Despite the absence of cross-cutting national regulations, since the GDPR (General Data Protection Regulation) came into force a year ago and several data breach scandals involving multinational technology companies, the protection of personal data has become a hot topic.
This year, the first draft bill of the Organic Data Protection Bill[1] was published. Before analyzing the most technical and controversial aspects of it, it is important to understand the basics of personal data.
Previously we discussed what data protection is[2], now it is time to talk about the background to these rights. As the owner of my personal data, what rights help me? As the person in charge of this data, what are my obligations and restrictions?
Many will have heard of the ARCO rights. ARCO stands for Access, Correction, Cancellation and Opposition. These are the main rights of data subjects that are guaranteed in multiples laws, including the Constitution[3]. These mean that any person may ask whoever processes personal data for access to their data, to know what information is held and for what purpose; the correction of any incorrect or inaccurate data, the cancellation of such information and to object to the use thereof.
The draft bill published this year includes the ARCO rights and also the right to transparency[4], erasure[5] and portability[6]. The right to transparency and erasure go hand in hand with the ARCO, however, the right to portability is a new right and a term that was previously used to refer more to mobile handsets.
The right to portability is the right of the data subject to receive their personal data that they had previously provided in a machine-readable format and transmit that data to another controller without needing to repeat administrative and technical processes, so that the data ultimately belongs to the owner and not the processor or controller.
It is essential that these rights are not just known by the subjects of personal data, but by all those who handle the data whether processors or controllers, as they must guarantee the data and have the necessary means to comply when the data subject decides to exercise these rights.
[1] http://www.datospublicos.gob.ec/programas-servicios/servicios/anteproyecto-de-ley-de-proteccion-de-datos/
[2] https://www.pbplaw.com/es/que-significa-la-proteccion-de-datos-personales/
[3] Constitution of the Republic of Ecuador, Art. 92.
[4] Draft Bill – Organic Law for Personal Data Protection, art. 20
[5] Draft Bill – Organic Law for Personal Data Protection, art. 26
[6] Draft Bill – Organic Law for Personal Data Protection, art. 27
Camila Mateus-Villagómez