Current regulatory context vs Personal Data Protection Bill
While the ARCO rights are regulated by Law 19.628, there are substantive changes in the Data Protection Bill:
| Law 19.628 | Data Protection Bill |
|---|---|
| i) It establishes the rights of: Information, Modification, Cancellation (or Deletion), and Blocking. ii) Response period by the responsible party to a request: 2 business days. iii) Complaint procedure in case of non-response to a request or unjustified denial by the responsible party: the option to appeal to the Civil Court Judge in the domicile of the responsible party. | i) It establishes the rights of: Access, Rectification, Erasure, Objection, Portability, and Blocking. ii) Response period by the responsible party to a request: 15 business days. iii) Complaint procedure in case of non-response to a request or unjustified denial or omission of response: the option to appeal to the Personal Data Protection Agency. |
What are ARCO rights?
They are rights conferred to data subjects to protect their personal data. Their name refers to the initial of each of these rights: right of Access, Rectification, Cancellation and Opposition.
These rights are exercised by the data subject directly before the data controller(s) that are processing her/his data.
ARCO rights characteristics
According to the Data Protection Bill, these rights have the following characteristics:
- Personal: They can only be exercised by the data subject, acting on their own behalf or through their legal representative or agent, as appropriate. Exceptionally, in the event of the data subject’s death, they can be exercised by their heirs, with certain limitations.
- Non-transferable.
- Inalienable and cannot be limited by any act or agreement: Any clause, act or agreement, contract, or declaration of will that aims to limit or suppress the exercise of these rights is null and void.
- Free of charge: As a general rule, the data controller cannot require payment as a condition for the fulfillment of these rights. However, the data controller may require a payment to cover the direct costs incurred when the data subject exercises the right of access and the right to portability more than once in a quarter.
Which are the ARCO rights?
Current Law 19.628 includes the following rights: Information, Modification, Cancellation, and Blocking. However, with the Data Protection Bill, these rights will be modified.
The rights of Information, Modification, and Cancellation will be replaced by the rights of Access, Rectification, and Suppression, respectively. In addition, the right of Objection, Portability, and Objection to automated individual decisions will be added.
The Bill regulates these rights as follows:
Right to Access
The right of access allows the data subject to request and obtain from the data controller confirmation about whether her/his personal data is being processed, to access them if applicable, and request information about what data is being processed, its origin, the purpose of the processing, and the period of time during which it will be processed.
Right to Rectification
The right to rectification allows the data subject to request and obtain from the data controller the modification or completion of their personal data when it is being processed by the controller and is inaccurate, outdated, or incomplete.
Right to Suppression
The right of suppression allows the data subject to request and obtain from the controller the deletion or elimination of her/his personal data, under the grounds provided by the bill.
Right to Object
The right to object allows the data subject to request and obtain from the controller that a specific data processing operation is not carried out, under the grounds provided by the bill.
The right to object to automated individual decisions
The right to object to automated individual decisions allows the data subject to object and not be subject to decisions based on automated processing of their personal data, including profiling, which produces legal effects on her/him or significantly affects her/him.
In addition, it allows the data subject to obtain information and transparency about those decisions based on automated processing of personal data, obtain an explanation, request human intervention, express their point of view, and request a review of the decision.
Right to restriction of processing (blocking)
The right to restriction of processing (blocking) allows the data subject to request and obtain from the controller the temporary suspension of any processing of their personal data when its accuracy cannot be established or its validity is doubtful, and for which its suppression is not applicable.
Right to data portability
The right to personal data portability allows the data subject to request and obtain from the controller a copy of their personal data in a structured, commonly used, and machine-readable format that allows for interoperability between different systems, and to communicate or transfer them to another data controller.
In addition, the data subject has the right for their personal data to be transmitted directly from one controller to another when technically feasible.
How to exercise ARCO rights?
Controllers have the duty to implement technological mechanisms and tools that allow the data subject to exercise their rights in an expeditious, agile and effective manner.
To exercise their rights, the data subject must submit a request to the controller (directed to the email established for this purpose, a contact form, or an equivalent electronic means).
Procedure for exercising ARCO rights.
Once the request has been submitted by the data subject to the designated email address (or contact form or equivalent electronic means), the controller must acknowledge receipt and respond within a maximum period of fifteen business days from the date of receipt.
Some important points to consider are the following:
- If it is a request for rectification, suppression or objection, the data subject will have the right to request and obtain from the controller a temporary blocking of their data or the processing carried out, as appropriate.
- In case the controller denies the request totally or partially, they must justify it. This gives the data subject a period of 15 days to file a complaint before the Agency.
- If the 15-day period elapses and there has been no response from the controller, the data subject may directly file a complaint before the Agency.
Sanctions for non-compliance with ARCO rights
Depending on their severity, the Bill details various sanctions for non-compliance with ARCO rights.
- Failing to respond or responding incompletely or late to requests made by the data subject is considered a minor infringement, with fines of up to 100 UTM.
- Preventing or hindering the legitimate exercise of ARCO rights is considered a serious infringement, with fines of up to 10,000 UTM.
- Failing to comply with a resolution from the Agency regarding a data subject’s ARCO rights claim is considered a very serious infringement, with fines of up to 20,000 UTM.