Regulation (EU) 2016/679 grants every natural person a set of rights over the processing of their personal data: access to the information being processed (art. 15), rectification of inaccurate data (art. 16), erasure where the legally prescribed grounds apply (art. 17), restriction of processing (art. 18), portability of data in a structured and commonly used format (art. 20), objection to processing (art. 21) and the right not to be subject to decisions based solely on automated processing — including profiling — where those decisions produce legal or similarly significant effects (art. 22). From the controller's perspective, each of these rights entails a specific operational obligation: maintaining a channel to receive requests, verifying the identity of the requester, assessing the request against the legal bases for processing, and responding within the time and form established by article 12 of the GDPR.
Article 12 of the GDPR sets the general procedural framework: the response to the data subject must be provided without undue delay and in any event within one month of receipt of the request. That period may be extended by a further two months where the complexity or volume of requests warrants it, provided the data subject is informed within the first month with reasons for the delay. The response is provided free of charge; only where requests are manifestly unfounded or excessive — in particular because of their repetitive character — may the controller charge a reasonable fee or refuse to act, but in either case the decision must be justified and communicated to the data subject, who retains the right to lodge a complaint with the AEPD (Agencia Española de Protección de Datos — Spanish Data Protection Agency). The LOPDGDD (LO 3/2018 — Ley Orgánica de Protección de Datos y garantía de los derechos digitales) supplements this regime with provisions specific to the Spanish context, in particular regarding rights in the employment sphere (art. 88 et seq.) and access to anonymised data.
The main operational challenge for SMEs and mid-sized companies is not ignorance of the rights recognised by the GDPR, but the absence of an internal procedure that enables requests to be handled in an orderly manner and within the statutory deadlines. Without an established channel, a request may arrive by email, letter, verbally or through a web form and become lost in the internal circuit before reaching the person responsible for the decision. Without clear identity-verification criteria, there is a risk of responding to someone not entitled to the information or, conversely, of imposing disproportionate burdens on the legitimate requester. Without a record-keeping system, the organisation cannot demonstrate to the AEPD that it responded on time and correctly — which may turn a process that was in fact diligent into an infringement that cannot be proved.
At Summum Consultoria we support organisations in designing and implementing a complete data subject rights management procedure: definition of the official channel for receiving requests, forms tailored to each type of right (access, rectification, erasure, objection, restriction, portability and automated decisions), identity-verification criteria proportionate to the risk, internal escalation and decision-making workflow, and response templates that meet the formal and substantive requirements of article 12 of the GDPR. The procedure is integrated into the organisation's data protection system so that every request — regardless of which employee receives it — follows the same circuit and generates the same documentary trail.
Documentation and records of every request and response are key elements for demonstrating compliance to the regulator. The accountability principle in article 5.2 of the GDPR requires the controller not only to comply with its obligations but also to be able to demonstrate that compliance. This means retaining evidence of the request received, the verifications carried out, the decision taken — including its justification if wholly or partly refused —, the response sent and the exact date of sending. Our team advises on the appropriate format and retention period for this record and assists in handling complex requests where the decision requires specific legal analysis: requests affecting third-party data, data subject to a duty of confidentiality, processing involving multiple controllers, or rights whose exercise conflicts with a legal obligation.