New statement from the Superintendence for the Protection of Personal Data (SPDP) on the relationship in the processing of personal data between Insurance Companies and Healthcare Facilities

In the exercise of the powers granted to it by the Organic Law on the Protection of Personal Data (“LOPDP”), and through a non-binding opinion that does not generate general legal effects, the Superintendence for the Protection of Personal Data (“SPDP”), through Official Communication No. SPDP-IRD-2025-0090-O, issued a response to the following inquiry:

“Should insurance companies be considered Data Processors under the provisions of Article 34 of the Organic Law on the Protection of Personal Data when they access patient information collected and transmitted by a Healthcare Facility, if such transmission is made on behalf of and at the request of the insured patients, that is, without any contractual relationship between the facility and the insurer?”

In response to this inquiry, the Superintendence for the Protection of Personal Data (“SPDP”) stated the following:

Regarding this matter, the SPDP expressed the following:

Insurance companies and/or insurance brokers and advisors that receive information from a healthcare facility do so in their capacity as recipients of the data subjects’ personal data.
However, when these companies use that information for purposes related to their own line of business — that is, if they process the data for their own purposes — they assume the role of data controllers.

Statements like this help to generate greater legal certainty and operational clarity for the actors involved in the processing of personal data—especially in highly regulated sectors such as healthcare and insurance.

By defining the responsibilities of insurance companies regarding the data they receive and process, regulatory compliance is facilitated, transparency is promoted in the relationships between healthcare facilities, insurers, and patients, and data protection principles are reinforced for the benefit of data subjects.

At BUSTAMANTE FABARA, we will continue to promote specialized analysis on the practical application of these regulatory frameworks and their implications for the various regulated sectors.

If you require additional information, please contact us at the following email addresses:

Dr. María Rosa Fabara: mrfabara@bustamantefabara.com

Esteban Dávila: edavila@bustamantefabara.com

New statement from the Superintendence for the Protection of Personal Data (SPDP) on the relationship in the processing of personal data between Insurance Companies and Healthcare Facilities

Más publicaciones

Reforms to the Organic Law of the National Public Procurement System Introduced by the Organic Law on Public Integrity (LOIP)

New statement from the Superintendence for the Protection of Personal Data (SPDP) on the relationship in the processing of personal data between Insurance Companies and Healthcare Facilities

Rules for the application of the remission of interest, fines, costs, and surcharges derived from taxes administered and collected by the Internal Revenue Service, as outlined in the Thirteenth Transitory Provision of the Organic Law of Public Integrity

© Copyright 2024 BUSTAMANTE FABARA. All rights reserved I

Privacy Policy

Follow us: