ARCO Rights Request Spain (Solicitud de Ejercicio de Derechos ARCO / RGPD)

An ARCO Rights Request Spain (Solicitud de Ejercicio de Derechos ARCO) is the formal written application submitted by a data subject (interesado) to a data controller (responsable del tratamiento) to exercise their fundamental rights regarding personal data processing under the Reglamento General de Protección de Datos of the European Union — Reglamento (UE) 2016/679 (RGPD) — and the Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y Garantía de los Derechos Digitales (LOPDGDD), which adapts the GDPR to the Spanish legal order. The acronym ARCO refers to the four original Spanish data protection rights — Acceso (access), Rectificación (rectification), Cancelación (cancellation/erasure), and Oposición (objection) — established under the prior Ley Orgánica 15/1999 (LOPD) and maintained in expanded form under the RGPD.

The RGPD established a thorough framework of data subject rights applicable to all processing of personal data by controllers established in the European Union, or processing data of EU residents regardless of the controller's location. The key rights available to Spanish data subjects under the RGPD include: the right of access (derecho de acceso) under Article 15 RGPD — the right to obtain confirmation of whether personal data is being processed and, if so, to receive a copy of the data and information about the processing; the right to rectification (derecho de rectificación) under Article 16 RGPD — the right to have inaccurate or incomplete personal data corrected; the right to erasure (derecho de supresión / derecho al olvido) under Article 17 RGPD — the right to have personal data deleted where it is no longer necessary for the original purpose, consent has been withdrawn, there is no legitimate basis, or the data has been unlawfully processed; the right to restriction of processing (derecho a la limitación del tratamiento) under Article 18 RGPD — the right to restrict processing in specified circumstances; the right to data portability (derecho a la portabilidad de los datos) under Article 20 RGPD — the right to receive personal data in a structured, commonly used, machine-readable format and to transmit it to another controller; and the right to object (derecho de oposición) under Article 21 RGPD — the right to object to processing based on legitimate interests or for direct marketing purposes.

The LOPDGDD supplements the RGPD with Spanish-specific provisions, including the right to digital rectification (Article 85 LOPDGDD — right to request removal of internet content linked to a person's name), the right to update personal information in digital media, and specific rights in the employment context under Articles 87 to 93 LOPDGDD — including the right to digital disconnection (desconexión digital) and the right to privacy regarding geolocation and digital monitoring in the workplace.

The Agencia Española de Protección de Datos (AEPD), established under Articles 44 to 52 LOPDGDD and the Estatuto Orgánico de la AEPD (RD 389/2021), is the independent supervisory authority (autoridad de control) responsible for enforcing data protection law in Spain. The AEPD has authority to receive complaints, conduct investigations, issue binding decisions, and impose administrative fines up to €20 million or 4% of global annual turnover for the most serious RGPD infringements under Article 83 RGPD. Spanish courts — including the Audiencia Nacional and Tribunal Supremo — have developed extensive jurisprudence on ARCO rights and RGPD compliance.

Data controllers in Spain must respond to ARCO rights requests within one month of receipt (Article 12.3 RGPD), extendable by a further two months for complex requests with notification to the data subject. Responses must be provided free of charge for reasonable requests. Controllers may refuse manifestly unfounded or excessive requests under Article 12.5 RGPD but must justify the refusal. Failure to respond, unjustified refusal, or inadequate response gives the data subject grounds to file a complaint with the AEPD under Article 77 RGPD, or to pursue judicial remedies before the Juzgado de lo Contencioso-Administrativo (for public body controllers) or civil courts (for private controllers) under Articles 79 and 82 RGPD.

An ARCO Rights Request Spain is needed whenever a natural person wishes to exercise their data protection rights against any organisation, company, or public body that processes their personal data.

The request is needed when a person suspects that an employer, former employer, or HR system holds inaccurate personal data — such as incorrect salary records, disciplinary notes, or health information — and wishes to obtain access and correct the data under Articles 15 and 16 RGPD before it affects employment decisions or references.

An ARCO Rights Request is needed when a consumer discovers that a company is using their contact details, purchase history, or profiling data for marketing purposes without valid consent or a legitimate interest — the request to object under Article 21 RGPD or erase under Article 17 RGPD requires a formal written submission to be effective and to start the one-month response deadline.

The request is needed when a credit bureau (empresa de información crediticia) such as ASNEF, CIRBE, or RAI holds incorrect or outdated debt information affecting the person's credit score — rectification and erasure rights under Articles 16 and 17 RGPD are particularly important in this context, and the AEPD has issued specific guidelines on ARCO rights against credit reference agencies.

An ARCO Request is needed when a public administration or court holds sensitive personal data — health records (datos de salud), criminal records (antecedentes penales), or social services records — and the data subject wishes to know what data is held, correct inaccuracies, or limit processing under Articles 15 to 18 RGPD.

The request is needed when an individual wishes to exercise the right to be forgotten (derecho al olvido) under Article 17 RGPD and Article 85 LOPDGDD — requesting that a search engine (such as Google or Bing) delist or remove links to information about them from search results where the information is outdated, inaccurate, or disproportionate to a legitimate public interest.

An ARCO Rights Request is needed when switching service providers and exercising data portability rights under Article 20 RGPD — for example, requesting a bank, telecommunications provider, or health insurer to provide all personal data in a machine-readable format (CSV, XML, JSON) for transfer to a new provider.

The request is also needed after any data breach (violación de seguridad) under Article 33 RGPD affecting the data subject's personal data — to obtain information about what data was compromised, what remediation measures were taken, and whether erasure or restriction of the compromised data is appropriate.

A valid ARCO Rights Request Spain under the Reglamento (UE) 2016/679 (RGPD) and Ley Orgánica 3/2018 (LOPDGDD) must contain the following elements to start the one-month response deadline and to be enforceable before the AEPD or a court.

Data Subject Identification: Full name and a copy of the DNI, NIE, or Passport — required by Article 12.6 RGPD and confirmed by the AEPD's published guidance on ARCO rights requests. Where the request is submitted by a legal representative (representante legal) of a minor, incapacitated person, or deceased person's heir, the representative's identity document and evidence of representation must be included.

Data Controller Identification: The full name, address, and NIF/CIF of the organisation (responsable del tratamiento) — company, employer, public body, health service, financial institution, or other entity — to which the request is directed. The data controller's contact details and, where applicable, the contact details of their Data Protection Officer (Delegado de Protección de Datos — DPD), if publicly designated, should be used to confirm proper routing of the request.

Specific Right Being Exercised: A clear statement of which RGPD right is being exercised — access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), portability (Article 20), or objection (Article 21) — with a brief explanation of the relevant processing activity and the reason for the request. A single ARCO form may exercise multiple rights simultaneously.

Description of Personal Data Concerned: For rectification requests, identification of the specific inaccurate data and the correct version, with supporting evidence where available. For erasure requests, identification of the specific data to be deleted and the ground for erasure — no longer necessary for the original purpose, withdrawal of consent, unlawful processing, or compliance with a legal obligation. For access requests, the scope of the access sought (all data, or data from a specific processing context).

Processing Activities Identified: Identification of the specific processing activities to which the request relates — HR data, marketing profiling, credit records, health data, CCTV footage, call recordings, etc. — to allow the data controller to locate the relevant data efficiently and respond accurately.

Preferred Response Format and Channel: Specification of the preferred response format — electronic copy of the data, written confirmation, or digital extract — and the response channel (email, postal address, or the controller's electronic office). Article 12.1 RGPD requires responses in clear and plain language.

Date and Signature: The date of the request and the data subject's signature (handwritten or qualified electronic signature). Electronic signatures compliant with Reglamento (UE) 910/2014 (eIDAS) — certificate-based or advanced electronic signature — are acceptable for requests submitted through the data controller's electronic channel.

Forms-legal.com provides this ARCO Rights Request Spain template as a practical tool for individuals exercising their RGPD rights. If the data controller fails to respond within one month, or provides an inadequate or unjustified refusal, the data subject may file a complaint with the Agencia Española de Protección de Datos (AEPD) at aepd.es, free of charge, and may also seek judicial remedies under Article 79 RGPD.

Key institutions: the Agencia Española de Protección de Datos (AEPD) is the Spanish supervisory authority under Article 51 RGPD and Articles 44 to 52 LOPDGDD. The AEPD's online complaint portal processes ARCO rights complaints and has the power to impose fines up to €20 million or 4% of global turnover. Catalan data has dual supervision from the AEPD and the Autoritat Catalana de Protecció de Dades (APDCAT). The Comité Europeo de Protección de Datos (EDPB) issues binding guidance on RGPD rights applicable across all EU Member States.