The Law provides a set of rights called “ARCO rights”, that refer to the rights of Access, Rectification, Cancellation and Objection, that data owners can exercise against the processing of their personal data by private parties. In particular,
(1) Article 25 provides that "the data owner will at all times have the right to cancel his personal data. Cancellation of personal data will lead to a blocking period following which the data will be erased. The data controller may retain data exclusively for purposes pertaining to responsibilities arising from processing. The blocking period will be equal to the limitation period for actions arising from the legal relationship governing processing pursuant to applicable law. . . .."
(2) Article 26, however, clarifies that "the data controller will not be obligated to cancel personal data when: I. It relates to the parties of a private or administrative contract or partnership agreement and is necessary for its performance and enforcement; II. The law requires that it be processed; III. Such action hinders judicial or administrative proceedings relating to tax obligations, investigation and prosecution of crimes, or updating of administrative sanctions; IV. It is necessary to protect the legally protected interests of the data owner; V. It is necessary to carry out an action in the public interest; VI. It is necessary to fulfill an obligation legally undertaken by the data owner, and VII. It is subject to processing for medical diagnosis or prevention or health services management, provided such processing is done by a health professional subject to a duty of secrecy.
(3) Article 27 states that "data owners will, at all times and for any legitimate reason, have the right to object to the processing of their data. Where appropriate, the data controller may not process such data owner's data."
Topic, claim, or defense
Privacy or Data Protection
Type of service provider
General or Non-Specified
OSP obligation considered
Block or Remove
Type of law