Do I need patient consent to do an AI analysis of my patient’s photo without creating a case in GMDB?
Yes, patient consent is required for analyzing a patient’s photo with GestaltMatcher AI, unless you have a data processing agreement (DPA) in place with the provider. A DPA allows the analysis to be performed under GDPR-compliant data processing, for example via an Application Programming Interface (API), without additional consent.
The need for consent depends on how you use GestaltMatcher AI:
A. Analysis within your own institution’s IT infrastructure (on-premise):
If GestaltMatcher AI runs locally within your institution's IT infrastructure, the data does not leave your institution. In this case, no additional consent is required, as the analysis falls under the existing treatment relationship (Germany: Behandlungsvertrag).
B. Analysis via API with a data processing agreement (DPA):
If you access GestaltMatcher AI through an Application Programming Interface (API) and have a data processing agreement (DPA) with the provider of the service, no additional consent is needed. In this case, the provider acts as a data processor under GDPR.
C. Analysis using the GestaltMatcher app or the Analyze Patient feature on GMDB without a DPA:
If you analyze a photo via the web interface or mobile app (Android | Apple) and no DPA exists, explicit patient consent is required. In this case, the data is processed by an external provider and thus qualifies as data sharing under GDPR.
Also important:
- This section refers specifically to analysis with GestaltMatcher AI, so “consent” means permission to analyze the photo, not consent for publication in the GestaltMatcher Database.
- When you use the app or the Analyze Patient function, the image is not stored long-term; it is used only for the AI analysis session and then deleted.
- There is no automatic link between the app and GMDB. Analyzing a photo does not create a case in the database.
→ See also: Do I need patient consent to upload a case to GMDB?