The GDPR consolidates existing rights and expands them, but also creates new ones. Thus, it regulates:
The affected person's right to know whether the data controller is processing their personal data and, if so, to access this data and obtain information about how it is being processed.
Right to rectify inaccurate personal data and to have incomplete data completed, including through an additional declaration.
Right to obtain the deletion of personal data, when: they are no longer necessary for the purpose for which they were collected; the consent on which the processing was based is revoked; there is opposition to the processing; the data have been processed unlawfully; the data have been processed to comply with a legal obligation or have been obtained in relation to the offer of information society services aimed at minors.
When the controller has made personal data public and it is necessary to erase them, they must take reasonable measures to inform other controllers who are processing that data of the erasure.
Right to object to the processing of personal data for reasons related to the personal situation of the person concerned.
When the processing is for direct marketing purposes, including the creation of profiles related to such marketing, processing of the data must stop immediately.
Right to mark the personal data stored, in order to limit its processing in the future.
The limitation of processing means that, at the request of the affected person, their personal data will no longer be processed.
Right to receive the personal data that you have provided to a controller in a structured, commonly used and machine-readable format, and to transmit them to another controller, if the following requirements are met:
Right not to be subject to a decision based solely on automated data processing, including profiling, which produces legal effects on the person concerned or adversely affects them. This does not apply if the decision is necessary to formalise or perform a contract between the data subject and a controller, is based on the data subject's explicit consent, or is authorised by Union or Member State law.
All these rights must be exercised before the corresponding entity responsible for the processing (Generalitat, provincial council, city council, consortium, university, etc.).
The right to data portability is not enforceable when: the processing of personal data is necessary to fulfil a task carried out in the public interest; to exercise public powers conferred on the controller; or when the processing of personal data is necessary to comply with a legal obligation. Since public administrations carry out most of their data processing based on these legal bases, it can be said that, in general, the right to portability is not enforceable against public administrations in the exercise of their powers.
However, this right will be enforceable when the processing, in addition to being carried out by automated means, has the consent of the interested party as its legal basis or is necessary for the execution of a contract to which the interested party is a party. Consequently, in these cases the administrations must inform about the right to portability and facilitate its exercise.
The person responsible must respond to the request to exercise the right within one month of receiving it, extendable for two more months if necessary, depending on the complexity and number of requests.
The interested party must be informed of the extension within the first month (from the date the request is received) and the reasons for the delay must be indicated.
The Catalan Data Protection Authority does not have information about which entities have personal data concerning a particular person.
If you want to know whether an entity has your personal data, you can exercise the right of access before the data controller, free of charge. Through this right, you can obtain a copy of the data being processed and information about:
The GDPR provides that both actions and communications made under the rights regulated in the GDPR are free of charge, unless the requests are manifestly unfounded or excessive, especially if they are repetitive. In this case, the data controller has two options: charge a reasonable fee or refuse to act on the request.
Last update: 19.12.2025