What is GDPR and how can we protect our personal data?

The aim of the General Data Protection Regulation (GDPR) is to protect people’s privacy in relation to the processing of their personal data carried out by companies and the Authorities. This is a European regulation; therefore, it must be applied in Spain and in all of the countries that make up the European Union.  



The GDPR sets out a series of principles and requirements that companies or the Authorities must comply with when they process people's data. In order to do so, it establishes a set of rights that people may exercise with regard to their data of a personal nature. These are the rights of erasure, access, rectification or portability, the right not to be subject to automated decisions and restriction of processing.

What should we do if we want to exercise one of these rights?

  1. The first thing we should do is identify the data controller, which will be the company or entity that we have given our data to. If we aren’t sure and we have provided the data online, we can check the legal notice, which is always at the footer of the website we have entered.
  2. Once the controller has been identified, we have to contact them: there will normally be an email address to write to on the website or on the form we have completed with our data, although any method of communication is valid and the company or entity must accept it.
  3. Next, we will draft our request: in other words, we find out what we need the company to do with our data (erase it, modify it, etc.), we will inform them that we don’t want them to send us advertising or we will ask the question or query we have. The company has to respond within a month (if it is not a very complex issue, in which case the response may take longer) and we will have to prove our identity (for security reasons, it must be clear that we are actually who we say we are). To identify ourselves, the company may ask for details or a copy of our ID.
  4. If the company does not respond within this period or we don’t agree with the response, we can file a claim with the Spanish Data Protection Agency.