AEPD Resolution: EXP202504969

Resolution Signed: 19/01/2026

AEPD Reference Number: EXP202504969

Sanction Procedure Number: PS-00463-2025

Fine Amount: €1200

Full Description

A former employee of a dental clinic filed a complaint after being dismissed in January 2025. During her employment (April 2024 – January 2025), she observed that the clinic operated a video surveillance system with cameras in both the reception area and the treatment room (gabinete). She alleged that:

  • Patients were not informed they could be recorded during dental procedures
  • No visible signage warned of video surveillance in the reception area
  • The system captured both images and audio
  • Recordings were retained beyond legal limits

The employee provided photographic evidence showing cameras installed without accompanying information signs in the reception area.

The Dental Practice's Defence: The clinic owner (A.A.A.) responded by explaining that the surveillance system, installed and managed by a security company since 2016, served exclusively security purposes. The owner claimed:

  • Two devices were installed: a video camera in the treatment room and a photo camera in reception
  • Both had information signs (though photographic evidence suggested otherwise initially)
  • Images were stored for a maximum of seven days before automatic deletion
  • Audio was only captured in the treatment room for security purposes
  • Access to footage required password and facial recognition authentication
  • The system was not used for labour monitoring (which was handled through signed timesheets)

The AEPD's Investigation: The Spanish Data Protection Authority examined whether the video surveillance system complied with the data minimisation principle under Article 5.1(c) GDPR. The critical finding centred on the camera installed inside the treatment room.

The Core Ruling: The AEPD determined that whilst video surveillance for security purposes is permissible under Article 22 LOPDGDD, the implementation must be proportionate and limited to what is strictly necessary. The Authority found:

  1. Treatment Room Surveillance Excessive: Recording patients continuously during dental procedures—when they may be in vulnerable positions for extended periods—violated the data minimisation principle. The constant capture of images and audio during medical treatments was disproportionate to the stated security objective.
  2. Audio Recording Particularly Problematic: Constitutional Court jurisprudence (STC 98/2000) establishes that audio surveillance is subject to more restrictive standards than video alone. Recording conversations between patients and dental staff went beyond what could be justified for security purposes, capturing private comments completely unrelated to any legitimate business interest.
  3. Retention Period Concern: All patient data was retained for seven days, meaning every patient who attended during that period had their treatment sessions recorded and stored, regardless of any security incident.

Proportionality Assessment: The AEPD applied a three-part test:

  • Is the measure capable of achieving the stated objective? (Yes)
  • Is there a less intrusive alternative? (Potentially)
  • Are the benefits balanced against the harm? (No—the intrusion on patient privacy far outweighed the security benefit)

The resolution distinguished this case from legitimate workplace surveillance under Article 89 LOPDGDD, confirming the clinic's stated security purpose fell under Article 22 LOPDGDD but failed to meet its proportionality requirements.

Articles Infringed

Article 5.1(c) GDPR (Data Minimisation): The video and audio surveillance in the treatment room captured excessive personal data that was not "adequate, relevant and limited to what is necessary" for security purposes. The constant recording of patients during dental procedures, combined with audio capture of conversations, violated fundamental data protection principles. Classification: Very serious infringement under Article 83.5(a) GDPR and Article 72.1(a) LOPDGDD, with a three-year prescription period.

Actionable Steps

Based on Resolution EXP202504969, healthcare providers and businesses using video surveillance should implement the following protocol:

1. Apply Strict Proportionality in Sensitive Areas

Medical treatment rooms, consultation spaces, and similar areas require heightened privacy protection.

Action: Before installing cameras in spaces where patients or clients are in vulnerable situations, conduct a proportionality assessment:

  • Can security be achieved without constant surveillance of the space?
  • Would time-limited activation (e.g., only when premises are empty) suffice?
  • Can the camera be positioned to monitor entry points without capturing the treatment area?

Legal Shield: Article 5.1(c) GDPR requires data minimisation. Courts will scrutinise whether continuous surveillance was truly necessary.

2. Audio Surveillance Requires Exceptional Justification

Audio recording faces much stricter legal standards than video alone.

Protocol:

  • Default position: Do NOT record audio
  • Only consider audio if you can demonstrate "relevant risks for the security of installations, goods and persons" that cannot be addressed otherwise
  • Document your risk assessment showing why audio is essential
  • Ensure compliance with Article 89.3 LOPDGDD if the recording could affect employees

Red Line: Never record audio in medical consultation rooms, therapy spaces, or similar settings where private conversations are expected.

3. Time-Limited Recording in Sensitive Spaces

If surveillance in treatment areas is genuinely necessary, avoid constant recording.

Action: Configure cameras to:

  • Activate only during specific circumstances (e.g., after-hours when premises are empty)
  • Require manual activation by authorised personnel when needed
  • Automatically cease recording when the space is in use for its primary purpose

4. The Seven-Day Retention Standard

Storing footage for seven days is acceptable, but only if the initial collection was lawful.

Important: Lawful retention periods cannot cure unlawful initial collection. If you shouldn't have recorded the data in the first place, storing it for one day or seven days is equally problematic.

5. Properly Informed Consent in Healthcare Settings

If you determine that surveillance is necessary in clinical spaces, patient consent becomes critical.

Action:

  • Provide clear, prominent signage using the two-layer system required by Article 22 LOPDGDD
  • First layer (on-site sign): Inform of surveillance existence, controller identity, and where to get more information
  • Second layer (available document): Complete Article 13 GDPR information
  • Consider explicit written consent for treatment room surveillance
  • Explain why the surveillance is necessary and what security risk it addresses

6. Distinguish Security from Labour Control

The clinic owner correctly distinguished between security surveillance (Article 22 LOPDGDD) and labour control (Article 89 LOPDGDD).

Critical Rule: You cannot use footage collected for security purposes to subsequently monitor employee performance or attendance. If you want to monitor workers:

  • Comply with Article 89 LOPDGDD requirements
  • Provide advance notice to workers and their representatives
  • Never install cameras in rest areas, toilets, changing rooms, or break rooms
  • Document the separate legal basis and purpose

7. Conduct Data Protection Impact Assessments

Before installing surveillance in healthcare or other sensitive settings, complete a DPIA.

Required Elements:

  • Description of the processing and its purposes
  • Assessment of necessity and proportionality
  • Assessment of risks to data subjects' rights
  • Measures to address those risks
  • If high risk cannot be mitigated, consult the AEPD before proceeding

8. Immediate Compliance Actions for Healthcare Providers

If you currently operate surveillance in treatment rooms:

Within 30 Days:

  • Review camera positioning and coverage
  • Determine if treatment areas are being continuously recorded
  • Check if audio is being captured

Within 90 Days (as required in this case):

  • Reorient cameras to exclude treatment areas, or
  • Remove cameras from treatment rooms entirely, or
  • Implement time-limited activation that prevents recording during patient consultations

Document Everything:

  • Keep records of your proportionality assessment
  • Maintain evidence of compliance with any remedial orders
  • Document your legal basis and necessity justification

Summary of Business Risk

This resolution establishes that healthcare providers face significant penalties for surveillance systems that fail proportionality tests, even when implemented with genuine security intentions. The €2,000 fine (reduced to €1,200) was relatively modest, but the case demonstrates the AEPD's willingness to scrutinise surveillance in sensitive settings.

Key Risks:

  • Continuous surveillance of medical/clinical spaces will likely be deemed excessive
  • Audio recording in consultation rooms faces particularly strict scrutiny
  • "Security" cannot be invoked as a blanket justification—you must prove proportionality
  • Seven-day retention is acceptable only if the initial collection was lawful

Critical Protection: Healthcare providers should presume that treatment room surveillance is unlawful unless they can demonstrate exceptional circumstances that make it absolutely necessary and proportionate. When in doubt, exclude clinical spaces from video surveillance systems.

Link to Official AEPD PDF

Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.

This summary is for informational purposes only. For more information, see our Legal Notice.
