Do you have questions? We have answers.
We are a Personal Information Management System, or "PIMS": an intermediary between individuals and entities that lets individuals regain control of their personal data by exercising, on their behalf, the data subject rights granted by Regulation (EU) 2016/679 (GDPR). The European Data Protection Supervisor (EDPS) endorsed this kind of service in its Opinion 9/2016:
"PIMS technology may help to give individuals and consumers more control over their personal data. The EDPS encourages the European Commission to support the development of innovative digital tools such as this and take policy initiatives that inspire the development of economically viable business models to facilitate their use. Effective implementation of data protection requires technological, economical and legal initiatives, which will help us to take back control of our online identities".
The protection of personal data is a fundamental right recognised by the Charter of Fundamental Rights of the European Union. Under the applicable regulation, natural persons in the European Economic Area (EEA) may request from any entity, public or private, the rights provided in Articles 15 to 22 of the GDPR: (i) access, (ii) rectification, (iii) erasure, (iv) restriction of processing, (v) portability and (vi) objection.
In accordance with the applicable regulation, each request should contain:
Yes. In accordance with the applicable regulation, the DSRs processed by Dataguardian Manager™ are signed with a qualified certificate issued by the Fábrica Nacional de la Moneda y Timbre - Real Casa de la Moneda (FNMT-RCM), a qualified trust service provider under Regulation (EU) No 910/2014 (eIDAS). The certificate attests both the identity of the natural person acting on behalf of Dataguardian Manager™ and their capacity to represent it, so no additional documentation is needed; under Article 25(2) of eIDAS a qualified electronic signature has the equivalent legal effect of a handwritten signature.
In the same sense, the Spanish Data Protection Agency (TD/00520/2018) has stated: "The digital signature has tools for verification, authentication and integrity of certain data that allow forgery and manipulation of the content to be detected. In this case the digital certificate was issued by the FNMT-RCM, which links its subscriber with signature verification data and confirms their identity; this certificate is a document that allows the holder to identify themselves on the Internet and to exchange information with the guarantee that only the sender and the receiver can access it. EQUIFAX is therefore reminded that the digital certificate securely guarantees the access request, and that this request complies with the requirements set out in art. 25.1 a) of the LOPD Regulations already referred to in Legal Ground SIX, given that denying a request made by means of a digital signature would amount to denying the competent Authority in the certification of digital signatures. Consequently, EQUIFAX should not have requested the correction on the ground that the identity of the claimant was not duly accredited, since the request complied with the requirements demanded by the data protection regulations."
To validate the digital signature on a request processed by Dataguardian Manager™, you can use the official signature validation tool published by the European Commission under the eIDAS Regulation. That tool checks not only that the signature is cryptographically correct, but also that the signing certificate was qualified and issued by a provider on the EU Trusted List at the time of signing.
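The following is an added example and is not part of Dataguardian Manager or of the Commission's tool. It shows, with OpenSSL, what the cryptographic part of signature validation actually buys the recipient of a request: a detached CMS signature is produced over a constructed sample request, verified against the unmodified file, and then checked against a copy in which a single word has been changed, which fails. The signer's key and certificate are a throwaway self-signed pair generated on the spot (the subject name is hypothetical) standing in for a qualified certificate; trusted-list and qualification-status checks, which are what distinguish eIDAS validation from a plain cryptographic check, are deliberately out of scope here.

```shell
#!/bin/sh
# Added example (not Dataguardian Manager code). Requires the openssl CLI.
# Demonstrates detached CMS signing and verification, and that any change to
# the signed content is detected. A self-signed certificate stands in for a
# qualified certificate; no EU Trusted List / qualification check is performed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway signer key and self-signed certificate (hypothetical subject name).
make_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example representative (test only)" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.crt" >/dev/null 2>&1
}

# Constructed sample request; not a real DSR.
write_request() {
  printf '%s\n' "Right requested: access (Art. 15 GDPR)" \
                "Data subject: J. Doe (sample)" \
                "Representative: example mandate ref. 0001 (sample)" > "$WORK/request.txt"
}

# Detached CMS (PKCS#7) signature over the request, written as DER.
# $1 = request file, $2 = output signature file
sign_request() {
  openssl cms -sign -binary -in "$1" -signer "$WORK/signer.crt" \
    -inkey "$WORK/signer.key" -outform DER -out "$2" 2>/dev/null
}

# Cryptographic check: does the signature match exactly this content, and does
# the signing certificate chain to a certificate we trust (here, itself)?
# Exit status 0 = valid; non-zero = signature does not match or untrusted signer.
# $1 = request file, $2 = signature file
verify_request() {
  openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
    -CAfile "$WORK/signer.crt" -out /dev/null >/dev/null 2>&1
}

# Sign, verify the original, then verify a tampered copy against the same
# signature. Returns 0 only if the original validates and the tampered copy does not.
run_demo() {
  make_signer
  write_request
  sign_request "$WORK/request.txt" "$WORK/request.sig"

  if verify_request "$WORK/request.txt" "$WORK/request.sig"; then
    echo "original request:  signature VALID"
  else
    echo "original request:  signature INVALID (unexpected)"; return 1
  fi

  # Change the right being requested but keep the original signature.
  sed 's/access (Art. 15 GDPR)/erasure (Art. 17 GDPR)/' \
    "$WORK/request.txt" > "$WORK/tampered.txt"
  if verify_request "$WORK/tampered.txt" "$WORK/request.sig"; then
    echo "tampered request:  signature VALID (unexpected)"; return 1
  else
    echo "tampered request:  signature INVALID, modification detected"
  fi
}

run_demo
```

The `-binary` flag on both sides prevents OpenSSL from canonicalising line endings, so the bytes signed are exactly the bytes verified. In a real deployment the `-CAfile` argument would be the trust anchors of the qualified trust service provider (here FNMT-RCM), and a validation tool would additionally consult the EU Trusted List and the certificate's revocation status at signing time.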
Yes. In accordance with the applicable regulation, the DSRs processed by Dataguardian Manager™ include a specific mandate of representation, granted by the data subject, to exercise the requested right before the entity concerned.
In this regard, the Spanish Data Protection Agency has repeatedly held that:
Representation may be granted in a private document; it is not necessary or obligatory for the power of representation to be granted before a notary:
AEPD (Annual Report 2001): “there is no prohibition on the exercise of the rights of access, rectification and erasure by a voluntary representative or representative of the data subject himself, since this exercise will always take place in the name and on behalf of the data subject himself, the exercise of the right by the representative being considered to be carried out by the data subject himself who confers the representation (as can be deduced a sensu contrario from the provisions of Article 1717 of the Civil Code).”
AEPD (TD/01110/2013): “On the other hand, with regard to the controversy raised, the validity or otherwise of a general power of attorney to exercise the right of access to the medical records of a third party, it should be noted that data relating to the health of individuals are specially protected data, and greater precautions must be taken when processing them or allowing access to them to third parties, which implies that a specific and concrete power of attorney is required to access said documentation (it not being necessary or obligatory for said power of attorney to be granted before a notary)."
If, in addition to the signature on the document, the data subject sends a copy of their identification document, a declaration of will in favour of the power of attorney can be presumed:
AEPD (Legal Report): “And in this sense, the aforementioned precept requires the provision of the two elements necessary for the exercise of the right through a representative, allowing the provision of the identification document to accredit, at least indirectly, the existence of active conduct on the part of the data subject in the sense of expressing his or her will with regard to the power of attorney. Thus, if, together with the signature of the document, the interested party submits a scanned copy of his identification document, it can be presumed that there is a declaration of will in favour of the proxy”
As required by the applicable regulation (Article 12(3) GDPR): "The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay."
Yes. As the supervisory authorities have pointed out, every DSR must be answered within the deadline, even if the entity holds no data relating to the data subject:
"The aforesaid rules do not allow the request to be ignored as if it had not been made, leaving it without the response that the data controllers must obligatorily issue, even in the event that there is no data on the data subject in the files of the entity or even in those cases in which it does not fulfil the requirements, in which case the recipient of the request is also obliged to request the correction of the deficiencies observed or, if appropriate, reject the request with reasons, indicating the reasons why the deletion of his data should not be considered. Therefore, the request for deletion of personal data submitted forces the data controller to give an express reply, in any case, using any means that justifies the receipt of the reply." (TD/00336/2019 and TD/00035/2020).
Yes. As established by the applicable regulation, the exercise of a right cannot be refused on the sole ground that the data subject chose a channel other than the one indicated by the entity. The supervisory authorities have taken the same view: "Furthermore, while it is appropriate that the request is submitted through the address provided by the controller for the purpose of exercising the rights set out in Articles 15 to 22 of Regulation (EU) 2016/679 or through the headquarters, the receipt of the request by any department or branch of the data controller is deemed to be a valid destination of the request, in accordance with Article 12 of the LOPDGDD, which provides: 'The data controller shall be obliged to inform the data subject of the means at his disposal for exercising the rights to which he is entitled. The means must be easily accessible to the data subject. The exercise of the right may not be denied on the sole ground that the data subject has chosen another means.'" (TD/00258/2019)
"As with the question regarding the format an access request may take, where controllers have a particular contact point or member of staff designated for handling access requests, contacting them will normally be the most efficient way for an individual to have their request responded to promptly, but it should not be considered mandatory. […] It is possible that a valid access request may be made to any member of staff of a controller. As with standard forms, a controller may encourage data subjects to contact the designated contact point, but they cannot oblige them to do so. Therefore, where a request is made to another member of staff, the clearest approach may be to forward the request to the correct contact point, whilst copying in the individual and explaining the process for handling the request." (Data Subjects Requests – FAQs)
No. As the European Data Protection Board has stated: "In fact, Article 12 of the GDPR focuses on the requests made by one data subject and not on the total number of requests received by a data controller."
In addition, Dataguardian Manager™ implements the measures stipulated in the applicable regulation so that (i) a data subject cannot exercise the same right before the same entity more than once in any six-month period, and (ii) DSRs are not submitted through a channel other than the one offered by the recipient entity where that would entail a disproportionate cost.
If you have any suggestions for improving the Dataguardian Manager service, we would be delighted to hear from you. Please contact us through our contact page.