When Regulation (EU) 2016/679 (GDPR) became applicable on 25 May 2018, it did not only impose new obligations on organisations that process personal data: it also expanded and reshaped the rights of individuals. The old acronym ARCO — Access, Rectification, Cancellation and Objection, inherited from the now-repealed Organic Law 15/1999 — gave way to a broader and more nuanced catalogue now referred to by the mnemonic ARSULIPO. Understanding what each right means, which GDPR article underpins it, and within what timeframe it must be addressed is the first step towards correctly managing requests your organisation receives and avoiding unnecessary penalties.
From ARCO to ARSULIPO: why the nomenclature changed
LO 15/1999 (the repealed LOPD) recognised four rights: Access, Rectification, Cancellation and Objection. The LOPDGDD — Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights, the current national legislation — transposed into Spanish law the expanded catalogue of the GDPR, which now provides for six distinct rights within the ARSULIPO acronym, plus additional rights recognised by the GDPR.
The change is not merely terminological. Cancellation was split into erasure and restriction of processing, two rights with different legal effects. Portability and the right not to be subject to automated decision-making, including profiling, were added. Furthermore, the right to object gained specific content for the case of direct marketing. This expansion makes ARCO inadequate as a practical reference, which is why ARSULIPO has become the standard term in compliance training and procedures. The acronym covers six rights: Access (A), Rectification (R), Erasure (SU), Restriction (LI), Portability (P) and Objection (O). The right under art. 22 of the GDPR — not to be subject to decisions based solely on automated processing — is an additional right that does not form part of the mnemonic.
| ARCO right (LO 15/1999, repealed) | ARSULIPO equivalent or successor (GDPR) |
|---|---|
| Access | Access — art. 15 GDPR (expanded) |
| Rectification | Rectification — art. 16 GDPR |
| Cancellation | Erasure (art. 17) + Restriction (art. 18) |
| Objection | Objection — art. 21 GDPR (strengthened for direct marketing) |
| — | Portability — art. 20 GDPR (new) |
| — | Not to be subject to automated decisions — art. 22 GDPR (new) |
The six ARSULIPO rights and the additional art. 22 GDPR right
Article 12(3) of the GDPR sets out the general response rule: one month from receipt of the request, extendable by up to two additional months where the complexity or number of requests justifies it, provided the data subject is informed within the first month. The table below presents the six rights that form the ARSULIPO acronym and the additional right under art. 22 of the GDPR — which is not part of the mnemonic — with their regulatory references and deadline specifics. For a full operational guide on handling each request in practice, see also Data subject rights under the GDPR: access, rectification, erasure, objection, restriction and portability.
| Right | GDPR Article | What it allows the data subject to do | Response deadline |
|---|---|---|---|
| Access (A) | Art. 15 | Obtain confirmation of whether their data are being processed and, if so, a copy of them together with information on the purposes, recipients, retention period and origin of the data. | 1 month (extendable to 3 months in complex cases) |
| Rectification (R) | Art. 16 | Request the correction of inaccurate or incomplete personal data concerning them, without undue delay. | 1 month (extendable to 3 months) |
| Erasure / right to be forgotten (SU) | Art. 17 | Request the deletion of their data when, among other grounds, the data are no longer necessary for the purpose that justified their collection, consent is withdrawn, or processing is unlawful. | Without undue delay (in practice, 1 month) |
| Objection (O) | Art. 21 | Object to processing based on legitimate interest or the exercise of official authority. For direct marketing, cessation of processing is immediate and unconditional. | Immediate for direct marketing; 1 month for other cases (extendable) |
| Restriction of processing (LI) | Art. 18 | Request the temporary suspension of processing (e.g. while the accuracy of disputed data is verified or an objection is assessed), without the data being erased. | Without undue delay following the request |
| Portability (P) | Art. 20 | Receive the data they have provided in a structured, commonly used, machine-readable format, and transmit them to another controller where processing is based on consent or a contract and is carried out by automated means. | 1 month (extendable to 3 months) |
| Not to be subject to automated decisions (additional right — art. 22 GDPR, outside the ARSULIPO acronym) | Art. 22 | Not be subject to decisions based solely on automated processing — including profiling — that produce legal effects or similarly significantly affect them, except in specified cases (contract, legal authorisation or explicit consent). | 1 month (extendable to 3 months) |
It bears keeping in mind that not all rights are absolute. The GDPR and the LOPDGDD (LO 3/2018) provide specific exceptions for each: for example, the right to erasure may not succeed where processing is necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims (art. 17(3) GDPR). Organisations must assess each request on an individual basis and may not issue blanket refusals.
If your organisation needs support in designing the procedure for handling requests or reviewing its internal forms, at Summum Consultoría we help companies and entities set up the channel for the exercise of data subject rights, from Valladolid, Burgos, Palencia, Aranda de Duero and Las Palmas.
How to handle requests step by step
A correct response to an ARSULIPO request requires more than just meeting the deadline: it also requires documenting the process. These are the essential steps:
- Receipt and acknowledgement: as soon as the request is received, it must be logged (date, channel, identity of the requester) and, where appropriate, receipt must be confirmed. If the request is incomplete or the identity is unclear, the controller has one month to ask for additional information (art. 12(6) GDPR); that month does not count towards the response deadline.
- Identity verification: the controller may request additional information to confirm the data subject's identity, but may not ask for disproportionate data. The AEPD (Spanish Data Protection Authority) recommends that verification procedures be proportionate to the risk that would result from disclosing information to an unauthorised person.
- Assessment of the right invoked: check whether the conditions for exercising the right are met and whether any ground for limitation or exception exists. This assessment must be documented.
- Response to the data subject: within the legal deadline, communicate clearly whether the request is granted or refused, with reasons in the event of a refusal and with information on the right to lodge a complaint with the AEPD (art. 12(4) GDPR).
- Implementation and record-keeping: apply the technical and organisational measures arising from the response (erase data, correct records, suspend processing) and keep documentary evidence of the entire process.
This process can be integrated into the Record of Processing Activities (RoPA) and the organisation's data protection management system, so that each request is traceable and auditable.
Valid channels and formats for receiving requests
Article 12(1) of the GDPR requires the controller to facilitate the exercise of rights. There is no mandatory format for requests: data subjects may submit them by email, web form, postal mail or in person. Organisations may establish specific forms to streamline the process, but they may not make the validity of a request conditional on their use: if someone sends a free-form email describing their request, that request is equally valid.
The email address or channel designated for the exercise of rights must appear in the privacy policy and, where applicable, in the information provided at the time of data collection (information notice, art. 13 and 14 GDPR). If the organisation has a Data Protection Officer (DPO), their contact details must also be published so that data subjects can approach them directly.
When a request may be refused or restricted
Refusing a request is possible, but must be properly substantiated. Some common grounds:
- Erasure: processing is necessary to comply with a legal obligation (e.g. retaining invoices for the tax retention period), for the exercise of freedom of expression, or for the establishment of legal claims (art. 17(3) GDPR).
- Access: the request is manifestly unfounded or excessive, in particular due to its repetitive character (art. 12(5) GDPR). In that case, the controller may charge a reasonable fee or refuse to act, but must be able to demonstrate the manifestly unfounded or excessive nature of the request.
- Portability: processing is not based on consent or a contract, or is not carried out by automated means. In that case, the right does not apply.
- Automated decisions: the decision is necessary for the conclusion or performance of a contract, is authorised by Union or Member State law, or the data subject has given explicit consent (art. 22(2) GDPR). In such cases, the organisation must ensure human intervention, the possibility of contesting the decision, and the data subject's right to express their point of view.
In all cases, a refusal must be substantiated, delivered within the legal deadline, and must inform the data subject of their right to lodge a complaint with the AEPD and to bring judicial proceedings (art. 12(4) GDPR).
The applicable penalty regime
Failure to comply with obligations relating to the exercise of rights may lead to enforcement proceedings. Article 83(5) of the GDPR classifies non-compliance with the basic principles of processing and with data subject rights as a serious infringement, subject to fines of up to EUR 20,000,000 or 4% of total worldwide annual turnover, whichever is higher. The LOPDGDD (LO 3/2018) supplements this regime in articles 72 to 74, classifying infringements as very serious, serious or minor under Spanish law.
These thresholds are not automatic: the AEPD weighs the organisation's diligence, the intentional or negligent nature of the infringement, the measures taken to remedy it, and the level of cooperation shown. Having documented procedures for handling rights requests is a factor the authority considers when assessing an organisation's proactive responsibility (accountability).
At Summum Consultoría we help your organisation design and document the channel for the exercise of rights, adapt response templates and train the staff responsible for handling requests, with the aim of making the process agile, well-documented and compliant with the GDPR and the LOPDGDD.
Frequently asked questions
Is the right to erasure the same as the right to be forgotten?
In practice they are used interchangeably, but the right to be forgotten is a specific manifestation of the right to erasure applied in the digital environment. Article 17(2) of the GDPR requires the controller that has made personal data public to take reasonable steps to inform other controllers processing those data that the data subject has requested erasure of any links to those data or of copies or replicas thereof. In practice, this obligation primarily affects search engines and platforms that index third-party content.
Can an employee exercise ARSULIPO rights against their employer?
Yes. Workers are data subjects for the purposes of the GDPR and may exercise any of these rights with respect to data processed by the company in the employment context. However, the exercise of some rights — such as erasure or restriction — may be limited where processing is necessary to comply with legal employment obligations or for the performance of the employment contract. The LOPDGDD specifically regulates processing in the employment context in articles 87 to 91, supplementing the GDPR framework.
What happens if the data subject does not provide sufficient information to be identified?
Article 11(2) of the GDPR provides that where the controller is unable to identify the data subject, it must inform them accordingly. If the data subject provides additional information that enables their identification, the controller may not refuse to act. If identity still cannot be verified with reasonable certainty and exercising the right could pose a risk to the privacy of third parties — for example, disclosing another person's data — a refusal may be justified. In any event, the request for additional information suspends the running of the response deadline.
What is the difference between restricting processing and objecting to it?
They are distinct rights with distinct effects. Restriction of processing (art. 18 GDPR) temporarily suspends the use of the data: they are not erased, but the controller may not process them during the restriction period, except to store them or with the data subject's consent. Objection (art. 21 GDPR) aims to bring processing to a permanent end where it is based on legitimate interest or the exercise of official authority, unless the controller demonstrates compelling legitimate grounds that override the data subject's interests. In the case of direct marketing, objection is absolute: the controller must immediately cease processing the data for that purpose, with no possibility of invoking grounds that would override it.