If you use AI for diagnosis, triage or vital sign monitoring, you almost certainly fall under high risk. This means:

  • Setting up and documenting a risk management system
  • Keeping technical documentation on the AI system
  • Registering the system in the EU AI database
  • Ensuring human oversight is demonstrably embedded in processes and procedures

The Authority for Personal Data (AP) and the Dutch Digital Infrastructure Inspectorate (RDI) are the oversight bodies in the Netherlands.

Real-world examples: digital intake, administration, reporting and triage

What does GDPR-compliant AI deployment look like in practice? Four concrete examples:

1. Digital intake

A GP practice implements an AI chatbot that helps patients describe their complaints before the appointment. The chatbot stores no medical data itself — information goes directly to the doctor's HIS (GP information system). The patient consents upfront and knows they're talking to AI. Time savings: average 8 minutes per consultation.

2. Administration and record-keeping

A home care organization uses an AI tool that automatically creates reports after each visit based on the caregiver's spoken notes. The caregiver reviews and approves before storage. The vendor has no access to patient data — processing happens locally or via a data processing agreement.

3. Reporting to referrers

A rehabilitation center uses AI to generate standardized progress reports for referring specialists. The AI works with templates only; personal data are added to the final report only after staff review.

4. Triage

An ambulance service tests an AI system that classifies incoming calls by urgency. The system makes a recommendation — the dispatcher always decides. Classification under the AI Act: high risk. Requires: complete technical documentation and periodic audit.

How to set up a GDPR-compliant AI pilot in healthcare

An AI pilot in healthcare proceeds in five steps:

Step 1: Determine the risk class

Is it clinical support? Then it's almost certainly high-risk. Is it pure administration? Possibly limited or minimal risk. This determines which requirements apply.

Step 2: Conduct a DPIA

Map which personal data are processed, what the risks are, and what measures you're taking. Document this before the pilot starts.

Step 3: Sign a data processing agreement

With every AI vendor processing patient data, sign a data processing agreement. Ensure data aren't stored or processed outside the EEA without valid transfer mechanisms.

Step 4: Ensure demonstrable human oversight

Document who's responsible for AI-supported decisions. This must always be a qualified healthcare provider — not the system.

Step 5: Monitor and document continuously

Keep a log of AI decisions, deviations and incidents. This is mandatory for high-risk AI and essential during any inspection by IGJ or AP.

Unify AI's approach for healthcare organizations

At Unify AI, we help healthcare organizations deploy AI responsibly and effectively — without getting lost in legal complexity. We always start with a risk analysis: which tasks lend themselves to automation, what are the compliance obligations, and where's the biggest return?

Then we implement step by step: start small, measure, adjust. No large IT projects, but working pilots that deliver proven results. Our healthcare clients save an average of 4 to 6 hours per staffer per week on admin work — while maintaining complete compliance.

Want to know which AI applications are feasible for your healthcare organization? Get in touch for a free exploratory conversation.

Frequently asked questions

Which AI applications are legally permitted in Dutch healthcare?

AI is permitted provided you comply with GDPR, the EU AI Act and — for medical devices — the MDR. Administrative AI (record-keeping, scheduling, reporting) has the fewest requirements. Clinical AI (diagnosis, triage) is almost always high-risk and requires a DPIA, technical documentation and demonstrable human oversight.

Can I use patient data to train an AI model?

No, unless you have explicit patient consent or the data are completely anonymized. Anonymization is stricter than pseudonymization — the data must not be traceable to an individual in any way.

What is a DPIA and when is it mandatory in healthcare?

A Data Protection Impact Assessment (DPIA) is a privacy risk analysis you conduct before deploying AI that processes special personal data with elevated risk. In healthcare, this is almost always mandatory for clinical AI applications.

What changes with the EU AI Act for care organizations?

From August 2026, high-risk AI systems in healthcare must meet strict requirements: risk management system, technical documentation, EU registration and demonstrable human oversight. Existing systems may receive extensions until end 2027 via the Digital Omnibus.

Does my healthcare organization need a specialized AI partner?

For administrative tasks you can start with standard AI tools, provided the data processing agreement and GDPR obligations are in place. For clinical applications, working with a specialized partner familiar with compliance requirements is strongly recommended.
