The GDPR introduces new rights for data subjects, such as the right to be forgotten, which is linked to the right to erasure, the right to data portability and the right to the restriction of processing.
In certain circumstances, the scope of application is also extended to controllers and processors who are not in a European Union state, which particularly strengthens the applicability of European regulations in online services. It also guarantees the right of data subjects to be informed without undue delay of security breaches that pose a high risk to their rights and freedoms, so that they may take appropriate action.
Finally, in processing that may involve international activities, the one-stop shop mechanism envisaged in the GDPR means that, for the purpose of making complaints, citizens do not have to deal with supervisory authorities other than that of the state in which they reside.
The GDPR includes existing rights and expands them, while also creating new ones. Thus, it regulates:
- The right of access
The right of the data subject to know whether the controller processes their personal data and, if this is the case, to access this data and obtain information on how it is being processed.
- The right of rectification
The right to rectify inaccurate personal data and to complete incomplete personal data, including by means of an additional declaration.
- The right of erasure (right to be forgotten)
The right to have one's personal data deleted when: they are no longer necessary for the purpose for which they were collected; the consent on which the processing was based has been withdrawn; there is objection to processing; the data have been unlawfully processed; the data have been processed to comply with a legal obligation or have been obtained in relation to the provision of information society services aimed at minors.
When the controller has made the personal data public and they must be erased, the controller must take reasonable steps to provide notification of such erasure to other controllers who are processing the data.
- The right to object
The right to object to the processing of personal data for reasons related to the particular situation of the data subject.
When the data are processed for direct marketing purposes, including profiling related to such marketing, the processing must be stopped immediately.
- The right to restriction of processing
The right to mark stored personal data with the aim of limiting their processing in the future.
The limitation of processing means that, at the request of the data subject, their personal data will no longer be processed.
- The right to data portability
The right to receive personal data provided to a controller in a structured, commonly used and machine-readable format, and to transmit them to another controller, if the following requirements are met:
- The processing is based on consent or a contract.
- The processing is carried out by automated means.
- The right not to be subject to automated individual decision-making
The right not to be subject to a decision based solely on the automated processing of data, including profiling, which produces legal effects for the data subject or similarly significantly affects him or her. This shall not apply if the decision is necessary for entering into, or performance of, a contract between the data subject and a data controller; it is based on the data subject's explicit consent; or it is authorised by the law of the Union or the Member State concerned.
All these rights must be exercised before the relevant entity responsible for the processing (Generalitat, provincial council, city council, consortium, university, etc.).
The right of access does not include the right to know the identity of the specific people working for the controller or processor who have accessed the information. In this regard, the Catalan Data Protection Authority has expressed its decisions in rulings CNS 8/2019 and CNS 53/2019.
The right to data portability is not enforceable: when the processing of the personal data is necessary for the performance of a task carried out in the public interest; in the exercise of official authority vested in the controller; or when the processing of the personal data is necessary for the fulfilment of a legal obligation. As public administrations carry out most of their data processing on these legal bases, it can be said that, in general, public administrations do not have to grant the right to portability in the exercise of their powers.
However, this right will be enforceable when the processing, in addition to being carried out by automated means, has as its legal basis the consent of the data subject or is necessary for the execution of a contract to which the data subject is a party. As such, in these cases, administrations must provide notification of the right to portability and facilitate the exercise of this right.
The controller must attend to the request for the exercise of the right within one month of receiving it, although this period may be extended by a further two months if necessary, depending on the complexity and number of applications.
If the period is extended, the data subject must be informed of this within the first month (from the date of receipt of the application) and of the reasons for the delay.
The Catalan Data Protection Authority does not have information on which entities have personal data concerning a particular person.
If you want to know if an entity has your personal data, you can exercise the right of access before the controller free of charge. This right entitles you to obtain a copy of the data processed and information on:
- Whether your personal data is processed, for what purpose and what specific uses.
- The categories of data being processed.
- Where they were obtained and whether they have been disclosed or are to be disclosed, and to whom.
- The storage period for the data, or the criteria to determine this period.
- The right to request access to, rectify or erase data, to limit their processing, to object to processing and to request portability.
- The right to lodge a complaint with a supervisory authority or, where applicable, with the Data Protection Officer.
- The existence of automated decisions, including profiling, and information on the logic involved and its consequences.
Yes, persons linked to the deceased for family or de facto reasons, as well as their heirs, may contact the controller or processor in order to request access to the deceased person's personal data and, where appropriate, its rectification or deletion. As an exception, the persons referred to in the preceding paragraph may not access the data of the deceased, or request its rectification or deletion, when the deceased has expressly prohibited it or as established by law (art. 3 LOPDGDD).
The GDPR states that both actions and communications made by virtue of the rights regulated in the GDPR are free of charge, unless the requests are manifestly unfounded or excessive, especially if they are repetitive. In this case, the controller has two possibilities: charge a reasonable fee or refuse to take action in response to the request.