Spain: AEPD adds section on health and data protection

The Spanish data protection authority ('AEPD') added, on 3 May 2022, a new section on health and data protection under the 'Areas of action' section of its portal. The new section comprises six sub-sections. Firstly, sub-section one outlines rights in relation to health data, explaining the regime under Article 9 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), how to exercise the right of access under Article 18 of Law 41/2002, of November 14, which regulates basic patient autonomy and rights and obligations in terms of information and clinical documentation, how a claim can be submitted to the AEPD where the right of access is denied, the retention of clinical histories, and the limitations to the right of deletion. Secondly, sub-section two focuses on relevant reports and guides prepared by the AEPD, including the Guide to data protection in labour relations, and reports by the Legal Cabinet of the AEPD grouped under key themes, including clinical history, clinical trials, and occupational health. Thirdly, sub-section three looks at data protection and COVID-19, bringing together all resources prepared by the AEPD in relation to COVID-19.

Fourthly, sub-section four addresses health research and clinical trials, compiling relevant guidance as well as the Code of Conduct regulating the processing of personal data in the field of clinical trials and other clinical research and pharmacovigilance. Fifthly, sub-section five looks at health-related claims and outlines, among other things, that the AEPD has received multiple complaints regarding the exercise of rights to medical records, access to the clinical history of deceased patients by their direct relatives, and unlawful access to medical records by medical professionals. Sixthly, sub-section six focuses on personal data breaches in the healthcare sector, outlining the obligations of data controllers and the measures that should be taken to ensure compliance with the GDPR. It highlights that, in the case of health data processing, there will be risk factors that go beyond special categories of data being processed, and risk factors that will depend on, among other things, the nature of the health processing in question, such as eHealth, IoT or mobile devices, and storage in cloud systems. Specifically on this topic, the AEPD noted that in the second half of 2021, 15% of the notifications of breaches received by the AEPD were made by data controllers operating in the healthcare sector.

You can read the press release here and access the new section here, both only available in Spanish.