Data protection in clinics: GDPR guide for the healthcare sector

·

If you run a clinic, a health centre, a dental practice, a psychology practice or any private medical practice, the data you handle every day — clinical records, diagnoses, imaging results, medication — are, in legal terms, special category data. The General Data Protection Regulation (GDPR) defines them in Article 9 as deserving the highest possible level of protection, and Spanish legislation reinforces this with Organic Law 3/2018 (LOPDGDD) and Law 41/2002 on patient autonomy. The practical result: the healthcare sector is, along with the financial sector, the one that accumulates the highest penalties from the Spanish Data Protection Agency (AEPD). Knowing the rules is not optional; it is a condition for professional practice.

What is health data and why does it deserve reinforced protection?

The GDPR defines health-related data as all personal information that reveals the past, present or future physical or mental state of a person. This definition is intentionally broad. It is not limited to a medical diagnosis: it includes a mere appointment with a specialist (which already hints at a health condition), data from wearables and wellness applications, laboratory results or a pharmacological history.

The rationale for reinforced protection is twofold. On one hand, the special social sensitivity: knowing someone's health status can affect their employment, life insurance or relationships. On the other, the inherent imbalance between the healthcare professional and the patient, who is in a vulnerable position when visiting a practice. The regulation intends that this context of trust also translates into solid legal guarantees.

Regulatory framework applicable to clinics in Spain (2025-2026)

Private clinics in Spain are not governed by a single regulation, but by a layered regulatory framework that must be understood as a whole:

Regulation Scope Key aspect for clinics
GDPR (EU) 2016/679 Entire EU General framework; prohibits processing of health data except in strictly defined exceptions (Art. 9.2)
LOPDGDD (LO 3/2018) Spain Develops the GDPR; defines mandatory DPO for healthcare centres; extends data subject rights
Law 41/2002 Spain Clinical record, informed consent, patient access to their data
Law 14/1986 General Health Act Spain Obligation of professional secrecy and confidentiality
AEPD Resolutions Spain Interpretative criteria and sanctioning doctrine (published on the AEPD website)
ENS (RD 311/2022) — if applicable Spain Applicable if the clinic provides services to public administrations or connects with the NHS

The key point is that the GDPR does not replace Law 41/2002 with regard to the clinical record: both coexist and complement each other. A patient may exercise their GDPR right of access and simultaneously invoke their right of access to the clinical record. The centre must manage both channels.

The six legal bases under Article 9.2 most used by clinics

Article 9.1 of the GDPR prohibits processing health data. Article 9.2 sets out exhaustive exceptions. Private clinics typically rely on the following:

A common mistake in private clinics is to request consent as the legal basis for the primary healthcare treatment, when the correct basis is letter h). This has consequences: if the patient «withdraws» that incorrectly framed consent, the clinic could find itself in the absurd position of being unable to continue providing care. Consent should be reserved for ancillary processing: use of images for educational purposes, sending newsletters, participation in studies.

Clinical records and data protection: the most common friction points

The clinical record is the core of data processing in a clinic. Law 41/2002 states that it must be kept for at least five years from the discharge date of each care episode, although the autonomous communities may extend that period (and many do, up to ten or fifteen years). Some clinics, misapplying the GDPR minimisation principle, destroy records before the legal retention periods expire: this is a mistake that can lead to civil and disciplinary liability, as well as infringing patient autonomy legislation.

The most common friction points we encounter in the GDPR compliance projects for the healthcare sector we support at Summum Consultoria are:

The Data Protection Officer (DPO) in clinics: when is it mandatory?

Article 37 of the GDPR states that the designation of a Data Protection Officer (DPO) is mandatory when the large-scale processing of special categories of data constitutes the core activity of the controller. The question is whether a medium-sized private clinic — say, a dental practice with four chairs or a physiotherapy practice with three professionals — falls into that category.

The AEPD, in its guide on the DPO, states that processing health data of patients as the core activity of the controller (i.e., where without that processing the activity does not exist) implies a DPO obligation, even for small organisations. The LOPDGDD, in Article 34, specifies and extends this list for Spain: healthcare centres are expressly mentioned.

What many clinics do not know is that the DPO can be external. It is not necessary to hire a full-time employee; it can be a specialist professional or company providing the DPO service on an outsourced basis, provided the independence and qualification requirements of Article 38 GDPR are met. This is the most common arrangement for small to medium-sized private clinics in Spain.

Notifying data breaches within 72 hours

Article 33 of the GDPR states that, when a personal data security breach occurs, the data controller must notify the AEPD within a maximum of 72 hours of becoming aware of it, unless it is unlikely to result in a risk to the rights and freedoms of the individuals concerned.

In the healthcare sector, virtually any breach affecting clinical record data exceeds that risk threshold, so notification is almost always mandatory. Additionally, if the breach is likely to result in a high risk to those affected (for example, a large-scale disclosure of diagnoses or HIV-related data), the controller must also communicate this directly to the patients concerned.

The notification process to the AEPD is carried out through the BREACH MANAGER tool available on the AEPD's electronic headquarters. The initial 72-hour notification does not require all information to be available; Article 33.4 provides that it may be completed in phases. What is not acceptable is failing to notify because «we still do not know exactly what happened».

Fines: what the AEPD has sanctioned in the healthcare sector

The GDPR provides for fines of up to 20 million euros or 4% of total annual global turnover (whichever is higher). In practice, fines imposed on private clinics in Spain have been in more modest ranges but still financially significant for medium-sized organisations:

Beyond the financial penalty, AEPD resolutions are public and appear in its resolutions search engine. The reputational damage for a clinic that appears in that search engine can far exceed the amount of the fine itself.

The data processor: the link most often overlooked

Every clinic works with external providers that access patient data: the provider of the clinical management software (HIS, EMR), the external radiology or laboratory company, the accounting firm handling billing, the IT maintenance company with remote server access. Each of them is, in GDPR terms, a data processor.

Article 28 of the GDPR requires that the relationship with each processor be formalised through a data processing agreement (DPA) that specifies, among other things: the subject matter and duration of the processing, its nature and purpose, the type of data and the categories of data subjects, and the obligations and rights of the controller. In the absence of this agreement, both the controller and the processor commit an infringement.

The common practice — tolerating providers imposing their own terms without review — leaves the clinic in a position of risk. At Summum Consultoria we review and negotiate these contracts as part of the healthcare GDPR compliance process, because the standard clauses of major clinical software providers do not always meet all European GDPR requirements.

Basic compliance checklist for a private clinic

Without claiming to be exhaustive — each clinic has its own specific circumstances — these are the minimum elements that any private healthcare centre must have in order:

Frequently asked questions

Does a three-dentist practice need a DPO?

Yes, in all likelihood. The LOPDGDD, in Article 34, expressly states that healthcare centres are required to designate a DPO, without setting a minimum size threshold. The AEPD has confirmed this interpretation in several resolutions and in its practical guide on the DPO. The DPO can be external, which considerably reduces the cost for small clinics.

Can I send clinical results by WhatsApp if the patient asks me to?

With caution. The fact that the patient requests it does not exempt the data controller from ensuring an adequate level of security. WhatsApp uses end-to-end encryption, which offers some protection, but messages remain stored on the professional's and patient's phones without control over backups, third-party access or device loss. The AEPD's recommendation is to use channels designed for the healthcare environment (patient portals, secure messaging). If WhatsApp is used on an exceptional basis, the patient's express request and the risks assumed must be documented.

How long must I retain the clinical record?

Law 41/2002 sets a minimum of five years from the discharge date of each care episode. However, autonomous communities may extend this period through their own legislation: Catalonia, for example, requires fifteen years for the most relevant clinical documentation (under Law 16/2010, amending Law 21/2000), and in other communities the period may vary depending on the speciality. The applicable regional legislation must always be verified. In any case, destroying records before the applicable retention period expires can generate civil liability towards the patient and disciplinary liability for the professional.

What is the difference between healthcare consent and GDPR consent?

They are distinct legal concepts governed by different regulatory frameworks. Healthcare consent (regulated by Law 41/2002) is the consent given by the patient to undergo a medical procedure: it must be informed, free, specific and documented. GDPR consent (Article 7 of the Regulation) is the legal basis that legitimises a specific processing of personal data. For ordinary clinical treatment, the legal basis is usually not GDPR consent, but letter h) of Article 9.2 (healthcare). Mixing both in a single document without distinguishing them is a frequent mistake that creates confusion about exactly what the patient is authorising and may invalidate both types of consent.