Protecting health data: insights from AEPD resolutions

Recent resolutions from the Spanish Data Protection Agency (Agencia Española de Protección de Datos or AEPD) have drawn attention to the way in which pharmacies handle sensitive health-related personal data. These findings reveal recurring challenges in complying with both the EU General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, or GDPR) and Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights. Two significant resolutions demonstrate how multiple privacy violations, including insufficient legal bases and inadequate technical measures, can result in substantial administrative fines and corrective orders.
Legal framework
To understand the regulatory framework underlying the decisions issued by the AEPD, the following GDPR provisions are particularly relevant:
- Article 6 GDPR: establishes the lawful bases for data processing. All data processing activities require a lawful basis, which can include—but is not limited to—consent, compliance with a legal obligation, performance of a contract, and legitimate interests.
- Article 9 GDPR: governs the processing of health data, which is classified as a special (sensitive) category of personal data under the regulation. This article generally prohibits the processing of such data unless an exception applies. These exceptions include explicit consent, medical or health-related necessity under legal requirements, or substantial public interest. The primary goal of this article is to ensure enhanced protection due to the sensitive nature of health data. As healthcare-related establishments, pharmacies assume a particularly demanding obligation to protect privacy, given the sensitive nature and volume of the data they process.
- Articles 13 and 14 GDPR: require data controllers to provide individuals with transparent and accessible information regarding the processing of their personal data. Whether the data is obtained directly from the individual (Article 13) or indirectly from third parties (Article 14), the information provided must include details such as the purpose of the processing, the lawful basis and the intended recipients. This ensures that data subjects are adequately informed and able to exercise their rights effectively.
- Article 32 GDPR: focuses on the security of personal data processing. It requires controllers and processors to implement appropriate technical and organisational measures to protect the confidentiality, integrity and availability of data. These measures must take into account the state of the art, the risks to individuals' rights and freedoms, the implementation costs, and the specific circumstances of the processing activities. Security measures are not static: they must be assessed dynamically against the particular risk profile of each scenario.
Overview of AEPD’s resolutions
Although both resolutions share the same factual background, namely the unauthorised or insufficiently safeguarded processing of patients’ health data, each one identifies the specific legal articles that have been infringed and imposes administrative sanctions based on the particular circumstances of the case.
The first resolution, issued on March 27, 2025 (EXP202313747, PS-00187-2025), focuses on inadequate practices relating to the collection and storage of health-related data, including National Health Service identification numbers, medication details and other medical information relating to numerous patients. This data was handled in Excel files shared via email, without providing data subjects with the required information about the processing and without obtaining valid consent, or establishing any other lawful basis under the GDPR, to legitimise the operation.
The AEPD identified several infringements, including breaches of the transparency obligations under Article 13 GDPR and the unauthorised collection of sensitive data categories contrary to Article 9 GDPR. The Agency also found that the pharmacy had not taken sufficient measures to ensure data confidentiality, as mandated under Article 32 GDPR. This was because the pharmacy stored files containing sensitive information on the desktops of computers located on the pharmacy’s public counters. This setup allowed customers to have visual access to the computer screens at all times. The pharmacy acknowledged the lack of adequate safeguards, including the use of a single password shared by all employees and the absence of proper physical and digital access controls. Although basic security practices such as backing up data were mentioned, the overall security measures fell far short of ensuring the confidentiality, integrity and availability of personal data as required by the GDPR.
The AEPD responded by issuing a fine of €16,000, later reduced to €9,600 as the pharmacy accepted responsibility and opted for voluntary payment. The Agency also ordered the pharmacy to adopt corrective measures to address the violations, including the deletion or effective protection of existing files, and compliance with GDPR requirements regarding transparency and the lawful basis for processing health data.
The second resolution, issued on April 12, 2025 (EXP202414356, PS-00177-2025), similarly addresses the processing of health data. In this case, it involved dispensing products to nursing home residents. The pharmacy obtained users’ personal data without a valid contract, consent or any other lawful basis. Consequently, the AEPD identified an absence of legal grounds for processing, in violation of Article 6 GDPR, as well as a complete infringement of the transparency obligations under Article 14 GDPR.
As in the previous resolution, the AEPD found that the security measures fell short of those required under Article 32 GDPR: the pharmacy was sending patient data by email without encryption and without securing these transmissions through any other appropriate procedure.
Here too the Agency imposed a fine, in this case of €11,000, later reduced to €6,600 after the pharmacy acknowledged responsibility. Alongside the monetary sanction, the AEPD required the cessation of processing activities lacking a lawful basis, as well as the erasure of the data or, alternatively, the regularisation of processing operations by complying with the GDPR's transparency and confidentiality principles.
In conclusion, the AEPD's rulings reaffirm that the Spanish data protection authority demands a rigorous standard of care in handling medical data due to its considerable sensitivity. Pharmacies cannot simply rely on statutory exceptions to process personal health data; they must also demonstrate that the processing is strictly limited and legally justified, and supplemented by transparent notices. All technical and organisational measures implemented must reflect the heightened sensitivity of health-related information and address the risks of unauthorised access or disclosure. Failure to comply with these obligations may result in stringent sanctions accompanied by corrective orders mandating full alignment with legal requirements.