Personal Data Subject Rights
The law establishes specific and enforceable rights for data subjects. Controllers must implement procedures to handle requests within established timeframes.
Enforceable Rights
Rights are directly enforceable against the data controller. Their exercise cannot be conditioned on payment of fees. The general response period is 15 business days, extendable by an additional 15 business days.
Right of Access
Obtain confirmation about processing and access personal data.
Information to Provide
- Data processed and purposes
- Data recipients
- Retention period
- Available rights
Right to Rectification
Correct inaccurate, outdated or incomplete data.
Application
- Inaccurate or erroneous data
- Outdated information
- Incomplete data
Obligations
- Immediate correction
- Notification to recipients
Right to Erasure
Delete data when its necessity for processing purposes ceases.
Grounds
- Unnecessary data
- Withdrawal of consent
- Unlawful processing
- Legal obligation to delete
Limitations
- Freedom of expression
- Legal obligation to retain
- Public interest
Right to Object
Object to processing based on legitimate interest or public interest.
Grounds
- Particular situation of the data subject
- Lack of proportionality
- Impact on fundamental rights
Effects
- Cessation of processing
- Assessment of overriding interests
Right to Data Portability
Receive data in a structured and readable format to transmit it to another controller.
Requirements
- Processing based on consent or contract
- Automated means
- Data provided by the data subject
Modalities
- Direct delivery to data subject
- Transmission between controllers
Right to Restriction
Temporarily suspend processing while other requests are being resolved.
Application
- Pending rectification
- Opposition assessment
- Lawfulness challenge
Effects
- Suspension of operations
- Storage without processing
Opposition to Automated Decisions
Limit decisions based exclusively on automated processing with significant effects.
Scope
- Algorithmic decisions without human intervention
- Profiling
- Automated scoring
Safeguards
- Human review
- Expression of point of view
- Right to challenge
Exercise Procedure
Formal procedure with specific deadlines and appeal mechanisms before the Agency.
Data Subject Request
Submission by physical or electronic means, identifying the right to be exercised.
Verification
The controller may verify the identity of the requester.
Response
Deadline of 30 calendar days, extendable by an additional 30 days.
Appeal to Agency
30 business days to file a claim with the Agency in case of denial or lack of response.
Transform Your Legal Challenges into Competitive Advantages
Discover how our innovative approach can drive your business
