European General Data Protection Regulation
Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th, 2016, on the protection of natural persons with regard to the processing of personal data and on the free circulation of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), came into force on May 25th, 2018.
Compliance with the European General Data Protection Regulation (GDPR) requires the design and implementation of a series of measures, rules of action, forms, clauses and procedures to comply with each and every one of the guarantees that the GDPR establishes to protect the privacy and other fundamental rights of citizens.
Each data processing operation will depend, among other things, on the origin of the data, the type of data, the characteristics of the processing and the type of facilities and media in which the data are stored.
During the last weeks, we have received a bunch of information regarding the entry into force of the GDPR. In this regard, our email addresses have been the subject of many emails that have flooded our mailboxes to notify us of updates to Privacy Policies, which have been adapted to the new requirements of the European regulations.
This blog entry directs its attention to the rights of citizens, the holders of the data that is processed by others, and the different rights that they are entitled to:
Right of access. Individuals have the right to request and obtain information about their personal data undergoing processing, as well as the origin of that data and the communications of it that have been made or are expected to be made.
It may be exercised at 12-month intervals without the owner of the personal data needing to give any justification, or at shorter intervals when a legitimate interest is invoked.
The information provided will include the basic data of the affected person and the data resulting from any processing or computing process, as well as the origin of the data, the assignee thereof, and the specific uses and purposes for which the data was stored. The request must be resolved within a month of its receipt, and it should be satisfied within ten days of the notification of the resolution.
Right to rectification. Individuals are entitled to have their data updated if it is inaccurate or incomplete. The request must indicate the information that is incorrect and the correction that must be made, and must be accompanied by the documentation justifying the rectification requested, unless it depends exclusively on the consent of the interested party. The rectification must be effective within a period of ten days.
Right of deletion. Individuals can have their data deleted if it is inaccurate or has been processed illegally. The request must indicate whether it revokes the consent granted, in cases in which revocation is applicable, or whether, on the contrary, the information is erroneous or inaccurate, in which case it must be accompanied by the supporting documentation. The cancellation must be dealt with within a period of ten days. It will lead to the blocking of the data when the data must be kept available only to the Public Administrations, Judges and Courts, to address the possible liabilities arising from the processing, for the duration of the limitation period of those liabilities. Once that period has expired, the deletion must be made.
If the data to be rectified or canceled had previously been transferred to a third party, the person responsible for the file will notify the assignee of the rectification or cancellation made.
Right of opposition. Individuals can request that their data not be processed. When data has been processed without the consent of the owner, and provided a regulation does not state otherwise, the owner may oppose its processing when there are legitimate reasons related to a specific personal situation. In such a case, the person responsible for the file will exclude the data related to the affected party from the processing. In the case of data obtained from sources accessible to the public, the owner of the personal data shall have the right to object, upon request and without charge, to the processing of data concerning him, in which case the data shall be removed from the processing and the information about him appearing in it canceled, at his simple request.
There is an obligation to answer the applicant even if their data are not included, and the answer must be sent by means that make it possible to prove the sending and receipt of the notification.
The rights of access, opposition to processing, rectification and deletion are not absolute. The person responsible for the file or processing may deny them when there is a legal reason for doing so, such as when the access right has been exercised in the last twelve months and no legitimate interest is claimed, or when there is a legal duty of preservation in the case of cancellation. In the same way, the existence of a legal relationship that legitimates the processing could justify denying a cancellation when the preservation of the data is necessary for the fulfillment of the contractual obligations. In case of refusal, the person in charge of the file will inform the affected party of their right to seek the protection of the Spanish Data Protection Agency.
In the GDPR (arts. 15 and subsequent) and in the PLOPD (arts. 12 to 18), the right of portability is reflected (Article 20 GDPR, Article 17 PLOPD) as the right to request from the person responsible the data that it holds about a holder, so that the data can be delivered to a new person responsible or transmitted from one to the other.
Right to challenge valuations. Individuals can challenge acts that involve an assessment of their behavior and have legal implications when those acts are based solely on a processing of personal data that includes a definition of their characteristics or personality (Article 22 GDPR).
Impeding or obstructing the exercise of the rights of access and opposition, and refusing to provide the information that is requested, constitutes a serious infraction. Not attending to, or systematically impeding, the exercise of the rights of access, rectification, suppression or opposition can also be considered a very serious infraction.