The framing mistake that triggers most clinic GDPR issues
Europe closed 2025 with roughly €1.2 billion in accumulated GDPR fines (DLA Piper, January 2026). Spain leads EU countries by number of fines issued, with 651 sanctioning files on record (Statista, 2024), and the AEPD has kept the healthcare sector under close watch.
Most clinics that run into GDPR problems don’t do it in bad faith. They do it through a framing mistake. They treat call recordings (or WhatsApp threads) as if they were just audio files or chat logs. GDPR treats them as health data when they happen in a clinical context. That single difference changes the applicable legal basis, the retention period, the vendor contract and the patient rights you need to support.
This guide covers the points a clinic needs settled before recording a single call or storing a single WhatsApp message, and the ones to revisit when you bring in an AI assistant. Written for chiropractors, physiotherapists and osteopaths operating in Spain or anywhere in the EU.
What GDPR considers “voice data” and “WhatsApp data” in a clinic
Voice, on its own, is personal data. The Spanish AEPD has confirmed it in several resolutions: the timbre and biometric features of a voice allow identification of an individual, which places voice under GDPR.
The same logic applies to WhatsApp messages: phone number, full message content, attachments, timestamps. All personal data.
Inside a clinic the nuance goes further. When a patient calls or messages to book an appointment, describe symptoms or ask about a treatment, the conversation contains information about their health. That information becomes health data, covered by Article 9 of GDPR as a special category. Processing health data requires a reinforced regime: a legal basis from Article 6 plus an exception from Article 9 that allows handling it.
Recording a call at a tax office is not the same as recording one at a physio clinic. The clinical content of the second turns the audio file (or the WhatsApp thread) into a health record, even if the patient only contacted you to book a session.
The legal basis: when consent works and when legitimate interest does
GDPR Article 6.1 lists six legal bases for processing personal data. Consent isn’t the only one, and for clinic communications you need to choose with care.
Consent is the cleanest basis when you record or store for training, quality control or service improvement. It has to be freely given, specific, informed and unambiguous, and the patient must be able to withdraw it at any time. A one-liner at the start of the call (“this call may be recorded”) is no longer enough: the AEPD expects patients to be able to object without losing the service.
Legitimate interest fits when the recording or message storage serves to document the operation (proving the patient accepted an appointment or a price quote). IAPP (2024) explained that call centres can rely on legitimate interest for service recordings, provided they run the balancing test and the patient’s interest doesn’t override it.
Contract performance works for the administrative part of the interaction (booking, confirming, cancelling), but it doesn’t cover the health data that shows up inside the conversation. For that you have to layer an Article 9 exception on top: usually explicit patient consent, or necessity for preventive medicine, diagnosis, or the provision of healthcare.
The combination that works best in a clinic is usually: legitimate interest for the operational data, plus explicit consent for the clinical content of the conversation.
Five minimum requirements to handle voice and WhatsApp without exposing the clinic
1. Inform before recording or storing. GDPR forbids silent recordings. The patient has to know the call is being recorded or that their WhatsApp messages get stored, for what purpose, who the controller is, and how to exercise their rights. A short audio notice at the start of the call plus a link to the privacy policy works. For WhatsApp, a one-time onboarding message covering the same points.
2. Minimise the data. Only record and store what’s needed for the stated purpose. If the goal is to confirm a booking, there’s no reason to keep five minutes of clinical conversation. Well-configured AI assistants retain the structured transcript of the booking, not the full audio. Same logic for WhatsApp: keep what’s necessary for service continuity, delete the rest.
3. Encrypt in transit and at rest. TLS 1.2 or higher for transport and AES-256 for storage are the minimum the AEPD looks at during healthcare inspections. The encryption has to be provable with vendor documentation.
4. Host in the EU. Hosting outside the European Economic Area requires an international transfer with safeguards (standard contractual clauses, adequacy decision). For a small clinic this rarely pays off. If the vendor can’t host natively in the EU, that’s a friction point to sort out before signing.
5. Sign a data processing agreement (DPA). It’s the document governing what the vendor does with your patients’ data. Without it, liability falls entirely on your clinic. Serious vendors provide it by default. HeyCAi includes the DPA before the main contract.
Retention: reasonable periods and what the AEPD expects
GDPR doesn’t set fixed retention periods. It requires data not to be kept longer than necessary for the purpose. That wording leaves room, but there are practical references.
For service calls in general call centres, the common range is 12 to 24 months (NiCE, 2024). For calls with clinical content that period shrinks considerably. In practice, 90 days is a reasonable cap for raw audio of a healthcare call. After that, the sensible path is to keep only the structured transcript (date, time, reason, booking confirmed) and delete the audio.
For WhatsApp, the same logic applies. Operational messages (confirmations, reschedules) can be kept longer for traceability, but anything containing clinical content should follow the 90-day cap unless it becomes part of the patient’s medical file.
The exception is calls or messages that become part of a medical record. In that case sector-specific retention applies: in Spain, Law 41/2002 requires clinical documentation to be kept for at least five years from discharge. But that applies to clinically relevant content, not to the full recording of every scheduling call.
A common mistake is keeping everything “just in case”. The AEPD reads that as processing without a defined purpose, and it’s one of the most frequent causes of retention-based fines in the services sector.
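The retention rules above can be encoded as a policy check that a clinic or vendor runs over its stored items. This is an added example, not code from the article or from any vendor it names; the 90-day caps and the five-year minimum come from the text, while the operational-data period, the `Record` fields and the sample inventory are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RAW_AUDIO_CAP = timedelta(days=90)            # article: cap for raw audio of a healthcare call
CLINICAL_CONTENT_CAP = timedelta(days=90)     # article: clinical WhatsApp/transcript content
MEDICAL_RECORD_MIN = timedelta(days=5 * 365)  # article: Law 41/2002, five years from discharge
OPERATIONAL_CAP = timedelta(days=365)         # assumption: clinic-chosen period for bookings

@dataclass
class Record:
    kind: str                    # "audio", "transcript" or "whatsapp"
    clinical: bool               # carries health data (Article 9 content)
    in_medical_file: bool        # incorporated into the patient's clinical record
    created: date
    discharge: Optional[date] = None  # only meaningful when in_medical_file is True

def retention_decision(rec: Record, today: date) -> str:
    """Return 'keep' or 'delete' for one stored item as of `today`."""
    age = today - rec.created
    if rec.in_medical_file:
        # Sector retention applies and the clock runs from discharge, not creation.
        if rec.discharge is None or today - rec.discharge < MEDICAL_RECORD_MIN:
            return "keep"
        return "delete"  # statutory minimum met; clinic policy may still retain
    if rec.kind == "audio":
        # Raw audio is the most sensitive artefact; only the structured transcript survives.
        return "delete" if age > RAW_AUDIO_CAP else "keep"
    if rec.clinical:
        # Clinical content that never entered the medical file follows the same cap.
        return "delete" if age > CLINICAL_CONTENT_CAP else "keep"
    # Purely operational data (confirmations, reschedules) kept for traceability.
    return "delete" if age > OPERATIONAL_CAP else "keep"

def due_for_deletion(records, today):
    """Indices of items the policy says must be erased (primary copies and backups alike)."""
    return [i for i, r in enumerate(records) if retention_decision(r, today) == "delete"]

if __name__ == "__main__":
    # Constructed sample inventory, not real patient data.
    today = date(2026, 3, 1)
    inventory = [
        Record("audio", True, False, date(2025, 11, 1)),        # 120 days old: delete
        Record("transcript", False, False, date(2025, 11, 1)),  # operational: keep
        Record("whatsapp", True, False, date(2026, 1, 15)),     # 45 days old: keep
        Record("transcript", True, True, date(2024, 2, 1), discharge=date(2024, 3, 1)),
    ]
    for i in due_for_deletion(inventory, today):
        print(f"record {i} ({inventory[i].kind}) must be erased")
```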
Patient rights your vendor must be able to handle
Patients have six main GDPR rights: access, rectification, erasure, objection, restriction and portability. For voice recordings and WhatsApp threads, the first four are where friction shows up.
Access. If the patient asks for a copy of their recordings or messages, the clinic has one month to deliver (Article 12.3 GDPR). The AI vendor has to let you export the data identified by patient. If it can’t, your clinic is out of compliance.
Erasure. The right to be forgotten means permanently deleting audio, transcripts and messages. A vendor that just “marks as deleted” without physical erasure doesn’t comply. Backups follow the same rule: the rotation schedule should be documented.
Rectification. If the patient spots an error in a transcript (a misattributed symptom, for example), they have the right to have it corrected. Easier on structured transcripts than raw audio.
Objection. The patient can object to being recorded or messaged. If the legal basis was consent, withdrawal is immediate. If it was legitimate interest, the clinic has to run a new balancing test, which rarely ends in the clinic’s favour.
What to ask your AI vendor before signing
A short, practical list:
| Question | Answer to accept |
|---|---|
| Where is the data hosted? | EU, region confirmed in writing |
| Encryption in transit and at rest? | TLS 1.2+ and AES-256, documented |
| Retention for audio and transcripts? | Audio: 90 days max. Transcripts: configurable |
| Retention for WhatsApp messages? | Configurable, with clinical-content rules |
| Access/erasure request handling? | Dashboard with per-patient export and deletion |
| Data Processing Agreement? | Yes, signed before the main contract |
| Sub-processors used? | Public, maintained list |
| Breach notification? | Under 72h to the controller (your clinic) |
The sub-processor question is the one most vendors dodge. Every AI assistant leans on several providers underneath (language model, transcription, telephony, storage, WhatsApp BSP). The list must be available and current, and each one should have its own processing contract.
Frequently asked questions
Do I need explicit patient consent to record the call or store WhatsApp messages?
For recording the operational part (booking, confirming, cancelling) you can rely on legitimate interest if you pass the balancing test. For the clinical content inside the conversation, you do need explicit patient consent under Article 9 GDPR. In practice, a notice at the start of the call plus documented consent in the patient’s record is the cleanest path. For WhatsApp, a one-time onboarding consent message at first contact.
How long can I keep call recordings and WhatsApp messages?
There’s no fixed period. The GDPR rule is not to keep more than necessary. For healthcare calls, 90 days is a reasonable cap on raw audio. After that, common practice is to keep only the structured transcript (date, reason, booking). If the recording becomes part of the patient’s clinical record, healthcare-specific retention applies (at least 5 years in Spain under Law 41/2002).
Can I use an AI assistant whose vendor hosts data in the US?
Yes, but it adds complexity. You’d have to sign standard contractual clauses, document an international transfer and assess the destination country’s protection level. For a small clinic it rarely pays off. The cleanest option is a vendor with native EU hosting, ideally with the region confirmed in writing.
HeyCAi hosts in the EU by default.
What happens if a patient exercises their right to be forgotten?
Your clinic has one month to respond. The AI vendor must let you identify every recording, transcript and WhatsApp message tied to that patient and delete them permanently, including backups. If the vendor only “marks as deleted” without physical removal, compliance is partial and liability stays with your clinic.
Who’s responsible if a breach happens at the vendor?
Your clinic is the controller and answers to the patient and the data protection authority. The vendor is the processor and answers to the clinic according to the signed contract. That’s why the contract needs to spell out security obligations, breach notification under 72 hours and assistance if the authority requests it. Without that contract, all liability concentrates on the clinic.
If you want to see how HeyCAi handles these compliance points in practice, get a live demo call in 30 seconds. For the voice side specifically (where the GDPR concerns are most acute), HeyCAi Voice on callcai.ai has more detail.