Why your dental chatbot may be breaking the law — and what to do about it
AI chatbots are becoming standard in dental clinics across Europe. They handle appointment bookings, answer patient questions, and work around the clock. The problem? Most popular chatbot tools were never designed to handle health data — and the legal landscape is shifting fast.
In this article, we break down what the law says, where common chatbot solutions fall short, and what your clinic needs to do to stay compliant — especially with GDPR and the upcoming EU AI Act.
What the law says about dental appointment data
In October 2024, the Court of Justice of the EU issued a landmark ruling in case C-21/23 (Lindenapotheke). In simple terms: the court held that the data a customer enters when ordering pharmacy-only medicines online is health data under Article 9 GDPR, even when the medicine requires no prescription and the customer is only likely, not certain, to be the person who will use it.
For dentistry, this has a concrete implication: the mere fact that someone books a dental appointment may qualify as health data. A chatbot that collects appointment times, symptoms, or treatment history should therefore be assumed to be processing special category data.
The consequences are significant. Processing special category data requires one of the conditions in Article 9(2) GDPR. For a clinic this is typically the patient's explicit consent (Article 9(2)(a)) or, where the processing is necessary for providing care and takes place under a duty of professional secrecy, Article 9(2)(h) read with Article 9(3). Whichever condition applies, the controller must also implement technical and organisational safeguards appropriate to the risk (Article 32), and many popular chat tools simply do not offer them.
Common chatbots and sensitive data
General-purpose chat widgets — the kind you can install on your website in minutes — were not designed with health data in mind. Their servers are often located in the US, and their data processing agreements (DPAs) do not account for the specifics of Article 9 GDPR. Some explicitly prohibit processing special category data in their terms of service.
The same applies to chatbots built into marketing tools and CRM systems. They are designed for sales and lead generation, not for protecting medical data. They lack end-to-end encryption, granular retention controls, and consent mechanisms tailored to healthcare requirements.
The biggest issue is that most clinics do not realise they need special protections. The chatbot "just works", but from a legal standpoint it may be creating exposure to fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher (Article 83(5) GDPR).
EU AI Act — what is coming in August 2026
On 2 August 2026, the transparency obligations under the EU AI Act (Regulation (EU) 2024/1689) begin to apply. Article 50(1) requires providers of AI systems intended to interact directly with people to design them so that the user is informed they are communicating with an AI, unless that is obvious from the circumstances to a reasonably well-informed person.
Penalties for non-compliance reach EUR 15 million or 3% of global annual turnover, whichever is higher (Article 99(4)). Many dental chatbots today do not identify themselves as AI; from 2 August 2026, operating one that way will be unlawful.
Article 50(2) adds a requirement for synthetic content: providers of systems that generate synthetic audio must ensure the output is marked in a machine-readable format and is detectable as artificially generated. If your clinic uses a voicebot to answer phone calls, this applies to you too.
Compliance checklist for your clinic
A DPA (data processing agreement) with your chatbot provider that meets Article 28 GDPR. This is the foundational document governing who processes your patients' data, how, and for what purpose.
A DPIA (data protection impact assessment) under Article 35 GDPR if your chatbot processes data about appointments, symptoms, or treatment history.
A GDPR information notice for patients using the chatbot. Patients must know what data is collected, for what purpose, how long it will be retained, and who it is shared with.
Servers processing the data located in the EEA. Transfers outside the EEA are only permitted under a valid adequacy decision (for the US, this covers only organisations certified under the EU-US Data Privacy Framework) or under standard contractual clauses backed by a transfer impact assessment.
An AI identification mechanism in the patient conversation. The chatbot should clearly communicate that the user is speaking with artificial intelligence.
A data retention policy specifying how long conversation records are kept and when they are deleted.
How Flowright approaches compliance
Flowright is built from the ground up for EU law compliance. The infrastructure runs exclusively on servers within the European Economic Area, and a DPA is included as a standard part of every client agreement. Each clinic also receives a DPIA template tailored to the specifics of a dental chatbot.
The Flowright chatbot automatically identifies itself as AI at the start of every conversation, meeting the Article 50 requirement ahead of its 2 August 2026 application date. Every client receives a full legal documentation package, ready to present in case of a supervisory authority audit. The information on this page is general in nature and does not constitute legal advice.
Next step
Not sure whether your current chatbot meets the requirements? Book a free consultation — we will review it together. We will analyse your current tools, identify compliance gaps, and propose concrete remediation steps.
Want to find out how much your clinic is losing?
Get your free audit — report in 48h.