
AEPD Resolution: EXP202508938

Resolution Signed:

AEPD Reference Number: EXP202508938

Sanction Procedure Number: PD-00243-2025 

Fine Amount: €0

Full Description

The Incident (The "Medical Note" Limbo): On 7 April 2025, a patient emailed the clinic (Smile2Impress) specifically requesting a full, updated copy of their medical history ("Con todo lo nuevo adjúntame mi historial clínico", i.e. "Attach my medical history with everything new"). The clinic’s patient support team replied the same day with a standard holding message: "I am passing a note to the medical team so they can provide me with your visit history... I will send it to you as soon as possible."

The Administrative Failure: Despite this immediate acknowledgment, the internal communication chain broke down. The "note" passed to the medical team resulted in no action. The statutory one-month deadline (7 May 2025) passed with absolute silence, leaving the patient without their data.

The "Trigger" and the Defence: The patient filed a complaint with the AEPD on 14 May. Crucially, the clinic only reacted after the AEPD formally notified them of the complaint on 10 June 2025.

  • The Reaction: The very next day (11 June), the clinic finally emailed the patient the missing records.

  • The Defence: In their legal submissions, the clinic argued that they had already provided "part" of the medical history in December 2024 (six months prior). They claimed that by sending the "rest" of the files in June 2025, they had fully complied.

The AEPD Ruling (Formal Estimation): The Agency ruled against the clinic, rejecting the "we sent it before" defence. The ruling established two key precedents for healthcare providers:

  1. Iterative Rights: A patient has the right to request their history repeatedly. The fact that they received a copy in December 2024 is irrelevant to an April 2025 request. The controller must provide the current state of the file, not rely on past deliveries.

  2. The "AEPD Wake-Up Call": The Agency noted that the clinic only fulfilled the request after the AEPD intervened. Since the response was provided on 11 June—two months after the request—it was legally extemporaneous (late). While no fine was issued because the data was eventually sent, the clinic was formally reprimanded for the breach of Article 12 GDPR (Time Limits).

Articles Infringed

  • Article 15 GDPR (Right of Access): Infringed regarding the timeliness of the access.

  • Article 12 GDPR (Time Limits): The controller failed to respond within one month.

  • Law 41/2002 (Patient Autonomy): Specifically Article 18, regarding the right of access to medical documentation.

[Infographic: GDPR Medical Access Timelines]

Actionable Steps

1. The "Reiteration" Principle: In this case, the respondent argued they had already provided the medical history six months prior (December 2024). The AEPD ruling clarifies that the Right of Access is iterative.

  • Protocol: You cannot deny a current request by citing a previous delivery. If the data has not changed since the last request, the Data Controller is legally obliged to either resend the data or formally certify that "no new data has been generated since the delivery on [Date]." Silence is not a valid legal response.

2. The "Receipt vs. Response" Distinction: Smile2Impress sent an immediate acknowledgment ("We will send it soon"), but the AEPD ruled the response extemporaneous (late) because the actual data arrived after the 30-day window.

  • Protocol: Automated "We have received your request" emails do not stop the statutory clock. The 30-day countdown (Article 12.3 GDPR) refers to the material delivery of the file, not the administrative acknowledgment.

3. Integration of Law 41/2002: The AEPD specifically cited Law 41/2002 (Patient Autonomy) alongside the GDPR.

  • Protocol: Your Data Protection Officer (DPO) must ensure your retrieval systems encompass the "minimum content" of a clinical history defined in Article 15 of Law 41/2002 (anamnesis, surgical reports, anaesthesia logs, nursing notes). A partial delivery (e.g., just X-rays) constitutes an infringement of the Right of Access in the healthcare sector.

Link to Official AEPD PDF

Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.

This summary is for informational purposes only. For more information, see our Legal Notice (Aviso Legal).
