Traceability of access to health data: the AEPD anticipates the EHDS standard

2026-07-13T09:55:00
Spain European Union
The right to access the identity of those who consult medical records
Traceability of access to health data: the AEPD anticipates the EHDS standard
July 13, 2026

The Spanish Data Protection Agency (AEPD) has published decision PD-00068-2026, concerning a request for access to a medical record that included the identification of the individuals who had consulted the data. The decision is accompanied by an AEPD publication setting out its legal criteria, which places the case in the context of recent case law and Regulation (EU) 2025/327 on the European Health Data Space (EHDS).

The main development is that the AEPD uses the EHDS as an interpretative criterion for Article 15 of the General Data Protection Regulation (GDPR). Although the European sector-specific framework is not yet applicable under its transitional timetable, the Agency considers that it introduces an enhanced transparency standard that should be taken into account when interpreting the right of access in the healthcare context.

Background to the complaint

The complaint was lodged by an individual who, in June 2022, had requested access to their data from the Regional Health Unit of the Madrid Higher Police Headquarters. The request was submitted again through the official registry on 17 May and 6 September 2025, in both cases covering the entirety of their medical record and the medical documentation held by the health services.

In the course of the proceedings, the Headquarters stated that it had shown the complainant the medical record, comprising 153 documents, and had provided copies of all of them on 24 September 2025. The data subject acknowledged receipt of the documents but maintained that the response remained incomplete because it did not include the access traceability information or the identity of the individuals who had consulted their personal interview and medical record.

The dispute therefore ceased to concern the delivery of the medical record and instead focused on the scope of the right of access in relation to consultation logs. The AEPD also recalled that the controller must respond to requests to exercise rights within a maximum of one month and bears the burden of demonstrating that it has complied with that obligation.

The starting point: Article 15 GDPR and the CJEU's case law

The Agency begins with the interpretation set out in the judgment of the Court of Justice of the European Union of 22 June 2023 in Case C-579/21. In that case, the CJEU held that the right of access includes information about operations involving consultation of the data, including their dates and purposes. However, it stated that Article 15 GDPR does not, as a general rule, require disclosure of the identity of the controller's employees who carried out those consultations under its authority and in accordance with its instructions.

The identity of individual employees may be disclosed where this is essential to enable the data subject to exercise effectively the rights conferred by the GDPR, provided that the rights and freedoms of those employees are also taken into account. This case law explains the AEPD's traditional position: the information could be provided by reference to categories of recipients, without automatically identifying every person within the organisation who had accessed the data.

The publication setting out the legal criteria adds that Spanish Supreme Court judgment no. 789/2026 of 24 June 2026 confirms this approach under the legal framework predating the full application of the EHDS. According to the AEPD's summary, there is no general and unconditional right to know the identity of each employee where internal protocols make it possible to verify that the consultations were carried out in accordance with the controller's instructions.

The EHDS as a criterion for strengthening transparency

From that point, the decision incorporates the EHDS Regulation into the interpretation of the right of access. Article 9 recognises the right of natural persons to obtain information, including through automatic notifications, about any access to their personal electronic health data made through the health professional access service in the context of healthcare.

The information must be provided free of charge and without delay through the electronic health data access services and remain available for at least three years following each access. At a minimum, it must identify the healthcare provider or any other person who accessed the data, the date and time of access, and the electronic health data accessed.

The same provision allows Member States to impose restrictions in exceptional circumstances where there are specific indications that disclosure would endanger the rights or vital interests of the health professional or the care provided to the natural person. The EHDS therefore makes transparency the rule and restrictions an exception tied to specific circumstances.

On that basis, the AEPD concludes that the interpretation most consistent with the evolution of EU law requires that, as a general rule in the healthcare sector, access to traceability information should include the identification of the persons who consulted the data where this is necessary to ensure transparency and effective oversight of the lawfulness of the processing. A general and automatic withholding of their identities would be incompatible with the enhanced standard described in the decision.

A right subject to limits, but not to automatic exclusions

The decision does not present this right of access as absolute. Disclosure of identity may be restricted where an applicable legal provision so provides or where a specific balancing exercise shows that disclosure is disproportionate or unnecessary for oversight purposes. In those cases, the controller must substantiate and document the restriction in accordance with the accountability principle.

In the case examined, the Madrid Higher Police Headquarters had neither disclosed the identity of those who accessed the data nor justified a refusal by reference to specific circumstances. The AEPD upheld the complaint for infringement of Article 15 GDPR and ordered it, within ten working days, to submit certification showing that it had granted the requested access or, alternatively, to provide a reasoned refusal in accordance with the criteria set out in the decision. This was a data subject rights enforcement procedure, and the decision did not impose a fine.

A necessary clarification on the application timetable

Both the decision and the AEPD publication refer to 26 March 2027 as the date from which the right under Article 9 of the EHDS would become applicable. It should be clarified, however, that Article 105 of the Regulation establishes a phased timetable: although the Regulation applies generally from 26 March 2027, Articles 3 to 15—including Article 9—apply from 26 March 2029 in respect of the priority categories in Article 14(1)(a), (b) and (c), and from 26 March 2031 in respect of the categories in points (d), (e) and (f).

This timing clarification does not alter the central reasoning of the decision: the AEPD does not apply Article 9 directly to the case, but uses it as an interpretative element reflecting the evolution of EU law. It does, however, make it possible to distinguish between the EHDS's current value as an interpretative reference and the future application of its obligations on the specific dates laid down in Article 105.

Implications for healthcare organisations

The criteria published by the AEPD rule out responding to traceability requests with a generic refusal based solely on the fact that the individuals who accessed the data are employees of the controller. In the healthcare context, the controller must assess whether identification is necessary to enable the data subject to verify the lawfulness of the processing and, if it decides to restrict disclosure, must explain the specific circumstances and document the balancing exercise carried out.

The decision also confirms that providing a complete copy of the medical record does not necessarily exhaust the right of access. Where the request includes information about consultations of the data, the response must address that aspect or properly justify a total or partial refusal. The general one-month time limit and the controller's burden of demonstrating that it has complied with the request remain fully applicable.

This development forms part of the evolution of the EHDS, which we have previously analysed in Regulation on the European Health Data Space, EHDS FAQs: Operational and Governance Perspectives and Towards the digitalisation of healthcare, on the forthcoming Spanish Digital Health Act and the need to ensure common traceability standards.

In short, the AEPD retains the balancing exercise required by the GDPR and CJEU case law, but changes the starting point in the healthcare context: the identity of those who access the data should not be withheld automatically, and any restriction must be framed as a specific, reasoned and documented exception.

For more information, please contact our specialists through the Knowledge and Innovation Area.

July 13, 2026