# Compliance Overview
obeliOmed is designed for use in Spanish healthcare clinics and must comply with the following regulatory frameworks. This section documents how the system addresses each requirement.
## Applicable regulations
| Regulation | Scope | Key requirement |
|---|---|---|
| RGPD (EU 2016/679) | Data protection — all patient data | Lawful basis, data subject rights, 72h breach notification |
| LOPDGDD (LO 3/2018) | Spanish GDPR implementation | Supervisory authority: AEPD |
| Ley 41/2002 | Patient autonomy and informed consent | Written consent before procedures; patients can revoke |
| LO 1/1996 + LO 8/2021 | Minors protection | Best interest standard; guardian consent for under-16 |
| Real Decreto 1720/2007 | Medical data security levels | High-security level for health data |
## Audit trail requirements
All clinically significant actions are logged in ObelioAudit with a minimum retention of 10 years (regulatory requirement — this value is NOT configurable per ADR-034).
Events that must be audited (non-exhaustive):
- Patient data created, updated, accessed, deleted
- Informed consent signed, revoked, updated
- Clinical documents created, signed, accessed
- Appointment created, confirmed, cancelled, no-show
- Surgery session opened, closed, outcome recorded
- User login, logout, failed authentication
- Settings changes (who changed what, from/to values)
- Data export or bulk access
## Patient rights (RGPD Art. 15-22)
obeliOmed must support the following patient rights on request:
| Right | How obeliOmed supports it |
|---|---|
| Access (Art. 15) | Patient record export in ObelioDocs |
| Rectification (Art. 16) | Edit patient data with audit trail |
| Erasure (Art. 17) | Pseudonymisation with medical record retention |
| Portability (Art. 20) | Export in standard format (JSON/PDF) |
| Restriction (Art. 18) | Flag patient record as restricted |
| Objection (Art. 21) | Documented via ObelioConsents |
:::caution Medical records cannot be deleted

Health records must be retained for a minimum of 5 years (Ley 41/2002) or 10 years for surgical records. The RGPD erasure right does not override this obligation. Erasure is implemented as pseudonymisation (personal identifiers removed, clinical data retained).

:::
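The two implementation points above, erasure handled as pseudonymisation and every clinically significant action written to an append-only audit trail with a fixed 10-year retention, are shown together in the following added example. It is illustrative code written for this page, not obeliOmed, ObelioAudit or ObelioConsents code; the record schema, the `IDENTIFIER_FIELDS` list, the sample patient values and the `clinic_secret` key are constructed assumptions.

```python
"""Erasure-as-pseudonymisation with an audit trail (illustrative, not obeliOmed code)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Fixed by ADR-034 on the page: audit retention is 10 years and is not a setting.
AUDIT_RETENTION_YEARS = 10

# Direct identifiers stripped on erasure. Hypothetical schema: the real
# obeliOmed record layout is not shown on the page.
IDENTIFIER_FIELDS = ("name", "surname", "dni", "phone", "email", "address")

# Constructed sample record (fictitious values).
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "name": "Ana", "surname": "García", "dni": "12345678Z",
    "phone": "+34600000000", "email": "ana@example.invalid", "address": "C/ Ejemplo 1",
    "diagnosis": "K35.80", "procedures": ["appendectomy 2023-02-14"], "allergies": ["penicillin"],
}


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str      # ISO-8601, UTC
    actor: str          # who did it
    action: str         # what happened
    subject: str        # which record or setting
    changes: dict       # field -> {"from": old, "to": new}


class AuditLog:
    """Append-only stand-in for ObelioAudit (in-memory, for this example only)."""

    def __init__(self) -> None:
        self._events: list[AuditEvent] = []

    def record(self, actor: str, action: str, subject: str, changes: dict | None = None) -> AuditEvent:
        ev = AuditEvent(datetime.now(timezone.utc).isoformat(), actor, action, subject, dict(changes or {}))
        self._events.append(ev)   # no update or delete API: the log only grows
        return ev

    def events(self) -> tuple[AuditEvent, ...]:
        return tuple(self._events)


def may_purge(event: AuditEvent, now_iso: str) -> bool:
    """True only once the event is older than the mandatory retention period."""
    ts = datetime.fromisoformat(event.timestamp)
    now = datetime.fromisoformat(now_iso)
    try:
        cutoff = ts.replace(year=ts.year + AUDIT_RETENTION_YEARS)
    except ValueError:              # 29 Feb landing in a non-leap year: roll to 1 Mar
        cutoff = ts.replace(year=ts.year + AUDIT_RETENTION_YEARS, month=3, day=1)
    return now >= cutoff


def pseudonym_for(patient_id: str, clinic_secret: bytes) -> str:
    """Keyed hash: stable per patient, but not reversible without the clinic key."""
    return hashlib.blake2b(patient_id.encode(), key=clinic_secret, digest_size=16).hexdigest()


def pseudonymise(record: dict, clinic_secret: bytes) -> tuple[dict, dict]:
    """Remove identifiers, keep clinical data; return the new record and a change set."""
    new = dict(record)
    changes = {}
    for field in IDENTIFIER_FIELDS:
        if new.get(field) is not None:
            # Do not copy the old value into the audit trail: that would re-identify
            # the patient from the log. Record only that the field was cleared.
            changes[field] = {"from": "[removed]", "to": None}
            new[field] = None
    token = pseudonym_for(record["patient_id"], clinic_secret)
    changes["patient_id"] = {"from": "[removed]", "to": token}
    new["patient_id"] = token
    new["erasure_status"] = "pseudonymised"
    return new, changes


def handle_erasure_request(record: dict, actor: str, audit: AuditLog, clinic_secret: bytes) -> dict:
    """Art. 17 request: pseudonymise rather than delete, and audit the action."""
    new, changes = pseudonymise(record, clinic_secret)
    audit.record(actor, "patient.pseudonymised", new["patient_id"], changes)
    return new


if __name__ == "__main__":
    log = AuditLog()
    # A settings change is logged with who, what, and from/to values, as the page requires.
    log.record("admin", "settings.changed", "clinic", {"session_timeout_min": {"from": 30, "to": 15}})
    result = handle_erasure_request(SAMPLE_RECORD, "dr.lopez", log, b"clinic-key-example")
    print(json.dumps(result, ensure_ascii=False, indent=2))
    for ev in log.events():
        print(ev.action, ev.subject, ev.changes)
```

Two design points worth noting: the audit entry for an erasure deliberately does not carry the old identifier values, since an audit log that must survive ten years would otherwise undo the pseudonymisation; and the pseudonym is a keyed hash rather than a plain hash, so the token cannot be rebuilt from a guessed patient number without the clinic key.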
## Informed consent (Ley 41/2002)
All informed consents must be:
- Written (electronic signature is acceptable under Ley 6/2020)
- Stored with the patient record (ObelioConsents)
- Revocable at any time by the patient (or guardian)
- Retained for the lifetime of the clinical record
Minors and legally incapacitated patients require guardian consent (see ADR-035).
## Security disclosure
Found a vulnerability? See our Security Disclosure Policy.