The GDPR includes and extends existing rights, as well as creating new ones. It thus regulates:
- the right of access
- the right to rectification
- the right to erasure
- the right to object
- the right to restriction of processing
- the right to data portability
- the right not to be subject to decisions based solely on automated processing
The GDPR recognises the right of the data subject to be informed about the circumstances and context in which the personal data are processed.
The controller must provide the information in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.
The following information must be provided:
- the identity and the contact details of the controller and, where applicable, of the controller’s representative
- the contact details of the data protection officer, where applicable
- the purposes and legal basis for the processing
- the recipients or categories of recipients of the personal data, if any
- the controller’s intention to transfer the personal data to a third country or international organisation and the basis for doing so, where applicable
- the period for which the personal data will be stored, or the criteria used to determine that period
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing, as well as the right to data portability
- the existence of the right to withdraw consent at any time
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to do so
- the right to lodge a complaint with a supervisory authority or, where applicable, the data protection officer
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
Right of access: data subjects have the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, the right to access the personal data and obtain information about how they are being processed.
Right to rectification: data subjects have the right to rectification of inaccurate personal data concerning them and to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (“right to be forgotten”): data subjects have the right to obtain the erasure of personal data concerning them when:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
- the data subject withdraws the consent on which the processing is based
- the data subject objects to the processing
- the personal data have been unlawfully processed
- the personal data have to be erased for compliance with a legal obligation
- the personal data have been collected in relation to the offer of information society services addressed to children
Where the controller has made the personal data public and is obliged to erase them, that controller must take reasonable steps to inform other controllers which are processing the personal data about the erasure.
Right to object: data subjects have the right to object to the processing of their data, on grounds relating to their particular situation.
Where the data subject objects to processing for direct marketing purposes, including profiling to the extent that it is related to such direct marketing, the personal data must no longer be processed for such purposes.
Right to restriction of processing: right relating to the marking of stored personal data with the aim of limiting their processing in the future.
Restriction of processing means that, at the request of the data subject, his or her personal data will no longer be processed, with immediate effect.
Right to data portability: data subjects have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, where the following requirements are met:
- the processing is based on consent or on a contract
- the processing is carried out by automated means
Right not to be subject to automated individual decision-making, including profiling: data subjects have the right not to be subject to a decision based solely on automated processing of their data, including profiling, which produces legal effects concerning them or similarly significantly affects them. This does not apply if the decision is necessary for entering into, or performance of, a contract between the data subject and a data controller, is based on the data subject’s explicit consent or is authorised by law of the Union or the corresponding Member State.
All of these rights must be exercised with the entity that possesses the personal data of the data subject (the data controller), in other words, with the corresponding competent body of the Government of Catalonia (Generalitat), provincial council, city council, consortium, university, etc.
You may not exercise the right to data portability when your personal data is required for a project that is in the public interest, when it is required to exercise a public power conferred on the person in charge of processing the data, or when the personal data processing is required to fulfil a legal obligation. As public authorities carry out most of their data processing as a result of the legal bases listed above, this means that, in general terms, it is not possible to exercise the right to data portability from public authorities who are acting in their respective capacities.
However, it should be kept in mind that under certain circumstances, in which the authorities process data by automated means with the legal basis of the consent of the interested party or when a contract with the interested party is required, then this right shall be applicable. Under these circumstances, the authorities must inform the interested party of the right to portability and provide a way to exercise this right.
For more information on this topic, please see CNS Ruling 54/2018.
The Catalan Data Protection Authority has no information about which organisations possess personal data concerning a particular individual.
If you wish to find out whether an organisation possesses your personal data you can exercise, free of charge, the right of access against the organisation’s file controller.
This right entitles you to obtain a copy of the data being processed and information about:
- whether your personal data are being processed, for what purpose and specific uses
- the categories of data being processed
- where the data was obtained, and whether it has been transferred or is intended to be transferred and to whom
- the period for which the personal data will be stored, or the criteria used to determine that period
- the right to request access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing, as well as the right to data portability
- the right to lodge a complaint with a supervisory authority or, where applicable, the data protection officer
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
The controller must respond to the request to exercise the right within one month from the date it is received. This period may be extended by a further two months if necessary, depending on the complexity and number of requests received.
The controller must inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
The GDPR introduces new rights for data subjects such as the right to be forgotten, which is linked to the right to erasure, as well as the right to data portability and the right to restriction of processing.
The new Regulation also creates other safeguards for data subjects.
It establishes the applicability of European Union rules not only in cases in which the establishment of the data controller or processor is in an EU Member State, but also in any other case in which the processing is carried out in the context of an offer of goods or services aimed at data subjects or the monitoring of their behaviour specifically in the EU. This especially reinforces the applicability of European rules covering services offered online.
In addition, the Regulation ensures people’s right to be informed without undue delay of any personal data breach that may involve a high risk to their rights and freedoms, so that they can take appropriate measures.
Finally, in processing activities in which there are international dimensions, the one-stop-shop mechanism provided in the GDPR enables people to avoid having to deal with a supervisory authority other than that of the Member State in which they live, when they wish to make a claim or complaint.
You may receive advertisements and marketing communications when you have given your consent, when the advertisement is related to products or services similar to those you have already bought from a particular company, or otherwise when the company sending the marketing communications has a legitimate interest in doing so.
Depending on the legal basis for sending the unwanted ads, you can avoid being sent unsolicited communications in one of the following ways:
- Sign up for a mail preference service (Robinson List)
If you do not want to receive advertisements that you have not given your express consent to receive, signing up to a Robinson List is a good way to prevent this. These lists have to be checked by companies before they start an advertising campaign, and they cannot include anyone registered on the list in the campaign.
However, registering on a list like this will not prevent you from receiving advertising if you are a customer of the company and the ad relates to products like those you already bought, or if you gave the company permission to send you this kind of communication.
Registering on these lists is free.
The only applicable mail preference service currently active in Spain is called the Robinson List, and it is managed by the Spanish Digital Economy Association (ADIGITAL).
By registering yourself on the list you can choose to stop receiving marketing communication by any means, or you can block specific means or communication channels (by post, telephone calls, email or any other means).
Keep in mind that registration on the Robinson List only comes into effect three months after the date you register to be excluded from future ads. This means you may still receive some marketing communications during that three-month period.
It is important to provide accurate data when you register on the list, as the exclusion only takes effect for the addresses or telephone numbers you give, and only where those details match exactly.
You can register on the Robinson List online.
- Revoke your consent
You may be receiving marketing communications because you gave permission for them.
You must give express consent to receive automated telephone calls without human intervention, or for marketing communications sent via email, SMS, MMS or any other electronic means, except when the communication is from an entity of which you are a customer, and the advertisement refers to products or services similar to those you already bought.
If you gave your permission for your data to be used for advertising purposes and you do not wish to continue receiving advertisements, you can easily revoke your consent at any time, at no cost, by calling a free telephone line or contacting the customer services that are responsible for the data processing. If the marketing communications were sent by email, they must include a valid email address or link where consent can be revoked.
- Exercise your right of opposition
If you do not want a particular company to process your data for advertising purposes, you can exercise your right of opposition with that company at any time, by a simple and free means, so that it excludes you from the advertising campaigns it carries out.
When exercising your right of opposition, you should clearly indicate in the request that you do not want your data to be used for advertising purposes, indicating the channel or channels that the opposition refers to, and the data you do not want to be processed.
In the case of communications sent by email, the right of opposition must be exercised through a valid email address or other link, which must be included in the electronic marketing communications.
- Exercise your right not to be included in telephone directories
You may exercise your right not to appear in telephone directories, for free, or if you prefer, you may continue to be included in telephone directories without the information contained therein being used for advertising purposes. You may also request that your address, or any other information contained therein, be partially omitted.
To exercise this right, contact the operator of your telephone service and inform them that you do not want your personal data to be published in subscriber directories, or ask for your data not to be used for sending you advertisements.
Your data should then be removed or excluded for advertising purposes from the online version of telephone directories, as well as from the next edition of them that is published in hard copy or on any other physical medium.
Although the GDPR does not apply to the personal data of deceased persons, Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) provides that, unless explicitly prohibited by the deceased person, his or her family members, civil partners and heirs may request the controller or processor to grant them access to the personal data of the deceased person or, if necessary, to exercise the rights of rectification or erasure of such data on his or her behalf.
The LOPDGDD also provides that a posthumous designation may be made to enable certain persons or institutions to access the personal data of the deceased person and exercise, if necessary, the rights of rectification or erasure of that data.
In the case of children, these functions may be performed by their legal representatives or by the Attorney General’s Office.
All individuals have the right to access the documentation in their medical records and to obtain a copy of the data contained in them. However, this right may never be exercised to the prejudice of the right of third parties to the confidentiality of their data which may appear in such documentation, or of the rights of professionals who have taken part in drafting the documentation, who can request the withdrawal of their subjective observations, appreciations or annotations.
Minors older than 14 years of age, who are not incapacitated, may exercise the rights related to informational self-determination by themselves.
However, parents or guardians with parental authority, or legal representatives of the minor (even when the minor is over 14 years old), may access the minor's information without this constituting a breach of confidentiality, given their status as legal representatives. Nonetheless, when provided for by law or in cases where there may be a conflict of interest between the parents or legal representatives and the minor, the exercise of rights by those parties with regard to certain information on the minor's health may be limited, on a case-by-case basis, in order to protect the minor's best interests.
For more information on this topic, please see Opinion CNS 10/2018.
The right to access medical records does not mean the medical centre is obliged to disclose the identity of the specific individuals who, as staff at the medical centre, were able to access the medical records. However, the medical centre is obliged to inform the patient when the patient's data are shared with a recipient external to the medical centre.
For more information on this matter, please see Opinion CNS 8/2019.
People with family ties to a deceased patient may ask the data controller (the medical centre) for access to the patient's medical records, provided they do not affect the privacy of the deceased person or the subjective notes made by professionals, or cause any damage to third parties, as provided for in the guidelines on patient autonomy and data protection regulations.
For more information on this matter, please see Opinion CNS 8/2019.