Empleados descansan en su tiempo de almuerzo

Personal data: what are your rights and obligations?

More than ever we are aware of the value of our personal information, but do we know what obligations and rights we have over our data? In this article we analyze the main aspects of current legislation.

Everything related to personal data and its protection is a trend in an increasingly connected society, in which this information is constantly flowing thanks, in large part, to new technologies.

That is why citizens must be more aware than ever of the rights and obligations concerning personal information. The Spanish Data Protection Agency (AEPD) is working hard to raise awareness of this issue, a task that is worth highlighting.

In this article we will discuss the rights and obligations that affect us in this matter and that are included in the current legislation.

The GDPR and your personal data rights

At the European Union level, the regulation on personal data is a matter of the General Data Protection Regulation (GDPR). Adopted in 2016 and mandatory since 2018, this regulation is made to homogenize the regulations of the different member countries in terms of data protection.

It sets out the rights and obligations that we will discuss below, and one of its main objectives is to streamline the process by eliminating the associated bureaucratic barriers.


Transparency: your right to information

When some of the personal data is collected through different ways, such as web forms, on paper, by telephone or through an application, the person who owns such data must be duly informed of this fact.

In the event that the delivery of data is done directly, the notification will be prior to shipment, while if it is done through third parties through a legal transfer, there will be a set deadline. Such notification may be made by ordinary mail, electronic means or notifications within an app.

Of access

This includes the right to communicate with whoever is processing your data. Thanks to it you can demand to know what is being done with them and for what purpose, to whom they have been sent, until when they can have them, request changes or deletions, make a claim or know where they have been obtained in the case of a transfer by a third party.

To rectification

It may happen that the personal information we provide contains errors or is incomplete. For this reason, we may at any time ask you to modify it in order to correct such errors or to complete the information that requires it.

It may be necessary to attach documentation verifying the plausibility of such changes.

Of opposition

It is possible to refuse data processing, whether it is carried out for public interest purposes, subject to exceptions that must be duly justified by the data controller, or for marketing purposes.

To oblivion

It may be one of the best known by the vast majority of the population. It deals with the deletion of personal data. In order for it to materialize, some requirements must be met.

Among these premises, we can highlight that this information is being used illegitimately, for a purpose that does not coincide with the original one, if it is required by any legal provision or if the aforementioned right of opposition has been exercised.

To the limitation of the processing of your data

With it, the use of the personal data provided can be restricted to a certain extent. There are two possible options, to request the suspension of the data or to request its conservation.

To the portability of your data

This right facilitates the transfer of data between data controllers. This ensures that they are interoperable, reusable and machine-readable because they are in a properly structured format.

Not to be subject to individualized decisions

In other words, as a general rule, no decision that legally or negatively affects the person who owns the personal data may be taken solely on the basis of the study of this information.

RGPD and personal data


Once we know our rights, we must also know the obligations that data controllers must comply with. These obligations are based on a series of relative principles that we will describe next to these obligations.

Relative principles

Fairness, loyalty and transparency

It protects data from unlawful processing or processing for malicious purposes. This ensures that personal data falls under the protective umbrella of the GDPR.

Purpose limitation

The data must be collected and processed on the basis of a specific purpose, without forgetting, of course, that this purpose must be covered by the law in force.

Data minimization

We will only work with the information that is strictly necessary to achieve the objectives set, so no additional data will be made available without justification.


The data must be accurate and up to date. Appropriate steps must be taken to correct errors or update the data.

Conservation period

Personal data must be kept as long as they can be useful for the fulfillment of the purpose for which they were collected. Once this time has elapsed, they should be deleted or action should be taken to ensure that the owners cannot be identified through them.

Integrity and security

Appropriate technical and other measures shall be implemented to prevent unlawful processing, damage, loss or destruction of personal data.

Proactive responsibility

According to it, data controllers must take measures such as risk analysis, communication of security breaches or a register with all the processing received by these data.


Appropriate technical and organizational measures must be taken to ensure that the data is adequately protected against theft, loss or alteration of any kind.

As we can deduce, these measures are closely linked to many of the relative principles just described.

Some of the most common and undisputed security measures are:

  • Preliminary risk and impact assessment.
  • Report any security breaches that are detected.
  • Do not allow access to users who are not authorized to do so.
  • Make backup copies of personal data.
  • Encrypt and encrypt information, essential when working with personal and sensitive data.

Special categories of data

It is important to highlight that there are some types of personal data that require special mention, and that the GDPR expressly prohibits, with some exceptions, their processing. These special data are classified as:

  • Ethnic or racial.
  • Biometric data.
  • Health data.
  • Data of a sexual nature.

The RGPD has meant a great advance in terms of personal data rights and obligations. From Viafirma we have a high level of commitment with this regulation, having it constantly present in the development of our solutions, as it is the case of Viafirma Documents.

For example, one of the most interesting aspects of Viafirma Documents in terms of personal data is the creation of mandatory reading clauses for all types of documents, providing legal certainty and peace of mind to all parties involved. Another application we can mention is the document management of the informed consent for health treatments or research in laboratories.

As we have seen, the protection of something as sensitive as personal data is of great concern to the authorities and, consequently, to companies and institutions. This is why we will remain up to date on a subject on which we all need to be fully informed.


    La mejor solución de firma electrónica para tu empresa

    Scroll to Top