On October 25, 2024, the Data Protection Authority (“SPDP”) issued Resolution No. SPDP-SPDP-2024-0013-R, enacting the Regulation on the Submission and Processing of Complaints and Requests for Data Protection (“Regulation”).

The main points are below:

  1. Purpose and Scope of the Regulation

The Regulation governs the submission and processing of complaints and requests before the SPDP following the principles of expeditiousness, lawfulness, timeliness, transparency, good faith, objectivity, effectiveness, efficiency, and quality.

This Regulation applies when:

  • The exercise of the data subjects’ rights has been violated.
  • Data protection principles have been breached.
  • The data controller or processor has failed to comply with obligations set forth in the data protection regulatory framework.
  1. Complaints and Requests
  • Complaint: A mechanism by which an individual or an entity notifies the SPDP of an alleged violation of data protection regulations, such as the improper use of personal data, security breaches, or unlawful practices.
  • Request: A petition filed by a data subject to address a specific issue related to processing their personal data, such as a lack of response or improper data handling. The objective is to request that the controller or processor correct their actions, recommend corrective measures, or initiate an administrative sanction procedure.
  1. Submission of Complaints and Requests

Complaints and requests may be submitted physically at the SPDP offices or electronically through the channels made available.

  1. Complaint Procedure

Once a complaint is submitted, the SPDP may initiate preliminary actions or impose provisional protective measures to safeguard the data subject’s rights. These measures may include:

  • Withdrawal of products, documents, or other goods.
  • Access limitations or restrictions.
  • Removal of individuals.
  • Suspension of the processing activity.
  • Closure of establishments.

During the preliminary proceedings, the SPDP will:

  • Identify the alleged perpetrator(s).
  • Establish the specific circumstances of the case.
  • Determine relevant contributing factors.
  • Assess whether sufficient grounds exist to initiate an administrative procedure.

If necessary, the SPDP may order further investigations, inquiries, audits, or inspections to clarify the facts. The administrative act initiating the preliminary action will be notified to the investigated party in accordance with the Administrative Code (“COA”).

Once the preliminary actions are completed the SPDP will issue an initial report which will be notified to the investigated party. The party will have ten working days from the date of notification to submit its response.

If no response is provided within the given term, the preliminary report will have full legal effect and become the final report, concluding the initial actions.

The SPDP has a maximum of six months from the issuance of the administrative act to decide whether to initiate an administrative sanctioning procedure.

  1. Request Procedure

Requests submitted by data subjects must meet the requirements established in the Regulation. If the request is incomplete or unclear, the SPDP will order the petitioner to amend or clarify it within five days of notification. Failure to do so will result in the request being archived.

The SPDP will assess whether the request falls within its jurisdiction and, if necessary, may open a thirty-day evidentiary period during which the data subject and controller may submit additional evidence.

Within twenty days following the conclusion of the evidentiary period, the SPDP will issue a report that may contain:

  1. A recommendation on whether or not to initiate an administrative sanction procedure.
  2. A recommendation regarding the corrective measures to be implemented.

Corrective measures and administrative sanction procedures will be governed by the provisions of the COA, Data Protection Law, the Regulations to the Data Protection Law, and any other applicable regulations issued by the SPDP.

The Regulation came into effect on October 25, 2024.

 

Rafael Serrano, Partner at CorralRosales
rserrano@corralrosales.com
+593 2 2544144

© CORRALROSALES 2024
NOTE: This bulletin is for informational purposes only. CorralRosales shall not be liable for any loss or damage resulting from acting or failing to act based on the information contained herein. For any specific situation, it is recommended to obtain the corresponding legal opinion.

CORRALROSALES