Within the data protection regulations, interested parties have a series of rights that they can exercise before the controller responsible for processing their personal data. These rights are set out in Chapter II of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD) and in Section III of the European Data Protection Regulation (GDPR). Specifically, the interested party has the following rights, commonly known by their acronym as the ARSOPOL rights:

  • Right of access: the right to contact the data controller to find out whether or not they are processing the data and under what terms. Intimately linked to the principle of information and transparency.
  • Right of rectification: the right to have data that turns out to be inaccurate or incomplete modified without undue delay.
  • Right of deletion: the right of an interested party to request the deletion of data when any of the cases contemplated in the regulation occurs.
  • Right of opposition: the right of the interested party to object to the processing of their data in certain cases specified in the referenced articles.
  • Right of portability: the right to receive the personal data that an interested party has provided to a controller and to transmit them to another controller.
  • Right of opposition to automated decisions: the right not to be subject to a decision based solely on automated processing.
  • Right of limitation: the right to obtain the limitation of data processing when any condition provided for in the regulation is met.

Furthermore, the indicated rights are characterized by the following:

  • Exercising them is free of charge.
  • If the requests are manifestly unfounded or excessive (e.g. repetitive in nature), the controller may:
    • charge a fee proportional to the administrative costs incurred, or
    • refuse to act.
  • Requests must be answered within one month, although, taking into account the complexity and number of requests, the deadline can be extended by another two months.
  • The controller is obliged to inform the interested party about the means to exercise these rights. These means must be accessible, and the right cannot be denied for the sole reason that another means was chosen.
  • If the request is submitted by electronic means, the information will be provided by those means where possible, unless the interested party requests otherwise.
  • If the controller does not act on the request, it must inform the interested party, within one month at the latest, of the reasons for not acting and of the possibility of lodging a complaint with a control authority.
  • The interested party can exercise these rights directly or through a legal or voluntary representative.

But what happens if an entity does not attend to an interested party’s exercise of right?

In this case, the entity may face financial sanctions from the control authority, as occurred in the resolution of the Spanish Data Protection Agency (AEPD) that we are going to analyze in this article, PS 00522-2023.

The interested party files a claim with the AEPD alleging the following:

The statement of claim presented by the claimant states that, on 01/27/23, he sent an email to the claimed party requesting to exercise his right to delete all of his personal data held in the claimed party’s systems, so that they would not send him any more commercial communications, and that on 01/30/23 he received an acknowledgment of receipt indicating that “they are going to pass it on to the responsible personnel.”

On 04/23/23, the claimant again emailed the claimed party, reminding them that they had not yet deleted his personal data, since he still had access to the system with his data and passwords; the claimed party answered that the deletion of his data would be carried out immediately. Despite this, he received two more advertising emails, on 06/21/23 and 07/01/23.

On 08/03/23, in response to the request made by the AEPD, the claimed party stated that the entity was in a transition period from one web platform to another when the events occurred and that, during this migration process, an unexpected situation occurred that resulted in the crossing of some data from old clients. They described it as an isolated incident, for which they apologized, and guaranteed that this situation would not occur again in the future since they had put in place the necessary technical means to prevent it.

In parallel with the above, the claimant received, on 07/26/23, an email from the claimed party apologizing for the errors made and assuring him that they had definitively deleted all of his personal data from their mailing lists. However, on 08/11/23, the claimant once again received a new advertising email from the claimed entity’s address.

In response to what happened, the claimed entity alleges that an error in its systems resulted in not all of the broadcast lists associated with the account being deleted, despite the fact that the interested party had expressly requested their deletion. They acknowledge that this was a failure on their part and indicate that they have carefully reviewed their processes to ensure it is not repeated in the future.

Despite the apologies and the acknowledgment, the control authority (AEPD) deemed it appropriate to proceed with the sanction of the claimed entity, since it considers it confirmed that the complaining party requested the deletion of his personal data on two occasions, the first on 01/27/23 and the second on 04/23/23, receiving in both cases the corresponding acknowledgment of receipt from the claimed party. Therefore, it is considered that the complaining party requested the deletion of his personal data on up to two occasions, a request that was not attended to; moreover, even after the claimed party had declared before the AEPD that the complainant’s personal data had been deleted, the data were used again to send him a new advertising email. These facts constitute an infringement attributable to the claimed party for violation of Article 17 of the GDPR.

In this case, considering the seriousness of the infraction found, and paying special attention to the consequences that its commission causes for the complaining party, the imposition of a fine is appropriate, in addition to the adoption of measures where appropriate. Also considering the factors set out, the initial fine for violating Article 17 of the GDPR is assessed at 10,000 euros. The reduction for voluntary payment of the penalty can be applied to this amount and is cumulative with the one that corresponds to the recognition of responsibility, provided that this recognition of responsibility is made evident within the period granted for submitting allegations to the opening of the procedure. Voluntary payment, with a 20% reduction in the penalty (ultimately €8,000), may be made at any time prior to the resolution. If both reductions are applied (voluntary payment and recognition of responsibility), the amount of the penalty is set at 6,000 euros.

After the resolution, the claimed entity proceeded to pay the penalty in the amount of 6,000 euros, making use of the two reductions provided for in the initiation agreement explained in the previous paragraph, which implies the recognition of responsibility and the waiver of any administrative action or appeal against the sanction.

Finally, I do not want to miss the opportunity to offer a series of guidelines, from different points of view, on the matter that is the subject of this article.

As we have seen throughout the article, if you are an interested party affected by the non-attention, or the incomplete or incorrect attention, of an exercise of rights in terms of data protection, you have the control authority (AEPD) at your disposal to file a claim in this regard, always relying on evidence, as we have seen in the present case. Likewise, as a citizen you have at your disposal the Citizen’s Guide on data protection created by the AEPD, which can be very helpful.

Otherwise, if you are reading this article and you are an entity that wants to comply with the data protection regulations regarding the exercise of rights, and to avoid a sanction like the one we have analyzed in this publication, I advise you to follow these tips:

  • Have an internal procedure that details how to handle the exercise of rights by interested parties; this way, all of the entity’s staff will know how to do it correctly.
  • Establish an email address for this purpose, so that these requests are centralized and a person with expertise in data protection (such as the data protection officer) can manage all of them.
  • Check the identity of the applicants: we must ensure that the person requesting the exercise of the right is who they say they are, always without asking for disproportionate data (for example, if I did not request the DNI at the beginning of the contractual relationship, I should not request it in order to attend to this exercise of rights). Do not forget that a right of access can also be exercised through a legal or voluntary representative.
  • Respond to the interested party indicating the deadlines the entity has, so that they understand that you are reviewing their request. Remember that, as a general rule, you have one month from receipt of the exercise of rights.
  • Make sure that you have correctly attended to the request before giving the final response to the interested party; this way, what happened to the entity we have seen in this article will not happen to you, and you will avoid a sanction.
  • Give the final response, grounding it in law regarding whether or not the exercise of rights requested of you is resolved. If, as the controller, you do not act on the request, inform the interested party within one month at the latest of the reasons for not acting and of the possibility of complaining to a control authority.