Exercise of ARCO Rights in the Personal Data Bill

One of the main challenges that organizations will face is to comply in a timely manner with the requests for ARCO Rights that may be exercised by the data subject. This is one of the main pillars of this new regulation, so it is essential that data controllers know and effectively implement procedures to comply with the regulation.

Brief context: Law 19.628

ARCO rights[1], i.e. the rights conferred on data subjects to protect their personal data, are enshrined in our current legislation. In fact, Law No. 19,628 (a regulatory body dating from 1999) regulates the rights of information, modification, cancellation and blocking, in addition to conferring on the data subject a judicial claim procedure in the event of non-response or improper denial of a request by the controller.

Despite the fact that these rights and their procedure are contained in the current legislation, their exercise has been limited, mainly for two reasons: (i) the absence of a specialized supervisory authority in the matter, and (ii) the low fines associated with the failure to pronounce on the data subject’s request or its denial for reasons other than those established in the law, that do not exceed UTM 10 (USD 704 approx.), or UTM 50 (USD 3,525 approx.) in the event of an economic, banking or commercial infraction.

New Personal Data Law

The new Personal Data Law constitutes a radical change in terms of ARCO rights, both for the data subjects and the controllers in charge of processing and resolving these requests.

The possibility that data subjects can file complaints directly with a specialized supervisory authority, such as the Personal Data Protection Agency, and not before a civil court, as established in current legislation, will generate an unprecedented change at the cultural and compliance level.

Due to the above, it is important that controllers implement adequate procedures and protocols to receive and respond to requests for ARCO rights appropriately.

Protocol for receiving applications

Any protocol for receiving applications should structure the mechanisms and technological tools for receiving applications. Under the new Personal Data Law, controllers must ensure that these mechanisms are simple and allow the data subject to exercise their rights in a prompt, agile and effective manner. For these purposes, it is advisable to have a specific email address for these purposes, a contact form or other equivalent electronic means.

It is also recommended that the protocol contemplates an updated record of the requests received to follow up on the dates committed to their response.

Another relevant aspect that the protocol must contemplate are the mechanisms to verify the identity of the person making the request, in addition to other aspects regulated by the new Personal Data Law, such as the exercise of rights by the heirs of a deceased person, among other aspects.

Request Response Protocol

Every request response protocol should establish the roles and stages necessary to manage an ARCO rights request within the organization. While some of these requests will be relatively easy and quick to manage, others will involve significant human and economic resources of the controller. That is where the need to have a protocol lies to be able to foresee this type of situation.

Some important points to consider in this protocol are the following:

It should address the possible scenarios in which it is possible to deny the response to a request, depending on the cases in which the law excludes processing them. These situations must be duly analyzed, and the decision justified on a legal basis, since the data subject has a legal period to claim this decision and go before the Personal Data Protection Agency.
The protocol should establish different stages, according to internal deadlines determined by each organization. It should not be forgotten that the new Personal Data Law extends the deadline for responding to requests, from 2 working days, according to current legislation, to 30 calendar days, extendable in the same period.
Without prejudice to the fact that ARCO rights are free of charge, the protocol may consider requiring payment of the direct costs incurred in responding to a request. This case is only provided for regarding the right of access and portability when exercised more than once in the quarter.

[1] They are called "ARCO" rights since their name refers to the initial of each of these rights: right of access, rectification, cancellation and opposition. Notwithstanding the above, new rights have been incorporated in other jurisdictions, such as the right of portability or the right to object to automated decisions. In view of the foregoing, this concept should not be limited to the rights initially recognized.

AUTHORS: José Ignacio Mercado, Iván Meleda, Gabriela García.

Política de privacidad

Carey y Cía Ltda. (“Carey”) se compromete a respetar su privacidad. Usted no está obligado a facilitar ninguna información personal al consultar nuestro sitio web. Sin embargo, puede optar por comunicarse con nosotros completando el formulario disponible en la sección “Contacto” de este sitio, en cuyo caso y para efectos de poder responderle adecuadamente, se le pedirá que proporcione su nombre y dirección de correo electrónico, y acepte en forma expresa esta política de privacidad. En ese evento, haremos tratamiento de sus datos sólo para comunicarnos con usted y poder brindarle la información que usted ha solicitado. No compartiremos su información personal con ningún tercero, excepto cuando sea requerido por ley. También podemos utilizar sus datos para comunicarnos con usted para preguntarle si le gustaría recibir información sobre nuestros eventos, publicaciones y otros servicios que podrían ser de su interés. Sin embargo, no lo añadiremos a ninguna de nuestras listas de distribución de correos sin su consentimiento expreso. Usted también puede registrarse por sí mismo para recibir nuestras alertas legales en la sección de News Alerts disponible en nuestro sitio.

Una “cookie” es un pequeño archivo de datos que puede ser colocado en el disco duro de su computador o en un servidor web. Estas cookies no recuperan la información almacenada en su disco duro y no causan daño ni a su equipo ni a los archivos que se guardan en ella. Usted no está obligado a aceptar cookies, y de hecho, puede modificar su navegador para que no las acepte. Utilizamos cookies para que nuestro sitio web reconozca su idioma preferido, el cual es seleccionado a partir de una visita anterior a nuestro sitio. También realizamos un seguimiento a las pautas de navegación de nuestros usuarios a través de nuestra página web, con el fin de evaluar y mejorar el sitio. Utilizamos esta información para recopilar datos estadísticos sobre el uso de nuestro sitio web, pero dicha información se utiliza de forma anónima, agregada y usted no puede ser identificado a partir de ella. Cuando usted visita nuestro sitio web, nuestro servidor registra su dirección IP junto con la fecha, hora y duración de su visita. Una dirección IP es un número asignado, similar a un número de teléfono, que le permite a su computador comunicarse a través de Internet. Analizamos estos datos para obtener tendencias estadísticas, y luego los descartamos.