Attenzione on Health Data? Italy’s Data Protection Authority Raises Alarm Over Health Data on AI Platforms

In late July, Italy’s Data Protection Authority (DPA) issued a warning about what it considered a troubling new trend: the uploading of sensitive medical data—including clinical analyses, X-rays, and other diagnostic reports—into generative AI platforms.

Described as an “alarming phenomenon,” the DPA’s press release highlights its concerns about how these platforms handle sensitive personal data, particularly health-related information. This comes amid increasing global scrutiny of AI models and their compliance with data protection standards.

Italy’s Active Role in AI Oversight

Italy’s DPA has emerged as one of the most prominent regulators in the AI and data privacy space. It was the first to request a temporary suspension of ChatGPT in March 2023, citing concerns about the platform’s data handling practices. More recently, it made a similar move with Deepseek in January 2025.

This latest statement underscores Italy’s intent to maintain its prominence in shaping how AI and personal data—especially sensitive categories like health data—should be managed under GDPR.

Key Takeaways for Data Controllers

The DPA’s guidance contains several clear directives for data controllers, particularly those in healthcare and adjacent sectors:

  • Professional Oversight is Essential: Any AI-generated analysis or response involving clinical data should be verified by a qualified medical professional. Relying solely on AI outputs, especially in a healthcare setting, could pose risks to patient safety and data integrity.
  • Understand the AI Platform’s Data Practices: Before uploading any personal data to generative AI models, controllers must consult the platform’s privacy policy to understand how that data will be stored, retained, or potentially used in future model training.

What This Means for Healthcare Providers and AI Users

These warnings don’t just apply to the developers of AI platforms—they extend to the hospitals, general practitioners, and other entities feeding data into these systems. Simply put, uploading patient data without appropriate safeguards and legal basis is not only risky but may be unlawful.

A Data Protection Impact Assessment (DPIA) is likely to be essential in such circumstances. Such assessments should include:

  • A clear justification for using AI in processing patient data;
  • A legal basis for data processing under GDPR;
  • Risk assessments related to re-identification, misuse, or unauthorized access;
  • Safeguards to ensure that, for example, a summarised medical report doesn’t inadvertently appear in future AI outputs—or worse, become accessible via search engines, as happened last month with some queries to ChatGPT, though this content was quickly removed after public backlash.

Conclusion

The use of generative AI must be approached with care, particularly when it involves sensitive categories of personal data such as health records. Organizations using or integrating such technologies need to ensure compliance not just in the development phase, but also in deployment and day-to-day use. This includes understanding where inputs might end up after they are submitted, and ensuring quality control before outputs are relied upon.

Failing to do so may expose individuals to privacy risks—and organizations to regulatory and public scrutiny.

If your organization is exploring the use of generative AI in a healthcare or data-sensitive context, our team can help you navigate the complex regulatory landscape. From conducting DPIAs to reviewing platform privacy policies and designing compliant workflows, we’re here to support you.

Get in touch with our team to discuss how we can help you manage AI risk and protect personal data responsibly.

About Us

BLG Bortstein Legal Group

We are a noted leader in the areas of technology, market data, digital content, privacy, cyber-security, outsourcing, and vendor contracts.
