One of the main challenges that organizations will face is to comply in a timely manner with the requests for ARCO Rights that may be exercised by the data subject. This is one of the main pillars of this new regulation, so it is essential that data controllers know and effectively implement procedures to comply with the regulation.
Brief context: Law 19.628
ARCO rights[1], i.e. the rights conferred on data subjects to protect their personal data, are enshrined in our current legislation. In fact, Law No. 19,628 (a body of law dating from 1999) regulates the rights of information, modification, cancellation and blocking, and also gives the data subject a judicial claim procedure in the event of non-response or improper denial of a request by the controller.
Although these rights and their procedure are contained in the current legislation, their exercise has been limited, mainly for two reasons: (i) the absence of a specialized supervisory authority in the matter, and (ii) the low fines associated with failing to rule on the data subject’s request or denying it for reasons other than those established in the law, which do not exceed UTM 10 (USD 704 approx.), or UTM 50 (USD 3,525 approx.) in the event of an economic, banking or commercial infraction.
New Personal Data Law
The new Personal Data Law constitutes a radical change in terms of ARCO rights, both for the data subjects and the controllers in charge of processing and resolving these requests.
The possibility that data subjects can file complaints directly with a specialized supervisory authority, such as the Personal Data Protection Agency, and not before a civil court, as established in current legislation, will generate an unprecedented change at the cultural and compliance level.
Due to the above, it is important that controllers implement adequate procedures and protocols to receive and respond to requests for ARCO rights appropriately.
Protocol for receiving applications
Any protocol for receiving applications should structure the mechanisms and technological tools for receiving them. Under the new Personal Data Law, controllers must ensure that these mechanisms are simple and allow the data subject to exercise their rights in a prompt, agile and effective manner. To that end, it is advisable to have a specific email address, a contact form or other equivalent electronic means.
It is also recommended that the protocol provide for an up-to-date record of the requests received, in order to follow up on the dates committed for their response.
The protocol must also cover the mechanisms to verify the identity of the person making the request, as well as other aspects regulated by the new Personal Data Law, such as the exercise of rights by the heirs of a deceased person.
Request Response Protocol
Every request response protocol should establish the roles and stages necessary to manage an ARCO rights request within the organization. While some of these requests will be relatively easy and quick to manage, others will involve significant human and economic resources of the controller. This is why a protocol is needed: it allows the organization to foresee this type of situation.
Some important points to consider in this protocol are the following:
- It should address the scenarios in which a request may be denied, according to the cases in which the law excludes processing them. These situations must be duly analyzed, and the decision justified on a legal basis, since the data subject has a legal period in which to challenge this decision before the Personal Data Protection Agency.
- The protocol should establish different stages, according to internal deadlines determined by each organization. It should not be forgotten that the new Personal Data Law extends the deadline for responding to requests, from 2 working days, according to current legislation, to 30 calendar days, extendable for the same period.
- Although ARCO rights are free of charge, the protocol may consider requiring payment of the direct costs incurred in responding to a request. This is provided for only in respect of the right of access and portability when exercised more than once in the quarter.
[1] They are called "ARCO" rights because the name is formed from the initial of each of these rights: right of access, rectification, cancellation and opposition. Notwithstanding the above, new rights have been incorporated in other jurisdictions, such as the right of portability or the right to object to automated decisions. In view of the foregoing, this concept should not be limited to the rights initially recognized.