A dental clinic set up as a healthcare facility and legally required to keep clinical records must appoint a data protection officer (DPO). The LOPDGDD (Spain's Organic Law 3/2018 on Data Protection) exempts healthcare professionals who practise individually, but applying that exemption requires examining the clinic's actual structure: staff, corporate form, authorised facility status, shared resources and who effectively controls the data. The DPO can be external, must act independently, and does not take over the clinic's own responsibility.
When Is a DPO Mandatory in Dental Practice
Article 37 of the GDPR requires a DPO to be appointed by public authorities and bodies, by controllers whose core activity involves regular and systematic monitoring of individuals on a large scale, and by controllers carrying out large-scale processing of special categories of data, among other cases.
In Spain, Article 34.1.l of the LOPDGDD expressly adds healthcare facilities that are legally required to keep clinical records. It exempts healthcare professionals who, even though subject to that obligation, practise on an individual basis.
The AEPD (Spanish DPA) states that both public and private healthcare facilities must have a DPO, while the exemption applies to professionals acting privately in an individual capacity. A clinic with its own legal entity, authorisation as a healthcare facility, several practitioners or an organised structure should therefore not assume the exemption applies without a documented analysis.
Indicative Decision Matrix
| Situation | Initial assessment | Recommended action |
|---|---|---|
| Individual dentist, no facility structure | May fall under the exemption | Document the form of practice and check GDPR Article 37 |
| Dental clinic set up as a healthcare facility | DPO mandatory | Appoint and notify the DPO |
| Company with several surgeries or practitioners | Usually a healthcare facility | Assess controllers and appoint a DPO |
| Practitioner working within another clinic | The facility is usually the controller | Confirm contractual roles |
| Group with shared facilities and services | Coordinated, complex processing | Define controllers and DPO scope |
The decision should not be based on patient volume alone. Under Spanish law, what matters is whether the practice qualifies as a healthcare facility and is legally required to keep clinical records.
What an External DPO Brings to the Table
The DPO informs and advises, monitors compliance, takes part in data protection impact assessments, cooperates with the supervisory authority and acts as a point of contact. The DPO must be given timely access to projects and decisions that affect personal data.
An external service can bring specialist expertise and continuity without creating an in-house position, but it must preserve independence. The contract needs to set out scope, availability, team composition, cover arrangements, confidentiality, a direct line to management and the absence of conflicts of interest.
The DPO cannot decide the purposes and means of processing and then supervise their own decisions. For example, whoever runs IT, marketing or data exploitation may face a conflict of interest if they determine the very processing they are meant to oversee.
Appointment and Notification
The clinic must:
- Identify the controller entity or the group's entities.
- Approve the appointment and document independence and resources.
- Notify the DPO's contact details to the AEPD through the designated channel.
- Publish an accessible contact point for patients.
- Inform staff internally about when the DPO must be consulted.
- Guarantee access to management, free from instructions on the DPO's conclusions.
A single DPO can be designated for several entities as long as they remain accessible and have sufficient capacity. The contract should avoid promising a level of attention that cannot realistically be delivered.
Mapping a Dental Clinic's Processing Activities
The clinical record is central, but it is not the only processing activity:
- Admission, appointments and reminders.
- Clinical history, tests, X-rays, photographs and diagnosis.
- Prescriptions, treatment and follow-up.
- Billing, financing and insurers.
- Dental laboratory and other practitioners.
- CCTV and access control.
- Staff recruitment and management.
- Marketing, website, cookies and social media.
- Communications by email, messaging apps or phone.
- Research or teaching activities, where applicable.
- Handling of rights requests, complaints and incidents.
Each activity needs its own purpose, legal basis, data categories, recipients, retention periods, security measures and controller. Consent should not be used as a one-size-fits-all legal basis. Healthcare provision and statutory obligations can provide specific bases; marketing or the publication of images each require separate analysis.
Clinical Records: Custody and Access
Ley 41/2002 (Spain's Patient Autonomy Law) requires healthcare facilities to keep active, diligent custody of clinical records. Access must be justified by care-related, administrative or legal duties. Not all staff need to see the full record.
Minimum controls:
- Individual identities, not shared accounts.
- Access profiles by role and facility.
- Strong authentication for remote access.
- Screen locking and managed devices.
- Access logging and periodic reviews.
- Encryption of laptops, backups and communications.
- Immediate deprovisioning procedure.
- Tested business continuity and restoration.
Clinical conversations should not take place on personal messaging accounts. Where a platform is used, its contract, security, metadata handling, data location, backups and sub-processors must all be assessed.
Photographs, X-Rays and Clinical Case Studies
Clinical images are health data whenever they can be linked to a person or reveal care-related information. Using them for diagnosis is part of treatment; using them on a website, on social media, for training or at conferences is a separate purpose.
Before reusing an image, the clinic must confirm a valid legal basis exists, limit identifying features, and explain the channel, audience, duration and how the image can be withdrawn. Blacking out the eyes does not guarantee anonymisation: teeth, facial features, voice, dates and context can all lead to re-identification.
Teaching material must be kept separate from the operational file and properly protected. If the person can still be identified, it remains personal data.
Vendors and Data Processors
Clinical software providers, cloud services, support desks, dental labs, document-destruction companies, call centres and backup providers may all access data on the clinic's behalf. It must be checked whether each one acts as a processor, an independent controller, or both, depending on the specific operation.
For processors, GDPR Article 28 requires a contract setting out the subject matter, duration, nature, purpose, data types, categories of data subjects and obligations involved. The vendor must offer sufficient guarantees, control its sub-processors, assist with rights requests and incidents, and return or delete the data once the relationship ends.
Minimum Due Diligence
- Storage and support regions.
- Sub-processors and how changes are notified.
- Encryption, authentication and logging.
- Backups, RTO and RPO.
- Use of data for analytics or model training.
- Full, readable data export.
- Deletion on termination, with evidence.
- Incident notification and SLAs.
- International transfers and safeguards.
A signed contract is no substitute for technical verification.
Patient Rights
The clinic must provide a channel for access, rectification, erasure, restriction, objection and other rights requests. Requesters should be identified without asking for disproportionate information, and each request logged with its date, scope and response.
Access to the clinical record must be coordinated with Ley 41/2002 and must protect subjective clinical notes and third-party rights under the applicable terms. Rectifying an administrative detail is not the same as deleting a clinical assessment; the record's integrity and traceability must be preserved.
Erasure is not automatic where a retention obligation exists or the data may be needed to establish liability. A category-based retention policy, with blocking where appropriate, should be applied — data should never be kept indefinitely just in case.
Security Breaches
A clinic must be able to detect, contain and assess incidents such as a lost laptop, ransomware, an email sent to the wrong recipient, access by a former employee, or exposed backups.
The procedure should include:
- An immediate internal reporting channel.
- Containment and preservation of evidence.
- Identification of the data and people affected.
- Likely consequences.
- Measures taken.
- A decision on notifying the AEPD within the applicable deadline.
- Communication to affected individuals where there is high risk.
- A record of every breach, whether or not it is notified.
The vendor must notify the controller without undue delay. The contract needs an operational deadline stricter than the controller's own maximum notification period.
Data Protection Impact Assessment
Not every clinic needs a DPIA for every processing activity, but one must be considered whenever high risk is likely: new technologies, biometrics, systematic monitoring, large-scale data combination, clinical AI tools or significant profiling.
The DPIA describes the processing, its necessity, proportionality, risks to individuals and mitigating measures. The DPO advises, but the clinic approves the assessment and bears the residual risk.
The External DPO's Annual Plan
At the outset
- Confirm controllers, facilities and the appointment.
- Inventory processing activities, systems and vendors.
- Review past incidents, complaints and audits.
- Draw up a risk-based plan.
Every quarter
- Review access grants and removals.
- Sample-check contracts and vendors.
- Verify rights requests and breaches.
- Report risks and pending decisions to management.
Every year
- Audit clinical records, security and retention.
- Test a data restoration and a simulated incident.
- Review training and competence.
- Update the processing register, risk assessments and DPIAs.
- Issue an independent report to management.
The report should clearly distinguish non-compliance issues, risks, recommendations and decisions accepted by management.
How to Choose an External DPO
The choice should not be based on price alone, or on who hands over the most templates. It is worth assessing:
- Healthcare and technical knowledge.
- Team and continuity.
- Independence and conflicts of interest.
- Response times.
- Ability to audit vendors and systems.
- Experience with incidents and DPIAs.
- Reports that are genuinely useful to management.
- Clear boundaries on the scope of the service.
Ask how many actual hours are included, who will be handling the account, how advice is documented, and what happens in the event of a breach. A formal appointment with no real involvement defeats the purpose of the role.
Common Mistakes
- Applying the individual-professional exemption to an organised clinic.
- Appointing a DPO without notifying the authority or publishing contact details.
- Making the DPO report to whoever decides on the processing they oversee.
- Relying on consent for all healthcare processing.
- Sharing clinical software accounts.
- Sending clinical records through personal channels.
- Publishing clinical cases with insufficient anonymisation.
- Signing contracts without checking sub-processors or backups.
- Keeping everything indefinitely.
- Notifying the DPO of projects or incidents too late.
Implementation Checklist
- DPO obligation assessed and documented.
- Appointment notified and contact details published.
- Independence, resources and access to management guaranteed.
- Processing activities and legal bases inventoried.
- Record access controlled by role and logged.
- Vendors assessed and Article 28 contracts reviewed.
- Rights requests, retention and blocking covered by procedures.
- Breach response and restoration tested.
- Photographs and communications separated by purpose.
- DPIA carried out where required.
- Annual plan and management reports in place.
Frequently Asked Questions
Does every dental practice need a DPO?
Not necessarily. The LOPDGDD exempts healthcare professionals who practise individually. A clinic or company organised as a healthcare facility must be assessed differently.
Can the DPO be external?
Yes. They must have the necessary expertise, independence, resources and accessibility.
Is the DPO liable for a penalty?
Liability for compliance rests with the controller or processor. The DPO advises and monitors independently.
Can the DPO also head IT?
A conflict can arise if that person determines the purposes and means of processing. What matters is the actual function performed, not just the job title.
Is consent required to process the clinical record?
Healthcare provision usually relies on other legal bases and exemptions. Patients must still be informed, and each additional purpose analysed separately.
Can the clinic use WhatsApp?
The decision should not be based on popularity alone. The clinic must assess the contract, security, metadata, device, purpose, available alternatives and the patient's reasonable expectations.
Official Sources Consulted
- GDPR, in particular Articles 9, 28 and 32–39.
- LOPDGDD (Spain's Organic Law 3/2018 on Data Protection), Article 34.1.l.
- Ley 41/2002 (Spain's Patient Autonomy Law).
- AEPD (Spanish DPA): guide for healthcare professionals.
- AEPD (Spanish DPA): guide for patients and healthcare users.
Summum Consultoría can take on the external DPO role with a risk-based plan. The appointment does not replace the clinic's own decisions or specific healthcare advice.