1. Right to information.
If personal data are to be registered and processed, it will be necessary to inform the interested parties in advance, through the means used for the collection, in an express, precise and unequivocal way:
Of the existence of a file or processing of personal data, the purpose of collecting the data and the recipients of the information.
Of the mandatory or optional nature of their response to the questions that are posed to them.
Of the consequences of obtaining the data or of the refusal to supply them.
Of the possibility of exercising the rights of access, rectification, cancellation and opposition.
Of the identity and address of the person responsible for the treatment or, where appropriate, their representative.
When questionnaires or other forms are used for the collection, the aforementioned warnings will appear in them, in a clearly legible form. The models of informed consent clauses are in folder 4.2, Consent clauses and circulars.
2. Right of access.
Through the right of access, citizens can themselves control the use made of their personal data. In particular, they have the right to obtain information on whether their data are being processed and for what purpose, as well as the information available on the origin of the data and on the communications made or planned. Its exercise is strictly personal, so it can only be requested by the interested person, who must contact the company that they know or presume holds their data. They may choose to view the data directly on screen or to obtain them in writing, as a copy or photocopy, or by any other system suitable for the type of file in question.
The person responsible for the file must decide on the request within a month from its receipt. They must do so even if they hold no data on the affected person. If this period elapses without the request having been adequately addressed, the interested party may contact the Spanish Data Protection Agency (AEPD) with a copy of the request made and the answer received (if any), so that the Agency in turn contacts the designated office in order to make that right effective.
The right of access cannot be exercised in intervals of less than 12 months, unless a legitimate interest is proven.
3. Right of rectification.
Through this right, citizens can defend their privacy by themselves controlling the use made of their personal data. In particular, they have the right to have their data modified when they are inaccurate or incomplete.
Its exercise is strictly personal, so it can only be requested by the interested person, who must contact the company that they know or presume holds their data, indicating which data they refer to and the correction requested, and providing the supporting documentation.
The person responsible for the file must decide on the request within a maximum period of ten days from its receipt. They must do so even if they hold no data on the affected person. Once the period has elapsed without an express response to the request, or if the response is unsatisfactory, the interested party may file the corresponding claim for protection of rights with the AEPD, accompanied by documentation showing that the rectification of data was requested from the entity in question.
Cancellation will lead to the blocking of the data, which will be kept only at the disposal of the Public Administrations, Judges and Courts, to address possible liabilities arising from the treatment, during the limitation period of those liabilities.
4. Right of opposition.
The right of opposition is the right of the citizen that the treatment of their personal data not be carried out, or that it cease, when their consent for the treatment is not necessary, where there is a legitimate and well-founded reason relating to their specific personal situation that justifies it, and provided that a law does not provide otherwise.
Its exercise is also very personal, so it can only be done by the interested person through a request addressed to the person responsible for the treatment, in which the well-founded and legitimate reasons that justify it must be stated.
The person responsible for the file or treatment must decide on the request within a maximum period of ten days from its receipt, either excluding the data relating to the affected person from the treatment or denying the request with justification. They must do so even if they hold no data on the affected person. Once the period has elapsed without an express response to the request, or if the response is unsatisfactory, the interested party may file the corresponding claim for protection of rights with the AEPD, accompanied by documentation showing that the opposition was requested from the entity in question.
5. Right to data portability
Recital 68 of the RGPD establishes the raison d’être of this new right that seeks to “further strengthen the control over their own data” of the interested party. It has a double scope:
Right to receive your data in a structured, commonly used, machine readable and interoperable format.
Right to demand that the controller transmit them to another controller.
The logical assumptions for this right to operate are the following:
That the processing of personal data is carried out by automated means
That the interested party had previously provided the personal data concerning them to the person responsible for the treatment by giving their consent, or
When the treatment is necessary for the execution of a contract.
From the point of view of its content, it is necessary to clarify two aspects of undeniable importance in practice:
Deliver the data in structured, commonly used and machine readable format.
It is an imprecise “minimum obligation”, although we understand that it may refer to the data being included in an automated file in the sense that article 4.6 RGPD gives it (“any structured set of personal data, accessible according to certain criteria, whether centralized, decentralized or distributed in a functional or geographical way”). It is understood that the true foundation of this requirement is that the data be arranged in a structured and logical way, regardless of the criteria used by the person in charge to satisfy this right. In other words, the intention is that the user can easily identify what personal data is being processed by the person in charge once the data are handed over to them.
On the other hand, if we take into account that the law should not oblige the person in charge to adopt technically compatible systems, the obligation to deliver the data in a common format would be distorted to the extent that the person in charge is not forced to use compatible systems. It is also not clarified whether managers who use various information and treatment systems must transform the data from one format to another (for example, non-interoperable CRMs; MySQL vs MongoDB databases; local Thunderbird mail managers vs cloud managers, etc.).
In any case, a simple, logical and advisable system would be to provide the data following a chronological or alphabetical order or according to criteria of storage formats or pursued purposes.
Receive or transmit the data, and transmission from controller to controller.
While the right to receive personal data from the controller is not restricted, the transfer from controller to controller is subject to the condition that “it is technically possible”. The circumstances that can affect what is “technically possible” are innumerable: problems in the network, equipment, electrical supply, etc. Compliance with this right from this dual perspective must be carried out in strict compliance with the information security obligations imposed by the RGPD; that is, the way in which the information is transmitted must guarantee that the data are not destroyed, altered or accessed in an unauthorized manner.
6. Right to erasure (“right to be forgotten”)
The right to delete data, or right to be forgotten, is established in article 17 of the RGPD as one of the new rights that have crystallized in binding regulations after clarification by case law (essentially the CJEU judgment of May 13, 2014, case C-131/12, Mario Costeja and AEPD vs Google). The main objective and rationale for this right is to reinforce the rights of access, rectification, cancellation and opposition of personal data in the face of technological advances in the framework of the reform of European data protection regulations, and in observance of the essential principles of data protection: quality, purpose, proportionality (linked to data minimization) and legality (linked to the principle of consent and revocation).
The interested party shall have the right to obtain from the data controller, without undue delay, the deletion of the personal data concerning them, and the controller shall be obliged to delete the personal data without undue delay when any of the following circumstances occurs:
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the interested party withdraws the consent on which the treatment is based;
the interested party opposes the treatment and other legitimate reasons for the treatment do not prevail, or the interested party opposes the treatment when it is aimed at direct marketing;
the personal data has been unlawfully processed;
personal data must be deleted to comply with a legal obligation;
personal data of minors have been obtained illegally (art. 8 RGPD).
7. Right not to be subject to automated individual decisions.
Article 22.1 RGPD establishes that every interested party shall have the right not to be the subject of a decision based solely on automated processing, including profiling, that produces legal effects on them or significantly affects them in a similar way. This is a different type of right from the one already enshrined in article 13 of the LOPD, relating to the challenge of valuations.
In short, it is a prohibition imposed on the controller against making a decision based solely on automated processing, and it applies even when the interested party does not exercise their right. Automated processing should be understood as data processing without human intervention in the decision-making process. And by human intervention we mean a relevant participation, with a real influence on the decision that is made. However, both the prohibition and the right of the interested party have exceptions provided for in the RGPD, such as the express authorization of Union or Member State law applicable to the controller, for example for the purposes of control and prevention of fraud and tax evasion.
8. Right to limitation of treatment.
Article 18 contemplates a right of the interested party to obtain from the controller the limitation of the treatment when any of the following conditions is met:
The interested party challenges the accuracy of the personal data, for a period that allows the person responsible to verify the accuracy of the same;
The treatment is illegal and the interested party opposes the deletion of the personal data and requests instead the limitation of its use;
The person in charge no longer needs the personal data for the purposes of the treatment, but the interested party needs them for the formulation, exercise or defense of claims;
The interested party has opposed the treatment, while it is verified whether the legitimate reasons of the person in charge prevail over those of the interested party.