Every time a dental clinic opens a clinical record, digitises an X-ray or sends an appointment reminder via WhatsApp, it is processing special-category data within the meaning of Article 9 of the General Data Protection Regulation (GDPR, Regulation EU 2016/679). This is not a minor detail: health data enjoys the highest level of protection provided by European law, and incorrect processing can lead to sanctions in Spain ranging from €10,000 to €20 million, or 4% of total annual worldwide turnover, whichever is higher.
The Spanish Data Protection Agency (AEPD) has sanctioned dental clinics, health centres and hospitals for data breaches, unauthorised access to clinical records and the absence of adequate technical measures. The healthcare sector is, alongside the financial and telecommunications sectors, one of those that concentrates the highest number of sanctioning decisions. The question is not whether your clinic needs to comply with the GDPR, but when and how to start.
In this article you will find the complete answer: what the regulation requires, when appointing a Data Protection Officer (DPO) is mandatory, what functions the DPO has, how to outsource the role to an external DPO, and the specific steps a dental clinic must take in 2025–2026 to be compliant.
Why dental clinics are a priority target for the AEPD
Dental clinics hold, in a single database, extremely sensitive information: dental diagnoses, panoramic and periapical X-rays, budgets linked to the patient's health status, treatments carried out, prescribed medication and, in many cases, personal and billing data. All of this under one organisation, often managed with minimal IT resources.
Organic Law 3/2018 on Personal Data Protection and the Guarantee of Digital Rights (LOPDGDD) reinforces the GDPR in the Spanish context and, in its Article 9, expressly designates health centres and health professionals as entities required to comply with the enhanced requirements for the processing of health data. Additionally, Law 41/2002 on Patient Autonomy sets out patients' rights over their clinical records, which overlap with the data subject rights under the GDPR (access, rectification, erasure, portability).
The high-risk profile that the AEPD assigns to these entities stems from several concurrent factors:
- High volume of health data processing, even when the clinic has few employees.
- Use of dental management software (Gesden, Dentalink, Clinic Cloud, etc.) that may be poorly configured in terms of user permissions or backup procedures.
- Communication with patients via insecure channels (the professional's personal WhatsApp, unencrypted email).
- Transfer of data to laboratories, dental insurers or payment instalment companies without up-to-date data processing agreements.
- Absence of a Record of Processing Activities (RoPA) and documented risk analysis.
When is it mandatory to appoint a DPO at a dental clinic?
Article 37 of the GDPR establishes three scenarios in which appointing a Data Protection Officer is mandatory. Two of them apply directly to dental clinics:
- Large-scale processing of health data (Art. 37.1.c GDPR). The Article 29 Working Party—now the European Data Protection Board (EDPB)—clarified in the Guidelines on Data Protection Officers (WP243rev01) that «large scale» is not measured solely by the absolute number of patients, but also by the nature of the processing, its geographical scope and its duration. A clinic with several chairs, multiple locations or managing the active clinical records of thousands of patients falls within this threshold.
- Core activity requiring large-scale, systematic monitoring of data subjects (Art. 37.1.b GDPR). In the case of a clinic providing implantology, orthodontics or periodontology, the continuous monitoring of the patient's dental condition over months or years may fall within this scenario.
Additionally, the AEPD's 2019 Binding Opinion on the healthcare sector clarified that health centres and clinics that process health data on a routine basis—even with few employees—must assess whether they are under this obligation. The AEPD generally recommends that any healthcare entity appoint a DPO, even when it is not strictly required, given the intrinsic risk of the processing involved.
In practice, if your clinic has more than one professional, processes clinical records on a continuous basis or uses clinical management software connected to the cloud or shared with dental insurers, you are under this obligation or on its threshold. Appointing a DPO is not a discretionary expense: it is a legal requirement whose non-compliance can itself be sanctioned.
Functions of the DPO at a dental clinic
The DPO is not a lawyer who drafts clauses and disappears. Article 39 of the GDPR assigns specific and ongoing functions that must be exercised with genuine independence from the clinic's management:
- Informing and advising the controller (the clinic owner) and processors on their obligations under the GDPR and the LOPDGDD.
- Monitoring compliance with both regulations, internal data protection policies and established procedures, including the allocation of responsibilities and staff training.
- Advising on the Data Protection Impact Assessment (DPIA) where required and monitoring its implementation.
- Cooperating with the AEPD and acting as a point of contact for supervisory authorities.
- Handling patient queries about the exercise of their rights (access, rectification, erasure, objection, portability, restriction of processing).
- Managing or coordinating the response to security breaches: the GDPR requires notification to the AEPD within a maximum of 72 hours of becoming aware of a breach (Art. 33 GDPR).
In the specific context of a dental clinic, the DPO must also verify that data processing agreements with dental laboratories, insurers, financing companies and software providers comply with Article 28 of the GDPR, and that international data transfers—if the software is hosted on a server outside the EU—include the appropriate safeguards provided in Chapter V of the GDPR.
Internal DPO vs. external DPO: comparative table for dental clinics
| Criterion | Internal DPO | External DPO |
|---|---|---|
| Cost | High employment cost (salary + social security contributions); in Spain, a junior profile ranges from €35,000–50,000 gross/year | Monthly service fee; significantly lower for clinics with a single location |
| Availability | Full dedication if exclusive; conflict if other duties are accumulated | Availability agreed contractually; fast response to incidents |
| Independence | Real risk of conflict of interest if hierarchically reporting to the medical director | Structural independence guaranteed; the GDPR requires the DPO not to receive instructions regarding their functions |
| Sector knowledge | Depends on the profile hired; may require specific training in healthcare law | A specialist external DPO brings accumulated experience from multiple clinics and sector-specific AEPD criteria |
| Continuity | Risk of vacancy due to sick leave, turnover or dismissal | The provider guarantees continuous service coverage |
| Registration obligation with the AEPD | Yes, must be communicated to the AEPD (contact details published) | Yes, equally; the provider manages the registration process |
| Suitability for small and medium clinics | Rarely justifiable: volume does not offset the cost | Standard solution recommended by the AEPD for healthcare SMEs |
Article 37.6 of the GDPR expressly permits the DPO to be external to the organisation, on the basis of a service contract. The AEPD has confirmed this possibility in multiple decisions. For a dental clinic with 3 to 15 professionals, the external DPO is, in the vast majority of cases, the most efficient option and the one that best guarantees the independence the regulation requires.
If you would like to know in detail how this model works, the Summum Consultoría team has been supporting organisations in regulatory compliance since 2007: you can consult the external DPO service for details on scope, phases and working methodology.
Concrete use cases: what a DPO reviews at a dental clinic
1. Patient consent and the legal basis for processing
Not all data processing at a dental clinic is based on consent. Article 9.2 of the GDPR provides other legitimate bases for health data: the necessity for the provision of healthcare (letter h), compliance with legal obligations (Art. 6.1.c) or the vital interests of the data subject (letter d of Art. 6, or letter c of Art. 9.2). The DPO audits which legal basis underpins each processing activity and identifies the frequent errors that lead to requesting consent when the actual basis is the medical services contract or Law 41/2002.
2. Clinical management software and data processors
If the clinic uses SaaS software hosted in the cloud (Clinic Cloud, Gesden Online, Dentsply Sirona Connect…), the provider has technical access to clinical data. A data processing agreement compliant with Article 28 of the GDPR must exist, specifying the purpose, duration, nature of the processing and security measures. The DPO reviews and updates these agreements, which in many clinics either do not exist or are outdated generic forms.
3. Communications with laboratories and dental insurers
Each time the clinic sends a patient's data—diagnosis, measurements, job code—to an external dental laboratory, there is a transfer of health data. The same applies when a quote or report is sent to a dental insurer (Adeslas, Asisa, DKV, etc.). The DPO verifies that the patient is properly informed of these communications in the service contract and in the information clause under Article 13 of the GDPR.
4. WhatsApp channel with patients
Using WhatsApp Business—and, worse, the dentist's personal WhatsApp—to send appointment reminders, quotes or results is one of the most frequent non-compliances detected by the AEPD. WhatsApp (Meta Platforms Ireland) processes the metadata of communications and does not offer the guarantees of Article 28 of the GDPR for healthcare processing. The DPO recommends compliant alternatives: SMS via providers with a signed DPA, email with a privacy notice, or the communication module of the clinical management software itself.
5. Security breach management
Ransomware encrypting the server holding the X-rays, a dental assistant's laptop lost with unencrypted access to clinical software, an email with several patients' records sent to the wrong address: all three are personal data breaches that must be notified to the AEPD within 72 hours (Art. 33 GDPR) and, if they entail a high risk, also to the affected patients without undue delay (Art. 34 GDPR). The DPO prepares the internal breach management procedure and drafts the notification when an incident occurs.
6. Retention and erasure of clinical records
Law 41/2002 sets a minimum retention period for clinical records of 5 years from the discharge date, although some autonomous communities extend this period (for example, in the Basque Country the minimum period is 10 years). Once the legal period has elapsed, the storage limitation principle in Article 5.1.e of the GDPR requires the erasure or anonymisation of the data. The DPO defines the retention policy and organises periodic purges in the management software.
Documentary obligations that the DPO must keep up to date
Beyond advisory functions, the DPO is the engine of the clinic's data protection documentation system. The essential documents that must be kept current are:
- Record of Processing Activities (RoPA): mandatory for organisations with more than 250 employees (Art. 30.5 GDPR), but recommended for any clinic given that it processes high-risk data. It must include, at minimum, the purposes of processing, the categories of data subjects and data, recipients, erasure schedules and security measures.
- Information clauses (Arts. 13 and 14 GDPR): the «basic data protection information» document that the patient receives and signs at the first visit.
- Data processing agreements with all third parties that access clinic data.
- Risk analysis: documented assessment of the risks associated with each processing activity.
- Data Protection Impact Assessment (DPIA): mandatory when the processing «is likely to result in a high risk» (Art. 35 GDPR). The List of processing operations requiring a DPIA published by the AEPD in 2019 includes large-scale processing of health data, profiling of patients and the use of new diagnostic technologies.
- Security policy and breach protocols: step-by-step procedure for detecting, containing, analysing, notifying and documenting security incidents.
- Record of rights requests: log of access, rectification, erasure or objection requests received and the response time (maximum 1 month, extendable by 2 months in complex cases, Art. 12.3 GDPR).
Real AEPD sanctions in the dental and healthcare sector
The AEPD's sanctioning decisions are public and available on its electronic headquarters. Below are representative examples from the healthcare sector that illustrate real risks:
- Decision PS/00381/2022: €30,000 fine against a dental clinic for sending a patient's clinical documentation to third parties without a legal basis, violating Article 5.1.f (confidentiality) and Article 9 (health data) of the GDPR.
- Decision PS/00113/2023: €15,000 fine against a medical practice for failing to respond within the deadline to a request for access to a clinical record, in breach of Article 12 of the GDPR.
- Multiple decisions 2021–2024 against healthcare centres for the absence of a data processing agreement with the clinical software provider, with fines ranging from €5,000 to €50,000.
The AEPD has been implementing its Strategic Plan 2024–2027 since 2023, which prioritises the healthcare sector as a primary area of supervision. Ex officio inspections—initiated by the Agency itself without a complaint—are increasingly common at clinics and health centres.
To complete compliance in the healthcare sector, the Summum Consultoría team also offers the external DPO service for healthcare centres, covering everything from the initial diagnosis to the ongoing maintenance of the system.
How to implement GDPR compliance at a dental clinic: a roadmap
The process is not complicated if approached in an orderly manner. These are the typical phases of a compliance project for a dental clinic:
- Initial audit (diagnosis): inventory of all existing data processing activities, identification of compliance gaps, assessment of software and agreements with third parties. Estimated duration: 2–4 weeks.
- Development of the documentation system: drafting of the RoPA, information clauses, processing agreements and security policy. The DPO leads this phase with the participation of the clinic's responsible person.
- Staff training: dental assistants, receptionists, hygienists and dentists must know the basic protocols: how to respond to a patient exercising their rights, what to do in the event of a breach, which channels to use to communicate with patients.
- Implementation of technical measures: encryption of portable devices, configuration of permissions in the software, activation of verified backups, password review. This phase is coordinated with the clinic's IT provider (Systems area if working with the Summum group).
- Appointment and registration of the DPO: formal communication to the AEPD of the DPO's contact details (mandatory when the appointment is required by the regulation).
- Ongoing maintenance: annual review of the system, updating of agreements and documentation following changes in software or providers, management of rights requests and incidents.
Frequently asked questions
Is a sole-practitioner dental clinic required to appoint a DPO?
It depends on the volume and nature of the processing. A sole-practitioner clinic with a small number of active patients and no large-scale, systematic processing may not be strictly required to appoint a DPO under Article 37 of the GDPR. However, the AEPD recommends that any healthcare entity appoint a DPO given the high-risk nature of the data processed. Moreover, GDPR obligations that do not depend on the DPO—RoPA, information clauses, processing agreements—apply equally. Having an external DPO in a basic advisory capacity is, in any case, the safest way to manage the risk.
Can the clinic owner themselves act as DPO?
This is not recommended and, in many cases, is not compliant with the GDPR. Article 38.3 of the GDPR requires that the DPO not receive instructions when performing their tasks and not be dismissed or penalised for performing them. A dentist who is simultaneously responsible for decisions on data processing and acting as DPO has a structural conflict of interest. The AEPD has expressly noted this incompatibility in its DPO guidance. The correct solution is to appoint an independent external professional.
How long does the clinic have to respond if a patient requests access to their clinical record?
Article 12.3 of the GDPR sets a maximum period of one month from receipt of the request, extendable by a further two months in complex cases, provided that the extension is communicated to the data subject within the first month. In parallel, Law 41/2002 establishes the patient's right to access their clinical record, reinforcing the obligation. If the clinic does not respond within the deadline, the patient may lodge a complaint with the AEPD and the Agency may initiate sanctioning proceedings.
What happens if there is a security breach, for example a ransomware attack?
Article 33 of the GDPR requires the breach to be notified to the AEPD within a maximum of 72 hours of the clinic becoming aware of it, unless it is unlikely that the breach poses a risk to the rights and freedoms of patients. If the risk is high—for example, if clinical records are exposed or encrypted without possibility of recovery—patients must also be informed without undue delay (Art. 34 GDPR). The DPO coordinates the entire process: notification to the AEPD, communication to patients where required, and documentation of the incident in the internal breach register.