Personal data can only be processed with the consent of its owner, which must be prior, informed, express and unequivocal.
Consent may be obtained through written or verbal means. In the case of sensitive data, consent must be given in written form.
The data controller must comply with the following information on the data subjects: (i) the identity and address of the data controller and data processor, if applicable, (ii) the purpose of the personal data processing, (iii) who the recipients may be (national or international transfers), (iv) the existence of the data bank where the information will be stored, (v) the mandatory or optional nature of the proposed questionnaire, (vi) any consequences of providing personal data and any refusal to do so, (vii) transfer of personal data, (viii) time holding personal data, and (ix) means and possibility of exercising rights of access, rectification, opposition and cancellation.
The data controller and the data processor, when applicable, must comply with the following obligations:
- Not to collect personal data by fraudulent, unfair or illegal means;
- Collect up-to-date, necessary, relevant and adequate personal data in connection with a determined, explicit and legal purpose;
- Not to use personal data for any means other than the those for which it was collected in the first place unless such data undergoes an anonymisation or dissociation process;
- Store personal data in such a manner that allows data subjects to enforce their rights;
- Delete or replace personal data upon knowledge of its inaccuracy or incompleteness;
- Delete personal data when it is no longer necessary for the purpose for which it was collected, unless such data undergoes an anonymisation or dissociation process;
- Provide the information that the DPA requests.