External DPO for Dental Clinics: A Guide

·

A dental clinic set up as a healthcare facility and legally required to keep clinical records must appoint a data protection officer (DPO). The LOPDGDD (Spain's Organic Law 3/2018 on Data Protection) exempts healthcare professionals who practise individually, but applying that exemption requires examining the clinic's actual structure: staff, corporate form, authorised facility status, shared resources and who effectively controls the data. The DPO can be external, must act independently, and does not take over the clinic's own responsibility.

When Is a DPO Mandatory in Dental Practice

Article 37 of the GDPR requires a DPO to be appointed by public authorities and bodies, by controllers whose core activity involves regular and systematic monitoring of individuals on a large scale, and by controllers carrying out large-scale processing of special categories of data, among other cases.

In Spain, Article 34.1.l of the LOPDGDD expressly adds healthcare facilities that are legally required to keep clinical records. It exempts healthcare professionals who, even though subject to that obligation, practise on an individual basis.

The AEPD (Spanish DPA) states that both public and private healthcare facilities must have a DPO, while the exemption applies to professionals acting privately in an individual capacity. A clinic with its own legal entity, authorisation as a healthcare facility, several practitioners or an organised structure should therefore not assume the exemption applies without a documented analysis.

Indicative Decision Matrix

Situation Initial assessment Recommended action
Individual dentist, no facility structure May fall under the exemption Document the form of practice and check GDPR Article 37
Dental clinic set up as a healthcare facility DPO mandatory Appoint and notify the DPO
Company with several surgeries or practitioners Usually a healthcare facility Assess controllers and appoint a DPO
Practitioner working within another clinic The facility is usually the controller Confirm contractual roles
Group with shared facilities and services Coordinated, complex processing Define controllers and DPO scope

The decision should not be based on patient volume alone. Under Spanish law, what matters is whether the practice qualifies as a healthcare facility and is legally required to keep clinical records.

What an External DPO Brings to the Table

The DPO informs and advises, monitors compliance, takes part in data protection impact assessments, cooperates with the supervisory authority and acts as a point of contact. The DPO must be given timely access to projects and decisions that affect personal data.

An external service can bring specialist expertise and continuity without creating an in-house position, but it must preserve independence. The contract needs to set out scope, availability, team composition, cover arrangements, confidentiality, a direct line to management and the absence of conflicts of interest.

The DPO cannot decide the purposes and means of processing and then supervise their own decisions. For example, whoever runs IT, marketing or data exploitation may face a conflict of interest if they determine the very processing they are meant to oversee.

Appointment and Notification

The clinic must:

  1. Identify the controller entity or the group's entities.
  2. Approve the appointment and document independence and resources.
  3. Notify the DPO's contact details to the AEPD through the designated channel.
  4. Publish an accessible contact point for patients.
  5. Inform staff internally about when the DPO must be consulted.
  6. Guarantee access to management, free from instructions on the DPO's conclusions.

A single DPO can be designated for several entities as long as they remain accessible and have sufficient capacity. The contract should avoid promising a level of attention that cannot realistically be delivered.

Mapping a Dental Clinic's Processing Activities

The clinical record is central, but it is not the only processing activity:

Each activity needs its own purpose, legal basis, data categories, recipients, retention periods, security measures and controller. Consent should not be used as a one-size-fits-all legal basis. Healthcare provision and statutory obligations can provide specific bases; marketing or the publication of images each require separate analysis.

Clinical Records: Custody and Access

Ley 41/2002 (Spain's Patient Autonomy Law) requires healthcare facilities to keep active, diligent custody of clinical records. Access must be justified by care-related, administrative or legal duties. Not all staff need to see the full record.

Minimum controls:

Clinical conversations should not take place on personal messaging accounts. Where a platform is used, its contract, security, metadata handling, data location, backups and sub-processors must all be assessed.

Photographs, X-Rays and Clinical Case Studies

Clinical images are health data whenever they can be linked to a person or reveal care-related information. Using them for diagnosis is part of treatment; using them on a website, on social media, for training or at conferences is a separate purpose.

Before reusing an image, the clinic must confirm a valid legal basis exists, limit identifying features, and explain the channel, audience, duration and how the image can be withdrawn. Blacking out the eyes does not guarantee anonymisation: teeth, facial features, voice, dates and context can all lead to re-identification.

Teaching material must be kept separate from the operational file and properly protected. If the person can still be identified, it remains personal data.

Vendors and Data Processors

Clinical software providers, cloud services, support desks, dental labs, document-destruction companies, call centres and backup providers may all access data on the clinic's behalf. It must be checked whether each one acts as a processor, an independent controller, or both, depending on the specific operation.

For processors, GDPR Article 28 requires a contract setting out the subject matter, duration, nature, purpose, data types, categories of data subjects and obligations involved. The vendor must offer sufficient guarantees, control its sub-processors, assist with rights requests and incidents, and return or delete the data once the relationship ends.

Minimum Due Diligence

A signed contract is no substitute for technical verification.

Patient Rights

The clinic must provide a channel for access, rectification, erasure, restriction, objection and other rights requests. Requesters should be identified without asking for disproportionate information, and each request logged with its date, scope and response.

Access to the clinical record must be coordinated with Ley 41/2002 and must protect subjective clinical notes and third-party rights under the applicable terms. Rectifying an administrative detail is not the same as deleting a clinical assessment; the record's integrity and traceability must be preserved.

Erasure is not automatic where a retention obligation exists or the data may be needed to establish liability. A category-based retention policy, with blocking where appropriate, should be applied — data should never be kept indefinitely just in case.

Security Breaches

A clinic must be able to detect, contain and assess incidents such as a lost laptop, ransomware, an email sent to the wrong recipient, access by a former employee, or exposed backups.

The procedure should include:

  1. An immediate internal reporting channel.
  2. Containment and preservation of evidence.
  3. Identification of the data and people affected.
  4. Likely consequences.
  5. Measures taken.
  6. A decision on notifying the AEPD within the applicable deadline.
  7. Communication to affected individuals where there is high risk.
  8. A record of every breach, whether or not it is notified.

The vendor must notify the controller without undue delay. The contract needs an operational deadline stricter than the controller's own maximum notification period.

Data Protection Impact Assessment

Not every clinic needs a DPIA for every processing activity, but one must be considered whenever high risk is likely: new technologies, biometrics, systematic monitoring, large-scale data combination, clinical AI tools or significant profiling.

The DPIA describes the processing, its necessity, proportionality, risks to individuals and mitigating measures. The DPO advises, but the clinic approves the assessment and bears the residual risk.

The External DPO's Annual Plan

At the outset

Every quarter

Every year

The report should clearly distinguish non-compliance issues, risks, recommendations and decisions accepted by management.

How to Choose an External DPO

The choice should not be based on price alone, or on who hands over the most templates. It is worth assessing:

Ask how many actual hours are included, who will be handling the account, how advice is documented, and what happens in the event of a breach. A formal appointment with no real involvement defeats the purpose of the role.

Common Mistakes

  1. Applying the individual-professional exemption to an organised clinic.
  2. Appointing a DPO without notifying the authority or publishing contact details.
  3. Making the DPO report to whoever decides on the processing they oversee.
  4. Relying on consent for all healthcare processing.
  5. Sharing clinical software accounts.
  6. Sending clinical records through personal channels.
  7. Publishing clinical cases with insufficient anonymisation.
  8. Signing contracts without checking sub-processors or backups.
  9. Keeping everything indefinitely.
  10. Notifying the DPO of projects or incidents too late.

Implementation Checklist

Frequently Asked Questions

Does every dental practice need a DPO?

Not necessarily. The LOPDGDD exempts healthcare professionals who practise individually. A clinic or company organised as a healthcare facility must be assessed differently.

Can the DPO be external?

Yes. They must have the necessary expertise, independence, resources and accessibility.

Is the DPO liable for a penalty?

Liability for compliance rests with the controller or processor. The DPO advises and monitors independently.

Can the DPO also head IT?

A conflict can arise if that person determines the purposes and means of processing. What matters is the actual function performed, not just the job title.

Is consent required to process the clinical record?

Healthcare provision usually relies on other legal bases and exemptions. Patients must still be informed, and each additional purpose analysed separately.

Can the clinic use WhatsApp?

The decision should not be based on popularity alone. The clinic must assess the contract, security, metadata, device, purpose, available alternatives and the patient's reasonable expectations.

Official Sources Consulted

Summum Consultoría can take on the external DPO role with a risk-based plan. The appointment does not replace the clinic's own decisions or specific healthcare advice.