Athegus

May robots in hospitals listen in? Voice control and data protection

Publication: Service Robots in Hospitals – On the Data Protection Assessment of Voice-Controlled Systems

Authors: B. Buchner, S. Schmidt, S. Wilhelm

Published in: Datenschutz und Datensicherheit – DuD 49 (8), pp. 527–532 (2025)

DOI: 10.1007/s11623-025-2133-0

In brief

A robot that responds to your voice is far more useful in a busy hospital than one that must be operated through a cumbersome interface. Nursing and service staff on a ward rarely have a hand free; anyone who has to steer a transport robot, a reception assistant or a delivery service through a touch panel loses time and attention precisely where both are scarce. Voice is therefore the obvious way to operate such a system – it works in passing, on the move, without having to stop and tap.

But voice control means the robot is listening – and in a hospital's public areas, patients, visitors and staff inevitably end up on the microphone. Anyone speaking in an entrance hall, a corridor or in front of a lift is not only issuing commands; snatches of conversation, names, sometimes even hints about a person's own state of health are picked up alongside. That puts us squarely into data-protection law.

This paper, written in collaboration with Prof. Dr. Benedikt Buchner (University of Augsburg), systematically analyses whether and how voice-controlled service robots can be operated lawfully in Bavarian hospitals. It is one of the few legally grounded examinations of a technology that has long been technically available but is barely understood legally. Rather than treating the question in the abstract, the study works from a concrete deployment scenario, making visible exactly where the technology touches the legal framework.

Why a hospital is a particularly sensitive place

A hospital is no ordinary public space. Almost everyone who enters does so in a vulnerable situation – as a patient, as a relative, as someone waiting for a diagnosis. Mere presence can by itself permit inferences about a person's health. That is precisely why protecting data here is not just a formal duty but a precondition for the trust without which medical care cannot function.

On top of that, those affected cannot avoid a robot in the corridor the way they can choose not to use an app. They do not pick the situation; they find themselves in it. A technology that listens in this environment must therefore be designed from the outset to take the protective needs of this particular place seriously – not after the fact, through notices and consents that nobody reads in the bustle anyway.

The core question: are voice data especially sensitive?

At the centre is the classification of voice data. Is it personal data? As a rule, yes. But does it also count as special-category data – such as health data under Art. 9 GDPR – the moment someone speaks about their concern in front of the robot? The answer determines how high the legal bar sits.

The difference is considerable: ordinary personal data is subject to the regular standard of lawful grounds for processing; special-category data is additionally subject to a general prohibition on processing, from which deviation is permitted only under narrow conditions. Whether an utterance becomes a statement about health by its content alone cannot be answered across the board – it depends on what is said and in what context. Working out this distinction cleanly is the real legal labour of the paper.

The paper examines this against the relevant frameworks: the GDPR, the German Federal Data Protection Act (BDSG) and – as a regional particularity – the Bavarian Hospital Act (BayKrG). Using a concrete use case, it works through to what extent a voice-controlled robot may be deployed at all in a hospital's publicly accessible areas. The fact that, alongside European and national law, Bavarian regional law also comes into play shows how tightly the regulatory layers are interwoven – and why a hasty answer rarely holds.

The answer lies in the technology

The conclusion is not a blanket "prohibited" but a line of reasoning for operation that is both lawful and practical. The key is technical safeguards, above all two principles:

  • Local processing: voice data is processed on the device or within the hospital infrastructure, not transferred to an external cloud.
  • Immediate deletion: audio recordings are deleted right after processing – not stored, not shared.

The thinking behind this is the same that underpins data-protection law as a whole: what is never permanently captured, stored or passed on cannot be misused, lost or repurposed either. Local processing prevents sensitive content from leaving the building and slipping out of the hospital's control. Immediate deletion ensures that once a task is done, no usable body of data remains. Neither measure is a retrofitted safeguard; both are part of the technical design itself – they put the principles of data protection by design and by default into practice.

Building data minimisation and privacy into the architecture this way lets you reap the benefits of voice control without disproportionately interfering with the rights of those affected. Legal assessment and technical design thus converge: here, a cleanly built architecture is at the same time the best legal defence.

Why this is central for us

This insight is not a legal footnote but a design requirement for our products. "Process locally, delete immediately" is exactly the line we pursue with the Axiona middleware and with hospOS: a software layer that controls data flows and keeps sensitive data from leaving the building in the first place. For us, data protection and digital sovereignty are not an after-the-fact compliance chore but part of the architecture – and this publication provides the legal rationale for it.

For hospitals this brings a practical advantage: they do not have to choose between ease of use and legal certainty. An architecture that holds data back by default makes the data-protection assessment easier, reduces the attack surface and makes deploying new technology defensible in the first place. This very combination of benefit and sovereignty is the standard against which we measure our systems – more on this under digital sovereignty.

Note: the paper assesses the legal situation as of publication (2025) and does not replace case-specific legal advice.
