External DPO for clinics: when mandatory and cost in 2026

·

If you manage a private medical clinic — whether general medicine, physiotherapy, dentistry, psychology, ophthalmology or any other specialty — you are most likely required to appoint a Data Protection Officer (DPO) and have them duly registered with the Spanish Data Protection Agency (AEPD). The GDPR leaves no room for interpretation when it comes to health data: it is classified as a special category, and that triggers specific obligations that go beyond basic compliance.

This article explains exactly when a DPO is mandatory for a clinic, what functions they must fulfil, why the external figure is the most common option for healthcare SMEs, and what the real market price ranges are in Spain in 2026. You will not find Summum's rates here: the figures we publish are market references based on sector sources.

What the regulations say: GDPR and LOPDGDD

Article 37.1 of Regulation (EU) 2016/679 (GDPR) establishes three scenarios that require the appointment of a DPO. The one that directly affects the healthcare sector is point c: when the controller or processor carries out large-scale processing of special categories of data referred to in Article 9. Health data is, by definition, a special category.

Organic Law 3/2018 (LOPDGDD), in its Article 34, extends the scenarios at national level and expressly mentions healthcare centres that process patient data. The AEPD has also published a guide on the DPO clarifying that the «large-scale» criterion must be interpreted in light of the number of people affected, the volume of data, the duration of the processing and the geographical scope — but that in the healthcare context, the mere existence of an active patient clinical record database may already be sufficient.

In practice, any clinic with active patient clinical records — even if it has only one doctor — must assess whether the obligation applies. Clinics with several professionals, multiple specialties or more than one site almost certainly fall under it.

When is a DPO mandatory for a private clinic: table of scenarios

Type of centre DPO mandatory? Legal basis
Clinic with electronic medical records and more than 200 active patients Yes, with high probability GDPR art. 37.1.c + LOPDGDD art. 34
Psychology or psychiatry practice (additional sensitive data) Yes GDPR art. 37.1.c and art. 9
Physiotherapy centre with a chronic patient base Yes, in virtually all cases GDPR art. 37.1.c
Dental clinic with an external prosthetics laboratory Yes (large-scale processing + data processor) GDPR art. 37.1.c
Self-employed registered doctor, no staff, no digitised records Likely exception, case-by-case analysis Recital 97 GDPR
Clinic with insurance company agreements (Sanitas, Adeslas, Asisa…) Yes (data flow to third parties) GDPR arts. 26, 37 and 28

The AEPD has systematically fined private clinics precisely for failing to appoint a DPO when the obligation existed. The amount of fines for infringement of Article 37 falls within the tier of serious infringements under Article 83.4 of the GDPR: up to 10 million euros or 2% of total annual worldwide turnover, although the proportionality criterion reduces that ceiling for SMEs.

Functions of the DPO in a medical clinic

The DPO is not simply a person who signs documents. Their functions are set out in Article 39 of the GDPR and are enforceable regardless of whether the role is performed internally or externally:

In a private clinic environment, the external DPO also typically handles staff training (doctors, administrative staff, cleaning personnel with access to data areas), keeps the Record of Processing Activities (RPA) up to date — a mandatory document under Article 30 of the GDPR — and reviews contracts with processors such as laboratories, clinical management software providers or insurance companies.

Internal DPO vs. external DPO: why private clinics almost always choose the external option

The GDPR allows both internal and external appointment. However, in healthcare SMEs the balance consistently tips towards the external DPO for several reasons:

If you want to explore how this service is structured for the healthcare sector, you can visit the healthcare GDPR page at Summum Consultoría, which details the specific processing activities in the clinical environment and the security measures required by Spanish regulations.

How much does an external DPO cost for a clinic in Spain in 2026

Market prices in Spain for the external DPO service in the healthcare sector vary depending on several factors. Below is a table of indicative ranges based on market supply (source: sector analysis by data protection specialist consultancies, 2025-2026):

Clinic profile Approximate annual price range Factors that increase the price
Solo or duo practice (1-2 professionals, 1 site) €800 – €1,800 / year Telemedicine, minors, third-party cloud software
Small clinic (3-10 professionals, 1 site) €1,800 – €3,500 / year Sensitive specialties (psychology, oncology), video surveillance
Medium clinic (11-30 professionals, 1-3 sites) €3,500 – €7,000 / year Multiple sites, insurance company integration, cloud EHR
Clinic group (more than 3 sites or 30+ professionals) €7,000 – €15,000 / year Annual audits, recurring DPIAs, complex incident management

Note: these ranges are indicative of the Spanish market in 2026. The final price depends on the scope agreed with the chosen provider. Some providers charge for additional hours outside the base contract; others include all incidents in the flat fee. Always compare what is included.

Factors that affect the price of an external DPO

The DPO appointment process: concrete steps

Appointing an external DPO is not simply a matter of signing a contract. The process has concrete steps with legal effects:

  1. Selection and accreditation of the DPO. Verify that the candidate has specialist knowledge in data protection law and practice, with demonstrable experience in the healthcare sector. The GDPR does not require official certification, but the AEPD views accredited training positively.
  2. Service contract. It must include the DPO's functions, a confidentiality commitment, functional independence, access to the necessary information and the point of contact for the AEPD.
  3. Notification to the AEPD. Article 37.7 of the GDPR requires the DPO's contact details to be published and communicated to the supervisory authority. In Spain, this is done through the AEPD's Electronic Office. Failure to register is itself an infringement.
  4. Publication of contact details. These must appear in the centre's privacy policy and be available to patients.
  5. Integration into internal processes. The DPO must be integrated into incident protocols, the review of new processing activities, and contracts with technology providers.

Real AEPD fines against clinics for non-compliance

The AEPD has systematically sanctioned healthcare centres in recent years. Some representative examples from the AEPD resolution search engine:

The pattern is clear: the AEPD does not only sanction actual breaches, but also formal non-compliance such as the absence of a registered DPO or the lack of contracts with processors. Addressing those formal shortcomings with an external DPO service specialised in the healthcare sector is the most direct way to eliminate that risk.

External DPO and ENS: when obligations overlap

Clinics that work with the public health system — through agreements with regional authorities or service contracts with the National Health System (SNS) — may also be subject to the National Security Framework (ENS), which requires additional technical and organisational measures for information systems. In that case, the external DPO and the ENS security officer must coordinate, although they are distinct roles with different obligations.

Frequently asked questions

Does a single-doctor clinic need a DPO?

It depends on the volume and nature of the processing. Recital 97 of the GDPR acknowledges that individual doctors or other health professionals may be exempt from the obligation to appoint a DPO if data processing is not carried out «on a large scale». However, the AEPD has clarified in its DPO guide that even in small practices, the digital medical records of hundreds of patients may be considered large-scale processing in the healthcare context. The practical recommendation: carry out a documented risk analysis. If the conclusion is that it is not mandatory, that conclusion should be recorded in writing.

Can the clinic's own head doctor act as DPO?

The GDPR does not expressly prohibit it, but it raises serious independence problems. Article 38.6 states that the DPO may perform other tasks and duties, provided that they do not give rise to a conflict of interests. A head doctor who takes decisions about data processing activities — how medical records are managed, which systems are contracted, how information is shared with insurance companies — has a structural conflict of interests when it comes to overseeing themselves. The AEPD has questioned this arrangement in several proceedings.

How long does it take for an external DPO to become operational?

Once the contract is signed and the DPO's details are communicated to the AEPD, the role is formally operational immediately. The time needed for the external DPO to become thoroughly familiar with the clinic's processing activities and be in a position to handle incidents with full assurance is usually 4 to 8 weeks, during which an initial diagnosis is carried out, the RPA is updated and contracts with processors are reviewed.

What is the difference between GDPR compliance and the DPO service?

They are two different things that usually go together. GDPR compliance is the initial project: inventorying processing activities, drafting the RPA, preparing information clauses, reviewing or creating contracts with processors, implementing technical and organisational security measures, and registering the DPO. It is a consulting project with a start and an end. The external DPO service is the recurring maintenance: monitoring that compliance is maintained, advising on new processing activities, managing incidents, updating the RPA when processes change. For clinics starting from scratch, both projects are necessary: first compliance, then ongoing DPO maintenance.