CONSTITUTIONAL LAW ON PERSONAL DATA PROTECTION - ENTITLEMENT
The constitutional law 15/1999 on Personal Data Protection dated December 13th, in its Section III related to the people’s rights, sets the terms and conditions that must be accomplished in order to enable the Responsible of the File to access, rectify or cancel or oppose the data, on behalf of the data holders.
The article 23 of the Royal Decree 1720/2007 dated December 21st, that approves the Rules of development of the Constitutional Law 15/1999 dated December 13th, on Personal Data protection, establishes that the rights to access, rectify, cancel or oppose the data are of personal nature, therefore these rights can be exerted only by the person affected, always confirming his/her identity. In cases of disability or underage, those rights will be exerted by the Legal Representative. They also can be exerted by a volunteer representative.
In order to use these rights, a free and simple platform must be conceded to the interested party
These instructions are more accurately detailed in the Royal Decree 1332/1994 dated June 20th, as well as in the Instruction 1/1998 dated January 19th of the Spanish Data Protection Agency, concerning the rights of access, rectification and cancellation.
In order to make the Responsible of the Data use these Rights correctly, it is necessary to keep in mind the following aspects
The terms for the exercise of Rights are the following:
- Right of access: One month time to answer, starting from reception of the application. In case it proceeds and no formal requirements are missing, 10 more days to make it effective.
- Right of cancellation and rectification: The term is 10 days. If the data is going to be communicated to third parties, they must be informed so they can proceed to the rectification or cancelation.
- Right of opposition: There is no obligatory term until the corresponding approval of this Rule, but it is recommended to do it within 10 days maximum.
The letter sent by the owner of the data who applies the exercise of the Rights must accomplish the following legal requirements:
- Name, surname and ID copy of the interested party. In the exceptional cases where a representation is admitted, the person who is representing must be identified on the same way as the person who is being represented, and the certification of representation will be also needed. The ID copy can be replaced by other valid document that accredits identification.
- Request settled on the application (Requested exercise or information that needs to be acceded to). In case it does not refer to a concrete file, all the information related to the company on behalf of the request will be provided. If it refers to a concrete file, only such file will be provided. If the information required is related to a third party, it will never be provided. If it is requested by phone, a written application will be required and the information about how to do it and where to send it will be provided. No information will be provided on the phone.
- Address for notification purposes.
- Date and signature of the applicant.
- Supporting documents concerning the request.
- The interested party must use the means that confirm the sending and reception of the request
In accordance to the article 25.2 of the Regulation, the Responsible of the File must answer the requests always, regardless of the existence of personal data of the interested party in the files.
If there are any missing requirements, an answer will be sent informing about it so it can be amended. It is recommended to use any means that confirm the sending and reception (certified mail with acknowledgment of receipt, as a prove in case of any problem with Protection rights).
The Responsible of the File must make sure that all the people in the company with access to personal data are able to inform the data holders about the procedures to use their Rights correctly.