Do dental clinics have the need to appoint a Data Protection Officer (DPO)?
In a short time, it will be a year since the General Data Protection Regulation (RGPD) that was a before and after in the processing of personal data that are carried out in the European Union. The truth is, at least for once, Our country had very advanced and demanding legislation on this matter, so adaptation to the new regulation is being easier than for other countries in our environment.
In any case, we have also had to adapt to the new regulations, yes, maybe with less effort, since there have been important changes, that we will discuss in other articles and new figures have been introduced such as the protagonist of this post, the Data Protection Delegate, better known as DPO (Data Protection Officer).
How could we define a DPO? A DPO is a data protection specialist, who must have specialized knowledge in law and practice in the matter. The DPO functions, we could summarize them in:
- Inform and advise the person in charge or in charge of the treatment of the scope of the data protection regulations.
- Supervise compliance with data protection legislation and the policies on this matter that the person in charge or in charge of the processing of personal data has, as well as the
assignment of responsibilities, awareness, training of personnel who process personal data and carrying out the necessary audits. - Advise on the performance of the Impact Assessment related to data protection and supervise its application.
- Cooperate with the Spanish Agency for Data Protection and the regional agencies.
After knowing what a DPO is and what their functions are in the organization, perhaps the most important question remains to be answered When is it necessary to appoint a Data Protection Officer? After approval of the GDPR, it was not clear when a DPO should be appointed, three assumptions were pointed out that were very open, as, for example, the large-scale processing of special categories of personal data. A special category of personal data is health, dental clinics treat special data, but do they do it on a large scale?, What do we mean by large scale? Can we understand on a large scale the data processed by a dental clinic in a town where there are no more clinics? (this clinic could treat all or a large part of the personal data of the inhabitants of that locality).
Has been the new Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD) approved last December, the one that has shed some light on this issue, pointing at his Article 34, When should a Data Protection Officer be appointed. Specific, this article in its letter l) indicates that they should appoint a DPO "health centers legally obliged to maintain the medical records of patients”Except from this obligation to“health professionals who, even though they are legally obliged to maintain the medical records of patients, they exercise their activity individually ". further, This article obliges the data controllers and managers to notify the Spanish Data Protection Agency of the appointment of the DPO.
So, the LOPDGDD, has made it clear that dental clinics are obliged to appoint a Data Protection Officer, unless the clinic is run by an individual entrepreneur. We then come to the conclusion that if the dental clinic is supported by a company in any of its commercial forms (S.L., S.L.P., etc..) you have the obligation to appoint a DPO, there is no alternative.
Can I appoint my clinic staff as DPO? The answer to this question is determined by the characteristics that a DPO must meet, indicated at the beginning of this article in the sense that a Data Protection Delegate, must have specialized knowledge in law and practice in the matter. If the person in our clinic we are considering to play the role of DPO does not meet these characteristics, Better not do it since the Spanish Agency for Data Protection can verify this and could even sanction you.
By last, point, that the Data Protection Delegates can be natural persons or legal persons such as, Delyser Abogados S.L.P., with proven ability to perform the role of DPO, task that he currently develops for different companies and organizations.
Our office can help you, do not hesitate to contact us.