Data Protection Rights Request Spain

A Data Protection Rights Request Spain (Solicitud de Ejercicio de Derechos de Protección de Datos) is the formal document submitted by an individual (interesado or titular de los datos) to an organisation acting as data controller (responsable del tratamiento) to exercise one or more of the data subject rights established under the General Data Protection Regulation — Reglamento (UE) 2016/679 del Parlamento Europeo y del Consejo, de 27 de abril de 2016 (RGPD or GDPR) — and the Spanish implementing legislation, the Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD).

The data subject rights exercisable under the GDPR and LOPDGDD are commonly referred to in Spain as derechos ARCO+ — an acronym covering: Acceso (Access — Article 15 GDPR), Rectificación (Rectification — Article 16 GDPR), Supresión (Erasure/Right to be Forgotten — Article 17 GDPR), Oposición (Objection — Article 21 GDPR), Limitación del tratamiento (Restriction of Processing — Article 18 GDPR), and Portabilidad (Data Portability — Article 20 GDPR). The LOPDGDD Article 12 establishes the procedural framework for exercising these rights in Spain, including the identity verification requirements, response timeframes, and the supervisory role of the Agencia Española de Protección de Datos (AEPD).

The AEPD (Agencia Española de Protección de Datos) is the Spanish data protection supervisory authority under Article 55 GDPR and Article 43 LOPDGDD, responsible for enforcing the GDPR and LOPDGDD, investigating complaints, issuing guidance, and imposing fines for non-compliance. The AEPD can impose administrative fines of up to €20 million or 4% of the organisation's total annual global turnover (whichever is higher) for serious GDPR infringements under Article 83 GDPR, and up to €10 million or 2% of global turnover for less serious infringements.

The data controller must respond to a data subject rights request within one calendar month of receipt under Article 12.3 GDPR — this period may be extended by a further two months for complex requests, but the data subject must be informed of the extension within the initial one-month period. The response must be provided free of charge, in the same language as the request where possible, and through accessible means. If the controller refuses to act on a rights request, it must provide reasons for the refusal and inform the data subject of their right to lodge a complaint with the AEPD.

The Solicitud de Ejercicio de Derechos is the standard mechanism for invoking these rights — it creates a formal record of the request, triggers the controller's response obligation, and provides the evidence necessary for any subsequent AEPD complaint (reclamación ante la AEPD) or court action if the controller fails to respond or refuses the request without justification. The LOPDGDD Article 12 requires data controllers operating in Spain to provide a procedure for receiving rights requests — typically through a designated contact email, postal address, or online form.

The legal framework governing the Data Protection Rights Request Spain in Spain draws on several key statutes and regulatory bodies. Under Spanish law, the Constitución Española 1978 is the supreme law. The Código Civil governs contractual obligations under Article 1255 (libertad de pactos). The AEAT administers taxation. The Juzgados de Primera Instancia have general civil jurisdiction. The Ley 39/2015 governs administrative procedure. The LOPDGDD (LO 3/2018) and RGPD govern data protection through the Agencia Española de Protección de Datos (AEPD). Parties executing a Data Protection Rights Request Spain in Spain should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Ley Orgánica 3/2018 de Protección de Datos Personales (LOPDGDD) art. 12 sets the foundational requirements.

A Data Protection Rights Request Spain is needed when an individual wants to know what personal data an organisation holds about them — exercising the right of access (derecho de acceso) under Article 15 GDPR to receive a copy of all personal data processed, the purposes of processing, the categories of data, recipients, retention periods, and safeguards for international transfers.

The solicitud is required when an individual wants to correct inaccurate personal data — exercising the right of rectification (derecho de rectificación) under Article 16 GDPR, for example correcting a wrong address, date of birth, or name held in a company's database, credit register, or public administration records.

The Spain Data Protection Rights Request Spain document is needed when an individual wants to have their personal data deleted — exercising the right to erasure or right to be forgotten (derecho de supresión) under Article 17 GDPR, applicable when the data is no longer necessary for the original purpose, consent has been withdrawn, or the data has been unlawfully processed.

The request is required when an individual objects to the processing of their personal data for direct marketing purposes (oposición al marketing directo) under Article 21.2 GDPR — the controller must stop processing the data for marketing immediately without requiring justification.

The solicitud is needed when an individual wants to obtain their personal data in a machine-readable format for transfer to another service provider — exercising the right of data portability (derecho a la portabilidad) under Article 20 GDPR, applicable where processing is based on consent or on a contract.

The request is also required when lodging a complaint with the AEPD — the AEPD requires evidence that the data subject first addressed the controller directly before filing a reclamación. The Solicitud de Ejercicio de Derechos and the controller's response (or failure to respond) form the primary evidence for any AEPD complaint.

Public administrations (Administraciones Públicas), healthcare providers, banks, telecommunications companies, social media platforms, and employers are the most common recipients of data protection rights requests in Spain. The LOPDGDD contains specific provisions for rights requests addressed to public administrations under Articles 26 to 28 LOPDGDD.

Parties in Spain should prepare a Data Protection Rights Request Spain proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under Spanish law, the Constitución Española 1978 is the supreme law. The Código Civil governs contractual obligations under Article 1255 (libertad de pactos). The AEAT administers taxation. The Juzgados de Primera Instancia have general civil jurisdiction. The Ley 39/2015 governs administrative procedure. The LOPDGDD (LO 3/2018) and RGPD govern data protection through the Agencia Española de Protección de Datos (AEPD). Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.

A valid Data Protection Rights Request Spain under Article 12 of the Ley Orgánica 3/2018 (LOPDGDD) and Articles 15 to 22 of the GDPR (Reglamento UE 2016/679) must contain the following elements to constitute a valid and actionable request.

Data Subject Identification: Full name and a copy of the data subject's identity document — DNI, NIE, or passport — to allow the data controller to verify the identity of the requesting person. The LOPDGDD Article 12.2 requires identity verification to prevent fraudulent rights requests. The copy of the identity document should be provided as an attachment — a front-and-back scan or photograph of the DNI or NIE is standard practice in Spain.

Controller Identification: Full legal name, registered address, and, where applicable, the Data Protection Officer (Delegado de Protección de Datos — DPO) contact details of the organisation to which the request is addressed. Under Article 37 GDPR, certain organisations are required to designate a DPO — including public authorities, organisations engaged in large-scale systematic monitoring, and those processing special categories of data at scale.

Right(s) Being Exercised: A clear statement of which right(s) the data subject wishes to exercise — access, rectification, erasure, restriction, portability, or objection — with sufficient specificity to enable the controller to process the request. If multiple rights are being exercised simultaneously, each should be identified and, where relevant, the grounds for exercising each right stated.

Description of Data at Issue: Where relevant, a description or identification of the specific personal data to which the request relates — for example, data held in a specific account, contract, or database. For access requests, the data subject may specify the categories of data or the processing activities of concern. For rectification requests, the correct information should be clearly stated alongside the incorrect data to be corrected.

Legal Basis for the Right: Reference to the specific GDPR article being invoked — Article 15 (access), 16 (rectification), 17 (erasure), 18 (restriction), 20 (portability), or 21 (objection) — together with the factual basis, particularly for erasure requests (data no longer necessary, consent withdrawn, unlawful processing) and objection requests (compelling legitimate grounds).

Preferred Response Format and Channel: The data subject may specify a preferred response format (electronic or postal) and language. Under Article 12.1 GDPR, the controller must provide the response in a concise, transparent, intelligible, and easily accessible form, using clear and plain language (lenguaje claro y sencillo).

Date and Signature: The date of submission and the data subject's signature (or qualified electronic signature — firma electrónica cualificada — for electronic submissions under the Ley 6/2020 de Firma Electrónica). The date triggers the controller's one-month response period under Article 12.3 GDPR.

Forms-legal.com provides this Data Protection Rights Request Spain template as a practical tool for individuals and compliance teams. For requests addressed to public administrations, the request may be filed through the Sede Electrónica of the relevant Administración Pública using a certificado digital or Cl@ve PIN. If the controller fails to respond within one month or refuses the request without justification, the data subject may lodge a reclamación with the AEPD (aepd.es) or bring a judicial action before the competent court under Article 79 GDPR.

The Agencia Española de Protección de Datos (AEPD) supervises GDPR and LOPDGDD compliance in Spain. The AEPD's Sede Electrónica provides model rights request forms and an online complaint portal. GDPR fines in Spain can reach €20 million or 4% of global annual turnover for the most serious infringements. Data subjects may also claim compensation for material or non-material damage caused by GDPR infringements under Article 82 GDPR before the Juzgados de Primera Instancia.