Personal data: what are your rights and obligations?

More than ever we are aware of the value of our personal information, but do we know which rights and obligations protect our data? In this article we analyze the main aspects covered by current legislation.

Everything related to personal data and its protection is a trending topic in an increasingly connected society, in which this information flows constantly thanks, in large part, to new technologies.

That is why citizens should be more aware than ever of the rights and obligations that concern personal information. To help publicize this issue, the Spanish Agency for Data Protection (SADP) works hard to raise awareness, an effort that is worth reviewing.

In this article we will discuss the rights and obligations that affect us in this matter and that are included in the current legislation.

The GDPR and the rights to your personal data

At the European Union level, personal data is regulated by the General Data Protection Regulation (GDPR). Approved in 2016 and mandatory since 2018, this regulation is intended to standardize the rules of the different member countries regarding data protection.

It includes the rights and obligations that we will discuss next, and one of its main objectives is to speed things up by eliminating the associated bureaucratic barriers.


Transparency: you have the right to information

When personal data is collected through any of various channels, such as web forms, paper, telephone or an application, the person who owns that data must be duly informed of this fact.

When the data is provided directly, the notification must come before the data is handed over, while if it is obtained through third parties by means of a legal transfer, a specific period is set for the notification. This notification can be made by regular mail, electronic means or notifications within an app.


This includes the right to communicate with whoever is processing your data. Thanks to this you can demand to know what is being done with it and for what purpose, to whom it has been sent and until when it can be used. You can also request changes or deletions, make a claim, or find out where the data was obtained if it came from an assignment by a third party.

To rectification

It may happen that the personal data we provide contains errors or is incomplete. That is why we can request its modification at any time, in order to correct these errors or to complete the information that requires it.

It may be necessary to attach documentation verifying the authenticity of such changes.

Of opposition

Through this right you can refuse the processing of your data, both when it is done for purposes of public interest (subject to exceptions that must be duly justified by whoever carries out the processing) and when it is done for marketing-related purposes.


This right, which concerns the deletion of personal data, may be one of the best known among the vast majority of the population. For it to take effect, some requirements must be met.

Among these requirements, we can highlight that the information is being used illegitimately, that it is being used for a purpose that does not match the original one, that deletion is required by some legal provision, or that the right of opposition has been exercised, as previously mentioned.

To the limitation of the processing of your data

With this right you can limit the use of the personal data you have provided. There are two possible options: requesting the suspension of the data or requesting its conservation.

To the portability of your data

This right facilitates the transfer of data between those responsible for processing it. It ensures that the data is interoperable, reusable and machine-readable, because it has a properly structured format.

Not to be subject to individualized decisions

That is, as a general rule, no decision can be taken that legally or negatively affects the person who owns the personal data based solely on the study of this information.



Once we know our rights, we must also know which obligations must be met by those responsible for processing personal data. These obligations are based on a series of relative principles that we will describe together with these obligations.

Relative principles

Legality, loyalty and transparency

This principle protects data from being used for illegal or malicious purposes. It guarantees that personal data is under the protection of the GDPR.

Limitation of purpose

The data must be collected and processed based on a specific objective, without forgetting, of course, that this purpose must be included in current legislation.

Data minimization

Only the information that is strictly necessary to achieve the objectives set will be processed, so that no additional data is held without good reason.


The data must be accurate and up to date, so appropriate actions must be taken to correct errors or update it.

Term of conservation

Personal data must be kept as long as it can be useful for fulfilling the purpose for which it was collected. Once this time has elapsed, it must be deleted or handled so that its owners cannot be identified through it.

Integrity and security

Appropriate technical and other measures will be applied to prevent illegal processing, damage, loss or destruction of personal data.

Proactive responsibility

According to this principle, those responsible for the data must take actions such as carrying out risk analysis, communicating security flaws and keeping a record of all the processing this data undergoes.


Appropriate actions must be taken, both technical and organizational, so that the data is properly protected against theft, loss or alteration of any kind.

As we can deduce, these actions are closely linked to many of the relative principles just described.

Some of the most common and indisputable security actions are:

• Prior assessment of risks and impact.
• Communicate security breaches that are detected.
• Do not allow access to users who are not authorized to do so.
• Make backup copies of personal data.
• Encrypt information, which is essential when working with personal and sensitive data.

Special categories of data

It is important to highlight that some types of personal data require special mention, because the GDPR expressly prohibits, with exceptions, their processing. These special data are classified into:

  • Ethnic or racial type.
  • Biometric data.
  • Health data.
  • Sexual data.

The GDPR has been a great advance in terms of rights and obligations regarding personal data. At Viafirma we have a high level of commitment to these regulations, keeping them constantly in mind in the development of our solutions, as is the case with Viafirma Documents.

For example, one of the most interesting aspects of Viafirma Documents in terms of personal data is the creation of mandatory reading clauses for all types of documents, providing legal certainty and peace of mind to all parties involved. Another application that we can mention is the document management of informed consent for medical treatments or laboratory research.

As we have seen, the protection of something as sensitive as personal data is of great concern to the authorities and, consequently, to companies and institutions. That is why we will remain attentive in order to keep up to date on a topic on which we should all be perfectly informed.