If you manage a private medical clinic — whether general medicine, physiotherapy, dentistry, psychology, ophthalmology or any other specialty — you are most likely required to appoint a Data Protection Officer (DPO) and have them duly registered with the Spanish Data Protection Agency (AEPD). The GDPR leaves no room for interpretation when it comes to health data: it is classified as a special category, and that triggers specific obligations that go beyond basic compliance.
This article explains exactly when a DPO is mandatory for a clinic, what functions they must fulfil, why the external figure is the most common option for healthcare SMEs, and what the real market price ranges are in Spain in 2026. You will not find Summum's rates here: the figures we publish are market references based on sector sources.
What the regulations say: GDPR and LOPDGDD
Article 37.1 of Regulation (EU) 2016/679 (GDPR) establishes three scenarios that require the appointment of a DPO. The one that directly affects the healthcare sector is point c: when the controller or processor carries out large-scale processing of special categories of data referred to in Article 9. Health data is, by definition, a special category.
Organic Law 3/2018 (LOPDGDD), in its Article 34, extends the scenarios at national level and expressly mentions healthcare centres that process patient data. The AEPD has also published a guide on the DPO clarifying that the «large-scale» criterion must be interpreted in light of the number of people affected, the volume of data, the duration of the processing and the geographical scope — but that in the healthcare context, the mere existence of an active patient clinical record database may already be sufficient.
In practice, any clinic with active patient clinical records — even if it has only one doctor — must assess whether the obligation applies. Clinics with several professionals, multiple specialties or more than one site almost certainly fall under it.
When is a DPO mandatory for a private clinic: table of scenarios
| Type of centre | DPO mandatory? | Legal basis |
|---|---|---|
| Clinic with electronic medical records and more than 200 active patients | Yes, with high probability | GDPR art. 37.1.c + LOPDGDD art. 34 |
| Psychology or psychiatry practice (additional sensitive data) | Yes | GDPR art. 37.1.c and art. 9 |
| Physiotherapy centre with a chronic patient base | Yes, in virtually all cases | GDPR art. 37.1.c |
| Dental clinic with an external prosthetics laboratory | Yes (large-scale processing + data processor) | GDPR art. 37.1.c |
| Self-employed registered doctor, no staff, no digitised records | Likely exception, case-by-case analysis | Recital 97 GDPR |
| Clinic with insurance company agreements (Sanitas, Adeslas, Asisa…) | Yes (data flow to third parties) | GDPR arts. 26, 37 and 28 |
The AEPD has systematically fined private clinics precisely for failing to appoint a DPO when the obligation existed. The amount of fines for infringement of Article 37 falls within the tier of serious infringements under Article 83.4 of the GDPR: up to 10 million euros or 2% of total annual worldwide turnover, although the proportionality criterion reduces that ceiling for SMEs.
Functions of the DPO in a medical clinic
The DPO is not simply a person who signs documents. Their functions are set out in Article 39 of the GDPR and are enforceable regardless of whether the role is performed internally or externally:
- Inform and advise the centre and its staff on their obligations under the GDPR and LOPDGDD.
- Monitor compliance: verify that data processing activities (medical records, video surveillance, data concerning minors, etc.) are carried out in accordance with the legal framework.
- Advise on Data Protection Impact Assessments (DPIAs), mandatory when processing health data at large scale or using technologies such as telemedicine.
- Cooperate with the AEPD and act as the point of contact in the event of a complaint or investigation.
- Manage security breaches: in the healthcare sector, the leakage of a medical record must be notified to the AEPD within 72 hours.
In a private clinic environment, the external DPO also typically handles staff training (doctors, administrative staff, cleaning personnel with access to data areas), keeps the Record of Processing Activities (RPA) up to date — a mandatory document under Article 30 of the GDPR — and reviews contracts with processors such as laboratories, clinical management software providers or insurance companies.
Internal DPO vs. external DPO: why private clinics almost always choose the external option
The GDPR allows both internal and external appointment. However, in healthcare SMEs the balance consistently tips towards the external DPO for several reasons:
- Guaranteed independence. Article 38.3 of the GDPR prohibits the DPO from receiving instructions in the performance of their tasks. An employee of the centre who simultaneously reports to the medical director can hardly exercise that independence. The external DPO has it structurally.
- Specialist knowledge without training costs. Hiring and training an internal DPO to the level required by the AEPD (healthcare regulations + GDPR + LOPDGDD + NIS2 in some cases) takes time and money that most private clinics do not have.
- Availability during incidents. An external DPO with a portfolio of healthcare clients is available to manage a security breach within the 72-hour window set by the GDPR; an internal DPO on holiday or on sick leave is not.
- Service continuity. If the internal DPO leaves, the clinic falls into immediate non-compliance. With an external provider, the contract guarantees continuity.
If you want to explore how this service is structured for the healthcare sector, you can visit the healthcare GDPR page at Summum Consultoría, which details the specific processing activities in the clinical environment and the security measures required by Spanish regulations.
How much does an external DPO cost for a clinic in Spain in 2026
Market prices in Spain for the external DPO service in the healthcare sector vary depending on several factors. Below is a table of indicative ranges based on market supply (source: sector analysis by data protection specialist consultancies, 2025-2026):
| Clinic profile | Approximate annual price range | Factors that increase the price |
|---|---|---|
| Solo or duo practice (1-2 professionals, 1 site) | €800 – €1,800 / year | Telemedicine, minors, third-party cloud software |
| Small clinic (3-10 professionals, 1 site) | €1,800 – €3,500 / year | Sensitive specialties (psychology, oncology), video surveillance |
| Medium clinic (11-30 professionals, 1-3 sites) | €3,500 – €7,000 / year | Multiple sites, insurance company integration, cloud EHR |
| Clinic group (more than 3 sites or 30+ professionals) | €7,000 – €15,000 / year | Annual audits, recurring DPIAs, complex incident management |
Note: these ranges are indicative of the Spanish market in 2026. The final price depends on the scope agreed with the chosen provider. Some providers charge for additional hours outside the base contract; others include all incidents in the flat fee. Always compare what is included.
Factors that affect the price of an external DPO
- Number of sites and locations. Each site requires a separate RPA, possible additional DPIAs and in-person visits or meetings.
- Patient volume and number of processing activities. The larger the patient base, the greater the risk surface and the more supervision hours required.
- Technologies used. Telemedicine, cloud-based electronic health records (SaaS), video surveillance with recording, patient monitoring mobile apps or integration with connected medical devices all require specific analyses and their own DPIAs.
- Medical specialties. Psychology, psychiatry, assisted reproduction or oncology generate particularly sensitive data requiring additional layers of legal analysis.
- Starting point. A clinic starting from scratch requires an initial compliance project (an additional €1,500 to €5,000 according to market rates) before entering the recurring DPO maintenance phase.
- Insurance company agreements. Acting as a processor for one or more insurance companies multiplies the number of processing contracts that need to be managed and reviewed.
The DPO appointment process: concrete steps
Appointing an external DPO is not simply a matter of signing a contract. The process has concrete steps with legal effects:
- Selection and accreditation of the DPO. Verify that the candidate has specialist knowledge in data protection law and practice, with demonstrable experience in the healthcare sector. The GDPR does not require official certification, but the AEPD views accredited training positively.
- Service contract. It must include the DPO's functions, a confidentiality commitment, functional independence, access to the necessary information and the point of contact for the AEPD.
- Notification to the AEPD. Article 37.7 of the GDPR requires the DPO's contact details to be published and communicated to the supervisory authority. In Spain, this is done through the AEPD's Electronic Office. Failure to register is itself an infringement.
- Publication of contact details. These must appear in the centre's privacy policy and be available to patients.
- Integration into internal processes. The DPO must be integrated into incident protocols, the review of new processing activities, and contracts with technology providers.
Real AEPD fines against clinics for non-compliance
The AEPD has systematically sanctioned healthcare centres in recent years. Some representative examples from the AEPD resolution search engine:
- Fines of between €3,000 and €30,000 to private clinics for lack of an RPA, absence of a DPO or breaches of clinical record confidentiality.
- Sanctions for sharing patient data with insurance companies without a formalised processing contract.
- Enforcement proceedings for failing to notify a security breach (unauthorised access to a medical record) within the 72-hour deadline.
The pattern is clear: the AEPD does not only sanction actual breaches, but also formal non-compliance such as the absence of a registered DPO or the lack of contracts with processors. Addressing those formal shortcomings with an external DPO service specialised in the healthcare sector is the most direct way to eliminate that risk.
External DPO and ENS: when obligations overlap
Clinics that work with the public health system — through agreements with regional authorities or service contracts with the National Health System (SNS) — may also be subject to the National Security Framework (ENS), which requires additional technical and organisational measures for information systems. In that case, the external DPO and the ENS security officer must coordinate, although they are distinct roles with different obligations.
Frequently asked questions
Does a single-doctor clinic need a DPO?
It depends on the volume and nature of the processing. Recital 97 of the GDPR acknowledges that individual doctors or other health professionals may be exempt from the obligation to appoint a DPO if data processing is not carried out «on a large scale». However, the AEPD has clarified in its DPO guide that even in small practices, the digital medical records of hundreds of patients may be considered large-scale processing in the healthcare context. The practical recommendation: carry out a documented risk analysis. If the conclusion is that it is not mandatory, that conclusion should be recorded in writing.
Can the clinic's own head doctor act as DPO?
The GDPR does not expressly prohibit it, but it raises serious independence problems. Article 38.6 states that the DPO may perform other tasks and duties, provided that they do not give rise to a conflict of interests. A head doctor who takes decisions about data processing activities — how medical records are managed, which systems are contracted, how information is shared with insurance companies — has a structural conflict of interests when it comes to overseeing themselves. The AEPD has questioned this arrangement in several proceedings.
How long does it take for an external DPO to become operational?
Once the contract is signed and the DPO's details are communicated to the AEPD, the role is formally operational immediately. The time needed for the external DPO to become thoroughly familiar with the clinic's processing activities and be in a position to handle incidents with full assurance is usually 4 to 8 weeks, during which an initial diagnosis is carried out, the RPA is updated and contracts with processors are reviewed.
What is the difference between GDPR compliance and the DPO service?
They are two different things that usually go together. GDPR compliance is the initial project: inventorying processing activities, drafting the RPA, preparing information clauses, reviewing or creating contracts with processors, implementing technical and organisational security measures, and registering the DPO. It is a consulting project with a start and an end. The external DPO service is the recurring maintenance: monitoring that compliance is maintained, advising on new processing activities, managing incidents, updating the RPA when processes change. For clinics starting from scratch, both projects are necessary: first compliance, then ongoing DPO maintenance.