If you run a clinic, a health centre, a dental practice, a psychology practice or any private medical practice, the data you handle every day — clinical records, diagnoses, imaging results, medication — are, in legal terms, special category data. The General Data Protection Regulation (GDPR) defines them in Article 9 as deserving the highest possible level of protection, and Spanish legislation reinforces this with Organic Law 3/2018 (LOPDGDD) and Law 41/2002 on patient autonomy. The practical result: the healthcare sector is, along with the financial sector, the one that accumulates the highest penalties from the Spanish Data Protection Agency (AEPD). Knowing the rules is not optional; it is a condition for professional practice.
What is health data and why does it deserve reinforced protection?
The GDPR defines health-related data as all personal information that reveals the past, present or future physical or mental state of a person. This definition is intentionally broad. It is not limited to a medical diagnosis: it includes a mere appointment with a specialist (which already hints at a health condition), data from wearables and wellness applications, laboratory results or a pharmacological history.
The rationale for reinforced protection is twofold. On one hand, the special social sensitivity: knowing someone's health status can affect their employment, life insurance or relationships. On the other, the inherent imbalance between the healthcare professional and the patient, who is in a vulnerable position when visiting a practice. The regulation intends that this context of trust also translates into solid legal guarantees.
Regulatory framework applicable to clinics in Spain (2025-2026)
Private clinics in Spain are not governed by a single regulation, but by a layered regulatory framework that must be understood as a whole:
| Regulation | Scope | Key aspect for clinics |
|---|---|---|
| GDPR (EU) 2016/679 | Entire EU | General framework; prohibits processing of health data except in strictly defined exceptions (Art. 9.2) |
| LOPDGDD (LO 3/2018) | Spain | Develops the GDPR; defines mandatory DPO for healthcare centres; extends data subject rights |
| Law 41/2002 | Spain | Clinical record, informed consent, patient access to their data |
| Law 14/1986 General Health Act | Spain | Obligation of professional secrecy and confidentiality |
| AEPD Resolutions | Spain | Interpretative criteria and sanctioning doctrine (published on the AEPD website) |
| ENS (RD 311/2022) — if applicable | Spain | Applicable if the clinic provides services to public administrations or connects with the NHS |
The key point is that the GDPR does not replace Law 41/2002 with regard to the clinical record: both coexist and complement each other. A patient may exercise their GDPR right of access and simultaneously invoke their right of access to the clinical record. The centre must manage both channels.
The six legal bases under Article 9.2 most used by clinics
Article 9.1 of the GDPR prohibits processing health data. Article 9.2 sets out exhaustive exceptions. Private clinics typically rely on the following:
- a) Explicit consent of the patient: the most direct route. It requires consent to be free, specific, informed and unambiguous. Generic consent buried in small print is not sufficient.
- h) Healthcare and medical treatment: the main legal basis for ordinary clinical treatment. It allows data to be processed without requesting repeated consent each time, provided a care relationship exists and processing is carried out by staff bound by professional secrecy.
- i) Public interest in the area of public health: relevant to clinics that collaborate with public health programmes, epidemiological surveillance or communicable disease control.
- j) Scientific or statistical research purposes: applicable to clinical trials and retrospective studies, always with the additional safeguards required (anonymisation, ethics committees, etc.).
A common mistake in private clinics is to request consent as the legal basis for the primary healthcare treatment, when the correct basis is letter h). This has consequences: if the patient «withdraws» that incorrectly framed consent, the clinic could find itself in the absurd position of being unable to continue providing care. Consent should be reserved for ancillary processing: use of images for educational purposes, sending newsletters, participation in studies.
Clinical records and data protection: the most common friction points
The clinical record is the core of data processing in a clinic. Law 41/2002 states that it must be kept for at least five years from the discharge date of each care episode, although the autonomous communities may extend that period (and many do, up to ten or fifteen years). Some clinics, misapplying the GDPR minimisation principle, destroy records before the legal retention periods expire: this is a mistake that can lead to civil and disciplinary liability, as well as infringing patient autonomy legislation.
The most common friction points we encounter in the GDPR compliance projects for the healthcare sector we support at Summum Consultoria are:
- Unrestricted access to the clinical management software by all staff, without differentiated user profiles by role.
- Sending data through unencrypted channels: X-rays or reports via WhatsApp, results by unencrypted email.
- Informed consent forms that mix healthcare aspects (Law 41/2002) with data protection aspects (GDPR) without clearly distinguishing between the two.
- Clinical software providers without a signed data processing agreement, or with 2018-era contracts that do not cover sub-processor arrangements.
- Absence of a Record of Processing Activities (RoPA), mandatory under Article 30 of the GDPR for virtually any organisation processing special category data.
- CCTV cameras in waiting rooms without the required signage or proper handling of the footage.
The Data Protection Officer (DPO) in clinics: when is it mandatory?
Article 37 of the GDPR states that the designation of a Data Protection Officer (DPO) is mandatory when the large-scale processing of special categories of data constitutes the core activity of the controller. The question is whether a medium-sized private clinic — say, a dental practice with four chairs or a physiotherapy practice with three professionals — falls into that category.
The AEPD, in its guide on the DPO, states that processing health data of patients as the core activity of the controller (i.e., where without that processing the activity does not exist) implies a DPO obligation, even for small organisations. The LOPDGDD, in Article 34, specifies and extends this list for Spain: healthcare centres are expressly mentioned.
What many clinics do not know is that the DPO can be external. It is not necessary to hire a full-time employee; it can be a specialist professional or company providing the DPO service on an outsourced basis, provided the independence and qualification requirements of Article 38 GDPR are met. This is the most common arrangement for small to medium-sized private clinics in Spain.
Notifying data breaches within 72 hours
Article 33 of the GDPR states that, when a personal data security breach occurs, the data controller must notify the AEPD within a maximum of 72 hours of becoming aware of it, unless it is unlikely to result in a risk to the rights and freedoms of the individuals concerned.
In the healthcare sector, virtually any breach affecting clinical record data exceeds that risk threshold, so notification is almost always mandatory. Additionally, if the breach is likely to result in a high risk to those affected (for example, a large-scale disclosure of diagnoses or HIV-related data), the controller must also communicate this directly to the patients concerned.
The notification process to the AEPD is carried out through the BREACH MANAGER tool available on the AEPD's electronic headquarters. The initial 72-hour notification does not require all information to be available; Article 33.4 provides that it may be completed in phases. What is not acceptable is failing to notify because «we still do not know exactly what happened».
Fines: what the AEPD has sanctioned in the healthcare sector
The GDPR provides for fines of up to 20 million euros or 4% of total annual global turnover (whichever is higher). In practice, fines imposed on private clinics in Spain have been in more modest ranges but still financially significant for medium-sized organisations:
- Unauthorised access to clinical records by staff without authorisation: recurring fines in the range of 50,000 to 150,000 euros.
- Inadequate technical security measures (unpatched software, weak passwords, no encryption): fines of 20,000 to 60,000 euros.
- Transfer of data to third parties without a legal basis (insurers, marketing companies) without explicit consent: some fines have exceeded 200,000 euros.
- Failure to fulfil the duty to inform at the point of data collection (missing GDPR clause or defective clause): frequent fines of 5,000 to 30,000 euros.
Beyond the financial penalty, AEPD resolutions are public and appear in its resolutions search engine. The reputational damage for a clinic that appears in that search engine can far exceed the amount of the fine itself.
The data processor: the link most often overlooked
Every clinic works with external providers that access patient data: the provider of the clinical management software (HIS, EMR), the external radiology or laboratory company, the accounting firm handling billing, the IT maintenance company with remote server access. Each of them is, in GDPR terms, a data processor.
Article 28 of the GDPR requires that the relationship with each processor be formalised through a data processing agreement (DPA) that specifies, among other things: the subject matter and duration of the processing, its nature and purpose, the type of data and the categories of data subjects, and the obligations and rights of the controller. In the absence of this agreement, both the controller and the processor commit an infringement.
The common practice — tolerating providers imposing their own terms without review — leaves the clinic in a position of risk. At Summum Consultoria we review and negotiate these contracts as part of the healthcare GDPR compliance process, because the standard clauses of major clinical software providers do not always meet all European GDPR requirements.
Basic compliance checklist for a private clinic
Without claiming to be exhaustive — each clinic has its own specific circumstances — these are the minimum elements that any private healthcare centre must have in order:
- Updated and documented Record of Processing Activities (RoPA).
- GDPR information clauses integrated into data collection forms (admission, appointment, etc.).
- Privacy policy published on the website and on the physical premises.
- DPO designated (internal or external) and notified to the AEPD.
- Data processing agreements signed with all relevant providers.
- Risk analysis carried out and, if required by the processing, a Data Protection Impact Assessment (DPIA) documented.
- Internal data breach management procedure (who notifies, within what timeframe, how).
- Procedure for handling ARCO+ rights (access, rectification, erasure, objection, restriction, portability).
- Annual staff training on data protection and confidentiality.
- Technical controls: access profiles, encryption of mobile devices, backups, security patches.
Frequently asked questions
Does a three-dentist practice need a DPO?
Yes, in all likelihood. The LOPDGDD, in Article 34, expressly states that healthcare centres are required to designate a DPO, without setting a minimum size threshold. The AEPD has confirmed this interpretation in several resolutions and in its practical guide on the DPO. The DPO can be external, which considerably reduces the cost for small clinics.
Can I send clinical results by WhatsApp if the patient asks me to?
With caution. The fact that the patient requests it does not exempt the data controller from ensuring an adequate level of security. WhatsApp uses end-to-end encryption, which offers some protection, but messages remain stored on the professional's and patient's phones without control over backups, third-party access or device loss. The AEPD's recommendation is to use channels designed for the healthcare environment (patient portals, secure messaging). If WhatsApp is used on an exceptional basis, the patient's express request and the risks assumed must be documented.
How long must I retain the clinical record?
Law 41/2002 sets a minimum of five years from the discharge date of each care episode. However, autonomous communities may extend this period through their own legislation: Catalonia, for example, requires fifteen years for the most relevant clinical documentation (under Law 16/2010, amending Law 21/2000), and in other communities the period may vary depending on the speciality. The applicable regional legislation must always be verified. In any case, destroying records before the applicable retention period expires can generate civil liability towards the patient and disciplinary liability for the professional.
What is the difference between healthcare consent and GDPR consent?
They are distinct legal concepts governed by different regulatory frameworks. Healthcare consent (regulated by Law 41/2002) is the consent given by the patient to undergo a medical procedure: it must be informed, free, specific and documented. GDPR consent (Article 7 of the Regulation) is the legal basis that legitimises a specific processing of personal data. For ordinary clinical treatment, the legal basis is usually not GDPR consent, but letter h) of Article 9.2 (healthcare). Mixing both in a single document without distinguishing them is a frequent mistake that creates confusion about exactly what the patient is authorising and may invalidate both types of consent.