2024-09-03 08:59:29
The law, which is awaiting enactment, imposes multi-million dollar fines on companies and introduces a series of rights for citizens, who will be able to prevent the misuse of their personal data.
The annoying ones spam calls in which products and services are offered to users begin to say goodbye, after the new Personal Data Protection Act was approved by Congress after seven years of processing. The initiative addresses various points, so you can review below what it consists of and how consumers can enforce their rights.
Specifically, the regulations that are awaiting promulgation will come into force 24 months after its publication. This regulation was created with the aim of protecting and regulating the processing of personal data, and to this end, the Data Protection Agencywhose body will be responsible for ensuring that the law is correctly complied with.
In addition, it includes a series of new rights that the holders of personal data will have, such as: right of access, rectification, deletion, opposition, portability and blocking of your personal data. Failure to comply with the above will result in severe penalties imposed by law on companies that handle users’ personal information.
Practical guide to understanding the new Personal Data Protection Act
The new regulations grant people a Greater control over your personal datawhich translates into Companies will no longer be able to use information as they please and will have to eliminate certain practices..
“There are various questionable practices that, with the implementation of fines, can no longer be carried out with the same freedom as they have been until now. For example, the collection and use of personal data for marketing purposes will require the explicit consent of the owners, which will put an end to the black market of databases. Likewise, sending spam for products and services by email should no longer be an option, nor should requesting the RUT number when making purchases,” Carlos Reusser, a lawyer specializing in data protection, explained to EL DÍNAMO.
In this way, companies or organizations They may use personal data only for the established purposes, for a limited time and with transparency..
“It will not be possible to automatically subscribe users to newsletters after an online purchase, nor share personal data with third parties or other related companies without the user’s consent.“, Reusser explained.
What should a person do if they keep receiving spam calls?
One of the points that stands out most within this law is the end of telephone spam. In the event that a person receives calls without having provided legal authorization, the first step to assert their rights would be to exercise the right to erasure.
“This involves contacting the company in question and request the deletion of your data. The company is obliged to respond in writing to the owner, either to his/her address or to the email address he/she has indicated, and must do so within a maximum period of 30 calendar days“, explained the lawyer expert in data protection.
Personal data: what can a citizen do if a company does not respond to a request?
If the response is not satisfactory, or if no response is received, the citizen has the right to file a complaint with the Personal Data Protection Agencyalso within a period of 30 calendar days, so that it can initiate a sanctioning procedure.
In this case, a distinction must be made between administrative and judicial resources.
At the administrative level, the so-called administrative procedure for the protection of rights before the Data Protection Agencyin the event that the application in which the rights are exercised is rejected or when it has not been responded to within the period contemplated (30 working days). On the other hand, the so-called administrative procedure for violation of law, When it comes to non-compliance or violation of the principles or the rights and obligations contemplated by the law, he said THE DYNAMOIgnacio Lopetegui, Master in Telecommunications Law, Data Protection, Audiovisual and Information Society.
On the other hand, he explained that the judicial aspect is “contemplated in cases where an appeal is sought against an administrative act of the agency that paralyzes the processing of data, or against a resolution of the agency, and a claim of illegality must be filed before the corresponding Court of Appeals, within 15 business days from the notification of the resolution or administrative act.”
Finally, the agency will determine whether the law has been violated and will apply the sanction it deems appropriate based on the severity of the violation and the other details of the case.
How can I file a complaint with the Data Protection Agency?
To materialize a claim, Carlos Reusser commented that it will be possible through the website of the Personal Data Protection Agency, as long as certain requirements are met: must be submitted in writing, no more than 30 days must have passed From the company’s response (or lack of response), it should be indicated what is being challenged and, additionally, attach all the background information on which your claim is based.
In addition, a postal address or email address or other electronic means must be indicated to receive notifications of the case.
How can you revoke consent to the use of your personal data after it has been given to the company?
First of all, it must be considered that people are free to give their consent for their personal data to be processed by third parties, but also They have the same freedom to withdraw such consent.
Under this point, Ignacio Lopetegui stated: “Consent can be revoked at any time, without the need to express any specific reason. and it must be done through the same means by which it was initially granted. Here it is important to note that it is useful to have updated and expeditious contact channels so that communication can be real and not imply an associated cost, that is, they must be free of charge.
The million-dollar fines that companies are exposed to in the new Personal Data Protection Law
The Data Protection Agency will have the power to apply sanctions for minor, serious and very serious violations.
These are the limits of fines depending on the severity of the company or organization’s non-compliance:
- Minor: fines of up to 5.000 UTM
- Serious: fines of up to 10.000 UTM
- Very serious: fines of up to 20.000 UTM
Given this, one might ask: What types of violations can be classified into each of them?
Las minor infractions They relate to partial or total non-compliance with the duty of information or transparency. For example: not providing a contact address (postal, email or electronic means) for the data controller, failing to respond, responding incompletely or out of time to requests for the exercise of rights and, in general, failing to comply with the Agency’s instructions.
Regarding the violations gravesAn example of this would be the transfer of data without the consent of the owner or for a purpose other than that for which it was authorized, processing data without the consent of the owner or without a legal basis for processing it and hindering the exercise of the rights of access, rectification, deletion, opposition or portability of the owner.
While the most serious ones include actions such as “fraudulently handling data, using it for purposes other than those consented to by the owner, violating the duty of secrecy or confidentiality in the handling of sensitive data, among other sanctions indicated by the future law,” concluded Ignacio Lopetegui.