Proteccion de datos

Healthcare GDPR

Health data is the most protected category under the GDPR: incorrect handling can trigger fines of up to €20 million or 4% of global turnover. We help clinics, medical practices, diagnostic centres and care homes comply precisely, without disrupting day-to-day patient care.

Applicable regulationGDPR (EU) 2016/679 · LOPDGDD 3/2018
ProfileClinics, medical practices, diagnostic centres, care homes
DeliveryOn-site and remote · Castilla y León and Canary Islands

The healthcare sector handles exceptionally sensitive data: diagnoses, treatments, test results, clinical histories. Article 9 of the GDPR classifies these as special category data and requires reinforced technical and organisational measures. For a private health centre or specialist practice, this is not optional red tape: the Spanish Data Protection Agency (AEPD) has imposed multi-million-euro sanctions on dental clinics, laboratories and hospitals for deficiencies in consent management, uncontrolled access or late breach notification.

The most common problem is not bad intent but disorganisation: incomplete records of processing activities, informed consent forms that conflate clinical and commercial purposes, inadequate contracts with clinical software providers or cleaning services, and the absence of a real incident response protocol. When a data leak or an AEPD complaint arises, the centre discovers it has no documentation to demonstrate it acted correctly.

Summum Consultoría has been supporting organisations through compliance projects since 2007. In the healthcare sector we work side by side with the centre manager to build a data protection system the team can maintain day to day, without relying on an external lawyer for every question. We coordinate with Summum Sistemas when the solution requires strengthening technical controls in clinical software, and with Summum IA when the centre uses AI-assisted diagnostic tools or automated data processing.

The Healthcare GDPR process.

The process · four stages
01

Initial diagnostic

Analysis of the centre's data flows: what information is collected, who accesses it, with which systems and under which contracts. We identify the gaps against the GDPR and LOPDGDD 3/2018 and prioritise actions according to actual risk.

02

Documentary implementation

We draft or update the record of processing activities, privacy policies and informed consent forms differentiated by purpose (clinical care, research, communications). We review and complete contracts with data processors: laboratories, clinical software, outsourced services.

03

Technical and organisational measures

We define the access control policy, password management, encryption of clinical records and query traceability. We establish the procedure for notifying breaches to the AEPD within 72 hours and the protocol for handling patients' rights requests (access, rectification, erasure, portability).

04

Training and ongoing maintenance

We train administrative and clinical staff on their specific obligations. We provide an annual system review, updates in response to regulatory changes and, optionally, the external Data Protection Officer (DPO) service that the GDPR requires of certain healthcare centres.

What is included

What Healthcare GDPR includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Record of processing activities

    The central document required by Article 30 GDPR. We prepare it for all the centre's processing activities: clinical records, appointment management, billing, video surveillance, human resources.

  • Data Protection Impact Assessment (DPIA)

    Mandatory when processing entails high risk (automated diagnostic systems, genetic data, large-scale processing). We carry out the analysis and document the measures adopted.

  • Data processor contracts

    Review and signing of agreements with clinical software providers, external laboratories, cleaning and maintenance services, telephony and any third party that accesses the centre's data.

  • Consents and information clauses

    Drafting of informed consent forms differentiated by purpose, GDPR clauses in patient contracts, legal notices and cookie policies adapted to healthcare activity.

  • Security breach protocol

    Internal procedure for detection, containment, notification to the AEPD within 72 hours and communication to affected individuals where required, in accordance with Article 33 GDPR.

  • External DPO (optional)

    Data Protection Officer service for centres required to appoint one (clinics with large-scale processing of health data) or that wish to have an independent expert accredited with the AEPD.

Summum cluster

How it connects with its sisters.

Healthcare regulatory compliance cuts across all five divisions of Grupo Summum: legal consultancy is our responsibility, technical controls in clinical software are reinforced by Summum Sistemas, and AI-assisted diagnostic or healthcare AI projects are supported by Summum IA through the lens of the AI Act and the GDPR.

Frequently asked questions about Healthcare GDPR.

Which healthcare centres are required to appoint a DPO?

The GDPR requires a Data Protection Officer to be appointed by controllers whose core activity is the large-scale processing of special categories of data (Article 37.1.c). The AEPD has indicated that hospitals, clinics with a significant patient volume and clinical analysis laboratories fall within this obligation. For individual practices or small centres it is not always mandatory, but it is highly advisable as a proactive accountability measure.

What happens if a patient requests the deletion of their data?

The right to erasure under Article 17 GDPR has relevant exceptions in healthcare: clinical history data must be retained in accordance with regional health legislation (typically 5 years from discharge, although this varies by autonomous community). The centre must respond within one month, explain the legal basis for retention and erase only the data not covered by that legal obligation.

How long do we have to notify the AEPD of a data breach?

Article 33 of the GDPR sets a maximum deadline of 72 hours from the moment the controller becomes aware of the breach, provided it is likely to result in a risk to the rights of those affected. In healthcare, almost any breach involving clinical records exceeds that threshold. Late notification or failure to notify are serious infringements. Having the protocol prepared in advance is the only practical way to meet the deadline.

Is medical informed consent the same as GDPR consent?

They are not the same. Patient informed consent for a medical procedure or treatment is governed by Law 41/2002 on patient autonomy. Consent for the processing of personal data is regulated by the GDPR and has its own requirements: it must be freely given, informed, specific and unambiguous, and separate by purpose. A single document may cover both aspects, but it must be drafted carefully so that both sections are legally correct.

What about clinical management software providers?

They are data processors and the centre is required to sign a data processing agreement with them under Article 28 GDPR, governing what data they handle, for what purpose, for how long and what security measures they apply. If the provider does not offer such an agreement or its terms are deficient, the centre remains liable to the AEPD. We review those contracts as part of the compliance project.