Ejercicio de derechos

ARCO data subject rights

When an employee, customer or user exercises their rights over their personal data, article 12 of the GDPR (Regulation (EU) 2016/679) starts a one-month deadline to respond: one month in which the organisation must locate the data, analyse the request, decide whether to fulfil it — or justify any refusal — and document the entire process. At Summum Consultoria we help organisations design the operational procedure that turns this obligation into a clear, traceable circuit aligned with articles 15 to 22 of the Regulation.

Applicable regulationGDPR (EU) 2016/679 · LOPDGDD (LO 3/2018)
Response deadline1 month from the request (art. 12 GDPR), extendable to 3
Supervisory authorityAEPD — Spanish Data Protection Agency (Agencia Española de Protección de Datos)

Regulation (EU) 2016/679 grants every natural person a set of rights over the processing of their personal data: access to the information being processed (art. 15), rectification of inaccurate data (art. 16), erasure where the legally prescribed grounds apply (art. 17), restriction of processing (art. 18), portability of data in a structured and commonly used format (art. 20), objection to processing (art. 21) and the right not to be subject to decisions based solely on automated processing — including profiling — where those decisions produce legal or similarly significant effects (art. 22). From the controller's perspective, each of these rights entails a specific operational obligation: maintaining a channel to receive requests, verifying the identity of the requester, assessing the request against the legal bases for processing, and responding within the time and form established by article 12 of the GDPR.

Article 12 of the GDPR sets the general procedural framework: the response to the data subject must be provided without undue delay and in any event within one month of receipt of the request. That period may be extended by a further two months where the complexity or volume of requests warrants it, provided the data subject is informed within the first month with reasons for the delay. The response is provided free of charge; only where requests are manifestly unfounded or excessive — in particular because of their repetitive character — may the controller charge a reasonable fee or refuse to act, but in either case the decision must be justified and communicated to the data subject, who retains the right to lodge a complaint with the AEPD (Agencia Española de Protección de Datos — Spanish Data Protection Agency). The LOPDGDD (LO 3/2018 — Ley Orgánica de Protección de Datos y garantía de los derechos digitales) supplements this regime with provisions specific to the Spanish context, in particular regarding rights in the employment sphere (art. 88 et seq.) and access to anonymised data.

The main operational challenge for SMEs and mid-sized companies is not ignorance of the rights recognised by the GDPR, but the absence of an internal procedure that enables requests to be handled in an orderly manner and within the statutory deadlines. Without an established channel, a request may arrive by email, letter, verbally or through a web form and become lost in the internal circuit before reaching the person responsible for the decision. Without clear identity-verification criteria, there is a risk of responding to someone not entitled to the information or, conversely, of imposing disproportionate burdens on the legitimate requester. Without a record-keeping system, the organisation cannot demonstrate to the AEPD that it responded on time and correctly — which may turn a process that was in fact diligent into an infringement that cannot be proved.

At Summum Consultoria we support organisations in designing and implementing a complete data subject rights management procedure: definition of the official channel for receiving requests, forms tailored to each type of right (access, rectification, erasure, objection, restriction, portability and automated decisions), identity-verification criteria proportionate to the risk, internal escalation and decision-making workflow, and response templates that meet the formal and substantive requirements of article 12 of the GDPR. The procedure is integrated into the organisation's data protection system so that every request — regardless of which employee receives it — follows the same circuit and generates the same documentary trail.

Documentation and records of every request and response are key elements for demonstrating compliance to the regulator. The accountability principle in article 5.2 of the GDPR requires the controller not only to comply with its obligations but also to be able to demonstrate that compliance. This means retaining evidence of the request received, the verifications carried out, the decision taken — including its justification if wholly or partly refused —, the response sent and the exact date of sending. Our team advises on the appropriate format and retention period for this record and assists in handling complex requests where the decision requires specific legal analysis: requests affecting third-party data, data subject to a duty of confidentiality, processing involving multiple controllers, or rights whose exercise conflicts with a legal obligation.

The ARCO data subject rights process.

The process · four stages
01

Design of the official channel and request forms

We define the channel made available for receiving rights-exercise requests — web form, dedicated email address, postal address — and design the forms for each type of right with the minimum necessary data. The channel is communicated to data subjects in the privacy policy and in the records of processing activities. We also include instructions for data subjects who prefer not to use the form to exercise their rights freely, in accordance with art. 12 GDPR.

02

Proportionate verification of the data subject's identity

We establish the criteria and acceptable documents for verifying the identity of the requester without imposing disproportionate burdens: the type of information to be requested varies according to the sensitivity of the data and the channel through which the request arrives. These criteria are documented so that the team can apply them consistently. In the event of reasonable doubt about identity, we define the procedure for requesting additional information without interrupting the one-month deadline.

03

Legal assessment, decision and timely response

We define the internal workflow for assessing each request: who receives it, who carries out the legal review, who authorises the response and who sends it. We develop criteria for each type of right — including the grounds for justified refusal permitted by the GDPR — and response templates for the most common scenarios. Where specific analysis is required due to the complexity of the request, we assist with the case-by-case assessment and drafting of the response within the article 12 GDPR deadline.

04

Record-keeping and documentary trail for every request

We implement the rights-request register that records every request received, the verification carried out, the decision taken, the response sent and the date. This register serves as evidentiary support before the AEPD in the event of a complaint. It also covers refused requests — with the corresponding justification — and requests that could not be handled within the ordinary deadline, along with the extension notice sent to the data subject.

What is included

What ARCO data subject rights includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Official request-receipt channel

    Definition and communication of the channel made available for exercising GDPR rights: web form, email address or postal address, with clear instructions in the privacy policy and processing contracts.

  • Verification of the requester's identity

    Proportionate and documented criteria for confirming that the person making the request is the data subject or their legal representative, without imposing excessive burdens or delaying the one-month deadline established by article 12 of the GDPR.

  • Access, rectification and erasure (arts. 15–17 GDPR)

    Procedure and templates for handling requests for access to data being processed, correction of inaccurate data and erasure where one of the grounds in article 17 of the GDPR applies: data no longer necessary, withdrawal of consent, objection with no overriding legitimate interest, or a legal obligation.

  • Objection, restriction and portability (arts. 18, 20–21 GDPR)

    Management of the rights to restriction of processing during the resolution of a dispute, objection to processing based on legitimate interest or for direct marketing purposes, and portability of data in a structured format where processing is based on consent or on the performance of a contract.

  • Automated decisions and profiling (art. 22 GDPR)

    Analysis and procedure for handling the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, including profiling. Implementation of safeguards where this type of processing is necessary.

  • Record-keeping and traceability of requests and responses

    Implementation of the documentary register for every request: identification, verification, analysis, decision, response and date of sending. Evidentiary support before the AEPD in the event of a complaint and evidence of the accountability principle in article 5.2 of the GDPR.

Frequently asked questions about ARCO data subject rights.

What rights can any person exercise over the data my organisation processes?

The GDPR grants every natural person whose data are being processed the following rights: access (art. 15), rectification (art. 16), erasure (art. 17), restriction of processing (art. 18), portability (art. 20), objection (art. 21) and the right not to be subject to automated decisions with significant effects (art. 22). The set is commonly known as ARCO rights — Access, Rectification, Cancellation and Objection — a term from the previous LOPD (LO 15/1999, now repealed), although the GDPR extended and refined the catalogue by adding the rights to restriction and portability. The LOPDGDD (LO 3/2018) adds specifications for the Spanish context, such as the right to be forgotten on social networks (art. 94) advertising exclusion systems (art. 23 LOPDGDD), and the right to object to processing for direct marketing purposes (art. 21 GDPR).

How long do I have to respond to a rights exercise request?

Article 12.3 of the GDPR states that the response must be provided without undue delay and in any event within one month of receipt of the request. That period may be extended by a further two months where the complexity or number of requests so requires. In that case, the controller must notify the data subject of the extension and the reasons for the delay within one month of receiving the original request. The one-month period runs from the day the request is received, regardless of whether the controller needs time to verify the requester's identity — although in the latter case art. 12.6 GDPR allows the period to be suspended while awaiting the information needed to confirm identity.

Can I refuse to comply with an erasure request?

Yes. Article 17.3 of the GDPR lists the circumstances in which erasure may be refused: where processing is necessary for exercising the right to freedom of expression and information; for compliance with a legal obligation requiring processing (e.g. retention of invoices for tax purposes); for reasons of public interest; for archiving purposes in the public interest, scientific or historical research; or for the establishment, exercise or defence of legal claims. The refusal must be justified, communicated to the data subject and include information about their right to lodge a complaint with the AEPD. A refusal without justification or based on grounds not provided for in art. 17.3 may give rise to a complaint and the opening of enforcement proceedings.

How do I verify the requester's identity without imposing excessive burdens?

Article 12.6 of the GDPR allows the controller to request additional information necessary to confirm the identity of the data subject where there are reasonable doubts about who is submitting the request. The key is proportionality: the information requested must be the minimum necessary to verify identity and must vary according to the sensitivity of the data to be provided. For non-sensitive data, basic identification details already held in the controller's database may be sufficient; for more sensitive data — medical history, financial data, data relating to minors — it may be reasonable to request a copy of an identity document. The AEPD (Agencia Española de Protección de Datos) has published guidance on this point in its data subject rights guide, noting that the controller cannot automatically require a national ID card as a standard requirement if other means of verification are available.

What happens if I fail to respond to a rights request within the statutory deadline?

Failure to comply with obligations relating to data subject rights — not responding on time, refusing requests without justification, failing to provide access to data being processed or failing to act on an erasure request where required — may constitute an infringement of articles 12 to 22 of the GDPR. Under article 83.5(b) of the GDPR, these infringements are subject to fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher. In addition, the data subject may lodge a complaint with the AEPD, which may open a rights-protection procedure and, where applicable, refer it to enforcement proceedings. The LOPDGDD (LO 3/2018) classifies failure to comply with the obligation to handle data subject rights requests as a serious infringement in article 73(c).

When is there an obligation to appoint a Data Protection Officer to manage these rights?

Appointment of a Data Protection Officer (DPO) is mandatory in the cases set out in article 37 of the GDPR and article 34 of the LOPDGDD: public authorities and bodies, entities that carry out large-scale regular and systematic monitoring of data subjects, or entities that process special categories of data or data relating to criminal convictions and offences on a large scale. In the context of rights management, the DPO acts as the point of contact for data subjects — their name and contact details must be stated in the privacy policy — and oversees compliance with the rights regime. For organisations not required to appoint a DPO, having a documented internal procedure and an identified internal responsible person fulfils the same practical function.