+34 958 63 01 14 info@velascolawyers.com

In this article we inform you about how your personal data is protected, the rights that help you to take back control of your data and what to do if things go wrong.

You have the right to:

  • information about the processing of your personal data, and obtain access to the personal data held about you;
  • ask for incorrect, inaccurate or incomplete personal data to be corrected; They should correct it without undue delay (in principle within 1 month) or justify in writing why the request cannot be accepted.
  • request that personal data be erased when it’s no longer needed or if processing it is unlawful;
  • object to the processing of your personal data for marketing purposes or on grounds relating to your situation;
  • request the restriction of the processing of your personal data in specific cases;
  • receive your personal data in a machine-readable format and send it to another controller (‘data portability’);
  • request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right in this case to express your point of view and to contest the decision.

To exercise your rights, you should contact the company or organisation processing your personal data, also known as the controller. If the company has a Data Protection Officer (‘DPO’) you may address your request to the DPO. The company must respond to your requests without undue delay and at the latest within 1 month. If the company/organisation doesn’t intend to comply with your request, they must state the reason why. You may be asked to provide information to confirm your identity (such as, clicking a verification link, entering a username or password) to exercise your rights.

These rights apply across the EU, regardless of where the data is processed and where the company is established. These rights also apply when you buy goods and services from non-EU companies operating in the EU.

What information should I receive when I provide my personal data?

  • the name of the company or organisation that is processing your data (including the contact details of the DPO, if there is one);
  • the purposes for which the organisation will use your data;
  • the categories of personal data concerned;
  • the legal basis for processing your personal data;
  • the length of time for which your data will be stored;
  • other companies that will receive your data;
  • whether data will be transferred outside the EU;
  • your basic rights in the field of data protection
  • the right to lodge a complaint with a Data Protection Authority (DPA);
  • the right to withdraw your consent at any time;
  • the existence of automated decision-making and the logic involved, including the consequences thereof.
  • This right also applies online and is often referred to as the ‘right to be forgotten’.

However, an organisation can continue to process your personal data, despite your objections, if:

  • in the case of processing for the purposes of scientific/historical research and statistics, the processing is necessary for the performance of a task carried out for reasons of public interest;
  • in the case of processing based on legitimate interests or on the performance of a task in the public interest/exercise of official authority, they can prove that they have compelling legitimate grounds that override your interests, rights and freedoms. Therefore, a balancing exercise is required.