What is a data protection delegate?

With the entry into force, one year ago, of the Regulation (EU) 2016 / 679 of the European Parliament and of the Council, of 27 of April of 2016, relative to the protection of the individuals with regard to the treatment of personal data and the free circulation of these data (RGPD) and six months of the Organic Law 3 / 2018, of 5 of December, of Protection of Personal Data and Guarantees of Digital Rights (LOPDGDD), the figure of the Delegate of Data Protection or "DPD" (DPO, in its acronym in English, Data Protection Officer), as that natural or legal person, internal or external, acting in the Responsible [1] or in the Person in charge of the Treatment [2], to protect the personal data being designated according to their professional qualities and their specialized knowledge of the Law and the practice of data protection and its capacity to perform the functions established in the RGPD, which we will later indicate.

data protection delegateDo I need a Data Protection Delegate in the health field?

Focusing on this health area, both public and private, this new figure will only be mandatory if it is about (i) Public authorities and bodies; (ii) Managers or managers who have among their main activities the treatment operations that require a regular and systematic observation of large-scale stakeholders; (iii) Persons in charge or in charge who have among their main activities the treatment of sensitive data on a large scale. Among others, the sensitive data are those related to health data, being these usually treated in health centers, both public and private.

Going back to the question we asked ourselves, about the need or not to have a Delegate for Data Protection in our Health Center:

The answer is none other than the obligation to adapt to European regulations that already exist in this regard, but also to protect patient data, especially if they refer to health, genetic and biometric data.

Therefore, if we treat health data in our Health Center, we must have a Delegate of Data Protection. But by the fact of treating health data should we always have a DPD? No, there is an exception as to who should have this figure and, taking as reference the 91 Recital GDPR, "the treatment of personal data should not be considered on a large scale if it is done, regarding personal data of patients, a single doctor, another health professional ... ", Single-person medical offices should not have a Delegate for Data Protection. This position has been reinforced by article 34.1 l) of the LOPDGDD, which states that "Health professionals are excepted, even though they are legally required to maintain the patients' medical records, to exercise their activity individually. "

Following the assumptions in which, if it is necessary to have a DPD, the current LOPDGDD, confirms the criteria established in Article 37 of the RGPD, establishing that they must have a DPD, «The health centers legally obliged to maintain the patient's medical records«.

Therefore, it is clear that health centers that do not act individually and that treat health data must have a Delegate of Data Protection, now we will explain what position this professional should have within the organization of the Health Center.

The Health Center will guarantee that the Delegate of Data Protection Participate appropriately and in a timely manner in all matters relating to the protection of personal data. They must also support the Data Protection Delegate in the performance of their duties, providing the necessary resources for the performance of the same and access to personal data and treatment operations.

For his part, Delegate of Data Protection, must be independent, not receiving any instruction regarding the performance of these functions. Nor will it be dismissed or sanctioned by the Health Center for performing its functions, reporting directly to the highest level of the hierarchy.

El Delegate of Data Protection he must maintain secrecy or confidentiality with regard to the performance of his duties and may perform other functions and tasks, provided that they do not give rise to a conflict of interest.


But what are the functions of DPD?

These functions are included in article 39 of the RGPD, being basically the following:

  1. Inform and advise the Health Center and the employees that deal with the treatment of data protection obligations;
  2. Supervise compliance with the provisions of the RGPD, and the policies of the Health Center regarding the protection of personal data, including the assignment of responsibilities, the awareness and training of personnel involved in treatment operations, and the corresponding audits;
  3. Offer the advice requested about the impact evaluation regarding data protection and supervise its application;
  4. Cooperate with the control authority, this with the Spanish Agency for Data Protection or the Catalan Data Protection Agency, if applicable;
  5. Act as the contact point of the supervisory authority for matters relating to treatment, including prior consultation, and consult, as appropriate, on any other matter.

Therefore, it is clear that Health Centers, Hospitals, clinics, polyclinics, medical consultations both public and private, must have in their management teams, with trained professionals to perform the position of Delegate of Data Protection. These professionals must be appointed according to their professional qualities and their specialized knowledge of law and practice in terms of data protection, so it is not advisable to understand that it is enough to appoint a person within the organization, and that this one appears as Delegate of Data Protection, without having the necessary legal, technical and practical knowledge on the subject, since the application of such regulations is becoming increasingly complex. Likewise, the LOPDGDD considers that a serious infraction "The breach of the obligation to appoint a delegate of data protection when his appointment is required in accordance with article 37 of Regulation (EU) 2016 / 679 and article 34 of this organic law".

Finally, indicate that the Data Protection Delegates, we are a figure that we come to help, clarify and train, on the right to the protection of data of people, acting as a link between the competent authority and the Health Center and ensuring the compliance with the policies and good practices developed by the Health Centers. Trust a professional to perform this task.

[1] "Responsible for the treatment" or "responsible": the natural or legal person, public authority, service or other body that, alone or together with others, determines the purposes and means of the treatment; if the law of the Union or of the Member States determines the aims and means of processing, the controller or the specific criteria for his appointment may be established by Union or Member State law;

[2] 'Processor' or 'in charge': the natural or legal person, public authority, service or other body that processes personal data on behalf of the controller;

About the Author:


José Manuel Rodriguez

DiG Lawyers