AEPD Resolution: EXP202519154

Resolution Signed: 02/02/2026

AEPD Reference Number: EXP202519154

Sanction Procedure Number: PD-00001-2026

Fine Amount: €0

Full Description

The Incident (The Healthcare Data Delay): A citizen submitted a formal request to the Madrid Regional Health Department (Consejería de Sanidad de la Comunidad de Madrid) exercising their right of access under Article 15 GDPR. The request sought access to personal health data held by the public health authority. Despite the legal requirement to respond within one month (30 days) under Article 12.3 GDPR, the Health Department failed to respond within the statutory deadline.

The Complaint: After receiving no response within the required timeframe, the citizen filed a complaint with the AEPD on 14 September 2025, alleging that the Health Department had ignored their data access request entirely. The complainant provided documentation proving they had properly submitted the request and had received no acknowledgment or response from the public authority.

The Initial AEPD Investigation: Following standard procedure, the AEPD transferred the complaint to the Health Department under Article 65.4 LOPDGDD, giving them an opportunity to explain the delay and provide the requested information. When the Health Department's initial response failed to satisfy the complainant's legitimate expectations, the AEPD formally admitted the case for full investigation on 14 December 2025.

The Belated Response: Only after the AEPD opened a formal investigation did the Madrid Health Department finally respond to the citizen's access request. The department provided the requested personal data and documentation—but this response came months after the original 30-day legal deadline had expired. Essentially, the Health Department only complied with GDPR obligations when facing regulatory scrutiny, not when the citizen first exercised their rights.

The Core Ruling (Formal Estimation Without Additional Action): The AEPD ruled in favour of the complainant, finding that the Health Department violated Article 15 GDPR by failing to respond within the mandatory one-month period. However, because the department had finally provided the requested data during the AEPD investigation (albeit late), the regulator did not order the department to issue a new response or take additional corrective action. This is a "formal estimation"—the AEPD officially recognises the violation occurred and validates the complainant's grievance, but does not impose further remedial measures because the substantive right has now been satisfied (though tardily).

Articles Infringed

Article 15 GDPR (Right of Access): The Health Department failed to respond to a valid access request within the timeframe required by law, forcing the citizen to file a regulatory complaint to obtain information they were legally entitled to receive without administrative intervention.

Article 12.3 GDPR (Response Timeframe): Data controllers must respond to data subject rights requests "without undue delay and in any event within one month of receipt of the request." The Health Department's multi-month delay violated this mandatory deadline.

Actionable Steps

Based on Resolution EXP202519154, here is the compliance protocol for public authorities, healthcare providers, and all data controllers handling rights requests:

1. The 30-Day Deadline Is Absolute, Not Advisory

This case confirms that Article 12.3 GDPR's one-month response deadline is a hard legal requirement, not a suggested target.

Legal Reality: Even if you eventually provide the data (as Madrid's Health Department did), failing to respond within 30 days is itself a regulatory violation that can be formally upheld by the AEPD.

Action: Implement automatic calendar reminders and escalation protocols:

  • Day 1: Log the request in a tracking system with a deadline date
  • Day 15: Mid-point review—ensure the request is being processed
  • Day 25: Final alert—response must be sent within 5 days
  • Day 28: Emergency escalation if response is not ready

2. "Better Late Than Never" Does Not Erase Liability

The Health Department's eventual compliance during the AEPD investigation did not absolve them of the violation.

Key Principle: Responding late avoids compounding the problem (non-compliance + obstruction), but the initial failure to meet the deadline remains a breach. The AEPD can still formally rule against you, creating a regulatory record that may influence future enforcement decisions or sanctions.

Action: If you miss the 30-day deadline, immediately send an interim response explaining:

  • Why the delay occurred
  • When the full response will be provided
  • An apology for the inconvenience

This demonstrates good faith and may reduce regulatory consequences.

3. The Two-Month Extension Option (And How to Use It)

Article 12.3 GDPR allows controllers to extend the response deadline by up to two additional months if the request is complex or if the controller receives numerous requests.

Critical Requirement: You must notify the data subject of the extension within the original 30-day period, explaining why the extension is necessary.

Action: If you receive a complex access request (e.g., 20 years of medical records, multiple systems, large volumes of data), send a formal extension notification within 25 days stating:

  • "Due to the complexity and volume of data requested, we are extending our response deadline by [X] additional months under Article 12.3 GDPR"
  • Provide a new estimated completion date
  • Explain the specific reasons for the delay (e.g., "Your records span five hospital departments and require manual review to protect third-party privacy")
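The deadline arithmetic behind steps 1 and 3 is easy to get wrong by hand (Article 12.3 counts in calendar months, and an extension only counts if notified inside the original period), so here is an added example of a request tracker that encodes those rules; it is illustrative code written for this summary, not a tool of the AEPD or of the Madrid Health Department, and the `AccessRequest` model, the `MILESTONES` table and all dates used in it are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

# Escalation milestones from step 1, as days counted from the day of receipt (Day 1).
MILESTONES = {
    1: "log request and record deadline",
    15: "mid-point review",
    25: "final alert: response due within 5 days",
    28: "emergency escalation",
}


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month
    (31 Jan + 1 month -> 28 Feb), since Article 12.3 counts in months."""
    years, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, m0 + 1
    next_month = date(year + (month == 12), month % 12 + 1, 1)
    last_day = (next_month - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


@dataclass
class AccessRequest:
    """One Article 15 request as logged by the tracking system (hypothetical model)."""
    received: date
    extension_months: int = 0            # 0, 1 or 2 (Article 12.3 allows at most two)
    extension_notified: Optional[date] = None
    responded: Optional[date] = None

    def original_deadline(self) -> date:
        return add_months(self.received, 1)

    def deadline(self) -> date:
        """Effective deadline. The extension only counts if it is at most two months
        and the data subject was notified within the original one-month period."""
        valid = (0 < self.extension_months <= 2
                 and self.extension_notified is not None
                 and self.extension_notified <= self.original_deadline())
        return add_months(self.received, 1 + self.extension_months) if valid \
            else self.original_deadline()

    def status(self, today: date) -> str:
        if self.responded is not None:
            return "on time" if self.responded <= self.deadline() else "late"
        return "open" if today <= self.deadline() else "overdue"

    def milestones(self) -> Dict[date, str]:
        """Calendar reminders: Day n falls n-1 days after receipt."""
        return {self.received + timedelta(days=n - 1): t for n, t in MILESTONES.items()}
```

A request received on 31 July and answered on 1 December is reported as "late" even though data was eventually provided, which is the outcome this resolution records; an extension notified after the original deadline is ignored and the one-month deadline stands.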

4. Public Authorities Have No Special Exemption

This case involved a regional government health department, confirming that public authorities are subject to exactly the same GDPR deadlines as private companies.

For Government Bodies: Spanish public health services, town councils, regional administrations, universities, and other public entities cannot claim administrative bureaucracy, budget constraints, or public service workload as excuses for GDPR non-compliance. The AEPD applies the same standards to governments as to businesses.

5. Healthcare Data Access Requests Require Special Care

Medical records access requests are among the most sensitive and complex GDPR matters.

Best Practices for Healthcare Providers:

  • Centralise Requests: Designate a single department or Data Protection Officer to handle all patient access requests across all clinical departments
  • Standardise Formats: Create a template "Patient Medical Records Package" that compiles:
    • Treatment history with dates and diagnoses
    • Medication records
    • Lab and imaging results
    • Consultation notes (with third-party names redacted if necessary)
    • Billing and insurance records
  • Pre-Review for Third-Party Data: Medical records often contain information about family members, other patients, or healthcare professionals. Review records to protect third-party privacy before disclosure.

6. Ignoring Requests Triggers AEPD Intervention

The Health Department's silence forced the citizen to escalate the matter to the AEPD, consuming regulatory resources and creating an adversarial relationship.

Cost-Benefit Analysis: Responding to one access request takes 1-3 hours of staff time. Defending an AEPD investigation requires:

  • Legal counsel
  • Compliance team involvement
  • Executive attention
  • Formal written submissions to the regulator
  • Reputational damage

Action: Always respond, even if the response is: "We have no data concerning you" or "We need additional information to verify your identity."

7. The "Formal Estimation" Precedent

This case introduces an important procedural concept: the AEPD can "formally estimate" (uphold) a complaint without ordering additional action if the controller belatedly complies during the investigation.

Strategic Implication: If you miss the deadline but then immediately provide the data when the AEPD contacts you, you avoid an enforcement order requiring further action. However, the AEPD still creates a permanent record that you violated the law, which could influence:

  • Future sanctions if you have repeat violations
  • Reputational consequences (resolutions are published)
  • Evidence in civil lawsuits by the data subject

Action: The lesson is not "you can delay and catch up later," but rather "if you've already delayed, immediate compliance when contacted by the AEPD at least prevents escalation."

8. Tracking and Documentation Are Essential

How do you prove you responded within 30 days if a data subject claims you didn't?

Protocol: For every data subject rights request:

  • Log Receipt: Email timestamp, registered mail receipt, or web form submission confirmation
  • Track Processing: Internal notes showing who handled the request and when
  • Proof of Delivery: Email delivery confirmation, registered mail tracking, or secure portal upload timestamp
  • Retain Evidence: Keep copies of all correspondence for at least 3 years

9. Healthcare-Specific Deadlines and Exceptions

Spanish healthcare providers should be aware that access to medical records is also regulated by Law 41/2002 on Patient Autonomy, which grants patients a right to access their clinical history.

Coordination: When a patient requests their medical records, they may be exercising rights under both GDPR and Spanish healthcare law. Your response should satisfy both frameworks simultaneously by:

  • Providing complete medical data (GDPR Article 15)
  • Including clinical interpretation if requested (Law 41/2002)
  • Responding within the shorter of the two deadlines

10. Create a Rights Request Response Template

Every organisation should have a standardised procedure and template for responding to access requests.

Sample Template Elements:

  • Acknowledgment: "We received your request on [date] and will respond by [deadline date]"
  • Identity Verification: "To protect your privacy, please confirm [security question] before we release your data"
  • Data Package: Organised, clearly labeled documents with a cover letter explaining what's included
  • Additional Information: Contact details if the data subject has questions or wants to exercise other rights (rectification, deletion, etc.)

Summary of Business Risk

This case establishes that responding late to GDPR access requests—even if you eventually provide the data—constitutes a formal violation that the AEPD will officially uphold. Public authorities and healthcare providers are subject to the same 30-day deadline as private companies, with no leniency for administrative complexity or budget constraints. Whilst the Madrid Health Department avoided an enforcement order by belatedly complying during the investigation, the AEPD's formal ruling against them creates a regulatory precedent that could influence future sanctions for repeat violations.

Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.

This summary is for information purposes only. For more information, see our Legal Notice (Aviso Legal).