Procedure for Handling Rights Requests

Robalino Abogados Ecuador FEREC S.A. (hereinafter “Robalino Abogados”) and CPA Consulting Ecuador CPAEC S.A. (hereinafter “CPA Consultores”), collectively referred to as “the Firm,” have a simple and free communication channel to ensure that data subjects can exercise their rights in accordance with personal data protection regulations.

I. OBJECTIVE


To establish the steps to follow for responding to requests from data subjects exercising their personal data protection rights.

II. DEFINITIONS

  • Personal Data Database: An organized collection of personal data that is subject to processing, automated or otherwise, regardless of its format (physical, magnetic, digital, optical, etc.).

  • Personal Data: Any information about a natural person that identifies or makes them identifiable through reasonable means. This includes numerical, alphabetical, graphical, photographic, acoustic, personal habits, or any other type of information related to natural persons.

  • Data Protection Officer (DPO): The person responsible for informing the data controller or processor of their legal obligations regarding data protection, ensuring compliance, and acting as a liaison with the Data Protection Authority.

  • Data Protection Rights: Fundamental rights allowing individuals to control and manage their personal data, decide who can access it, and for what purpose, as well as oppose such possession or processing.

  • Data Processor: A natural or legal person, public or private entity, or authority that processes personal data on behalf of the data controller.

  • Data Controller: A natural or legal person, private entity, or public authority that determines the purposes and means of personal data processing. In this procedure, Robalino is the data controller.

  • Personal Data Processing: Any operation or set of operations that involves the collection, organization, storage, modification, consultation, communication, or any form of processing of personal data.

  • Data Subject: A natural person whose personal data is subject to processing.

III. PROCEDURE

A. Receiving Requests from Data Subjects

  1. Data subjects can initiate the procedure by submitting a request to the email: protecciondedatos@robalinolaw.com.

  2. Upon receiving a request, the Firm will respond with the necessary requirements to formalize it.

  3. The request must include:

  • The name of the data subject or their representative.

  • A copy of an identity document.

  • Details of the personal data related to the request.

  • A specific petition regarding the right to be exercised.

  • A physical or email address to receive the response.

  • Authorization if acting through a representative.

  4. The DPO will verify that the request complies with legal requirements. This includes confirming the requester’s identity, validating the provided information, and ensuring that the data in question is being processed by the Firm.

  5. If necessary, the DPO will collaborate with analysts responsible for reviewing the request and processing it accordingly.

B. Responding to the Data Subject

  1. The maximum response time is 15 days from the day following the submission of the request.

  2. If the information is incomplete, clarifications will be requested within 5 days. The data subject will have 10 days to respond; otherwise, the request will be archived.

  3. The response will be delivered using the method specified by the data subject (physical address or email).

C. Rights Available to Data Subjects

  1. Right to Information: The data subject has the right to clear information about the processing of their data.

  2. Right of Access: The data subject can request access to their personal data.

  3. Right to Update and Rectify: Data subjects can correct inaccurate or outdated data.

  4. Right to Deletion: Data subjects can request the deletion of data that is no longer necessary or has been improperly processed.

  5. Right to Object: Data subjects can object to the processing of their data, particularly for marketing purposes.

  6. Right to Data Portability: Data subjects can receive their data in a compatible format or request its transfer to another data controller.

  7. Right to Restriction: Data subjects can request a temporary halt to the processing of their data under specific circumstances.

  8. Right to Avoid Automated Decisions: Data subjects can avoid being subjected to decisions based solely on automated processing, including profiling.

D. Denial of Requests


The DPO may deny a request in the following cases:

  • The requester is not the data subject or their representative is not properly authorized.

  • The data is necessary to fulfill legal or contractual obligations.

  • The data is needed to exercise fundamental rights or protect vital interests.

E. Exercising Rights as a Data Processor


If the Firm acts as a data processor, it must immediately forward the request to the data controller within 2 days, ensuring the controller can respond within the legally mandated timeframe.

IV. FLOWCHART


The procedure includes a flowchart detailing the steps from receiving the data subject’s request to issuing the final response. If you need to visualize this information, it is available in the organization’s internal documentation.

V. ASSOCIATED DOCUMENTS

  • Personal Data Protection Policy

RIGHTS THAT DATA SUBJECTS CAN EXERCISE


Data subjects can request the execution of any of the following rights:

  • Access: Consult detailed information regarding the processing of their data.

  • Update and Rectification: Update or correct inaccurate, erroneous, false, incorrect, or imprecise data.

  • Deletion: Request the removal of data from files, records, systems, or databases.

  • Objection: Refuse the processing, use, or transfer of their personal data.

  • Portability: Receive personal data in a compatible, updated, structured, common, interoperable, and machine-readable format, or request its transfer to another controller.

  • Suspension: Request the suspension of data processing until a dispute is resolved or the accuracy of the data is verified.

  • Right to Avoid Automated Decisions: Request clarifications or challenge decisions based solely on automated processing.

REQUIREMENTS AND PROCEDURES FOR EXERCISING RIGHTS

  1. General Requirements:

  • Provide documents that verify the identity of the data subject or their legal representative.

  • Clearly specify the request, and in cases of rectification, deletion, or objection, include supporting documents.

  2. Notification Method for Responses:

  • The data subject can choose to receive the response at their physical address or specified email.

  3. Relationship with the Institution:

  • Specify the type of relationship with the institution, such as client, supplier, applicant, former employee, etc.

DENIAL OF REQUESTS


The institution may deny requests from data subjects in the following cases:

  • If the requester is not the data subject or their legal representative is not duly authorized.

  • If the data is required for fulfilling a legal or contractual obligation.

  • If the data is essential for formulating, exercising, or defending claims.

  • If the data is necessary for freedom of expression and opinion or to protect vital interests.

  • In cases of scientific, historical, or statistical research.

RESPONSIBILITY OF THE DATA PROCESSOR


When the institution acts as a data processor, it must forward the request to the data controller within 2 days to ensure the controller responds within the legally established timeframe.

PROCEDURE MODIFICATIONS


The institution reserves the right to modify this procedure at any time. Updates will be communicated through official communication channels.