
AEPD Resolution: EXP202515419

Resolution Signed: 10/02/2026

AEPD Reference Number: EXP202515419

Sanction Procedure Number: PD-00020-2026 

Fine Amount: €0

Full Description

The Incident (The Public Health Service Silence): A patient in the Balearic Islands submitted a formal data access request to IbSalut (Servicio de Salud de las Illes Balears), the public healthcare service responsible for hospitals and medical facilities across Mallorca, Menorca, Ibiza, and Formentera. The patient exercised their Article 15 GDPR right on 23 July 2025, requesting access to their personal health data held by the regional health authority. This is a common and legitimate request—patients often need their medical records for second opinions, insurance claims, disability applications, legal proceedings, or simply to understand their treatment history.

The Complete Non-Response: IbSalut never responded to the patient's access request. Not a single acknowledgment, not a "we're working on it" interim message, not even a rejection letter. Absolute silence. The patient waited the mandatory 30 days required by Article 12.3 GDPR, then waited longer, giving the health authority every opportunity to comply. Nothing. No communication whatsoever.

The AEPD Investigation and Continued Silence: Frustrated by the total absence of response, the patient filed a formal GDPR complaint with the AEPD. Following standard procedure, the AEPD transferred the complaint to IbSalut under Article 65.4 LOPDGDD, giving the health authority an opportunity to explain the delay and provide the requested medical records. IbSalut ignored this regulatory communication as well. On 23 October 2025, the AEPD formally admitted the case for full investigation and granted IbSalut a formal hearing period, requiring them to submit written defences. IbSalut ignored this too.

The Core Ruling (Full Enforcement Order): The AEPD ruled decisively in favour of the patient, finding that IbSalut violated Article 15 GDPR by completely failing to respond to a legitimate access request. The regulator issued a binding enforcement order under Article 58.2(d) RGPD requiring IbSalut to provide the requested medical data or a reasoned refusal within 10 business days of the resolution becoming final. The AEPD explicitly warned that failure to comply with this order would trigger a separate, additional sanction procedure for non-compliance with a regulatory directive, classified as a "very serious" infraction under Article 72.1(m) LOPDGDD, potentially resulting in substantial fines.

Articles Infringed

Article 15 GDPR (Right of Access): IbSalut failed to respond to a patient's legitimate request to access their personal health data, denying them their fundamental right to know what medical information the public health service holds about them.

Article 12.3 GDPR (Response Timeframe): Data controllers must respond to data subject rights requests "without undue delay and in any event within one month of receipt." IbSalut's complete silence for six months violated this mandatory deadline.

Actionable Steps

Based on Resolution EXP202515419, here is the compliance protocol for healthcare providers, public health services, hospitals, and medical professionals:

1. Public Healthcare Services Have No Exemption from GDPR

IbSalut is a public entity (regional government health service), yet the AEPD applied exactly the same standards as for private hospitals or clinics.

Legal Reality: Public healthcare providers are data controllers under Article 4(7) GDPR and must comply with all GDPR obligations including:

  • Responding to access requests within 30 days (Article 12.3)
  • Providing requested data in accessible format (Article 15.3)
  • Implementing appropriate organisational measures to facilitate rights exercise (Article 12.1)

No Exceptions For:

  • "We're understaffed" or "budget constraints"
  • "Medical records are complex to retrieve"
  • "We're a public service, not a business"
  • "The patient can just request records through their doctor"

Action: Public hospitals, regional health services, national health systems, and municipal health centres must implement the same GDPR compliance procedures as private healthcare providers. No special leniency is granted.

2. Medical Records Access Requests Are Among the Most Common GDPR Rights

Healthcare providers should expect frequent access requests and must have efficient systems to process them.

Why Patients Request Medical Records:

  • Second medical opinions
  • Switching healthcare providers (new GP, new hospital)
  • Insurance claims (life insurance, disability insurance, health insurance disputes)
  • Legal proceedings (medical malpractice claims, disability benefits applications, employment disputes)
  • Personal health management (tracking chronic conditions, understanding diagnoses)
  • Research or genetic testing
  • Immigration or visa applications requiring medical certificates

Statistical Reality: In healthcare, access requests are routine operations, not exceptional events. Larger hospitals may receive dozens per month.

Action: Healthcare providers must establish dedicated medical records departments with clear procedures for processing GDPR access requests, not treat them as rare administrative burdens.

3. The 30-Day Deadline Applies to Complex Medical Records

Healthcare providers often claim medical records are "too complex" to provide within 30 days. The AEPD rejects this.

Why Medical Complexity Is Not an Excuse:

Article 12.3 GDPR Extension Provision:
If a request is "complex," controllers may extend the deadline by up to two additional months. However, they must:

  • Notify the data subject of the extension within the original 30-day period
  • Explain specifically why the extension is necessary
  • Provide a new estimated completion date

Link to Official AEPD PDF

Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.

This summary is for informational purposes only. For more information, consult our Aviso Legal.
