When you process personal data, you must respond to requests from data subjects to exercise their data protection rights, the so-called rights of informational self-determination. These are the rights that allow a person to access their data, rectify it, erase it, and so on.
When the person submits the request to you by electronic means, you must provide the information by the same means, unless they ask you to provide it in another way. In the case of the right of access, it can be satisfied through a remote, direct and secure system that gives the data subject access to their personal data; informing them of how to access that system may be considered as having attended to the access request.
Deadline to respond
You must inform the data subject of the action taken on their request within one month of receiving it. This period can be extended by a further two months for particularly complex requests, and you must notify the data subject of the extension, and the reasons for it, within the first month. If you decide not to act on the request, you must inform the data subject within one month of receiving it, give the reasons for the refusal, and tell them that they may lodge a complaint with the competent data protection authority, such as the APDCAT.
Verify identity
You must take all reasonable steps to verify the identity of the data subjects who request access or exercise any of the other rights provided for in the regulations. The verification must be proportionate: if you have reasonable doubts about who is making the request, you may ask for the additional information needed to confirm their identity, but you should not demand more data than is necessary, nor keep personal data solely in order to be able to verify possible future requests. If you process a large amount of information about a data subject, you can ask them to specify the information to which their access request refers.
Collaboration between the data controller and the data processor
As the data controller, you can count on the assistance of the data processor in attending to the exercise of the data subject's rights. This assistance is one of the terms that the data processing contract must set out.
Free of charge
Exercising the rights must be free of charge. You may charge a fee only when a request is manifestly unfounded or excessive, in particular because it is repetitive, and the fee must be reasonable and based on the administrative cost of handling the request. In the case of the right of access, exercising it more than once within a six-month period can be considered repetitive, unless there is a legitimate reason for doing so.
Facilitate the exercise of rights
In addition to attending to requests, you must also make it easy for people to exercise their rights. This means that the procedures and mechanisms for doing so must be visible, accessible and simple. The GDPR does not prescribe a specific way of exercising these rights, but you must allow requests to be submitted by electronic means, especially when the processing itself is carried out by such means.