Do individuals have the right to access their personal information?
Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Employees, as well as other individuals whose personal data is being processed in Chile, have the right to demand from employers (Individual Access right, Personal Data Protection Law):
- copies of any personal data about themselves;
- who at the organization is responsible for processing their personal data;
- the origin and the recipient of their personal data;
- the purpose of the storage and processing; and,
- the identities of the persons to whom their personal data is regularly transmitted (such as 3rd parties).
In cases where personal data has been proven to be inaccurate, incomplete or erroneous, individuals have the right to request correction. Where there is no legal basis to hold data, or the legal basis expired, individuals can demand that their personal data should be deleted.
Employees (and other individuals) can request copies of their personal data along with copies of corrections to their data. Employers cannot charge data subjects when making deletions, modification or amendments to their personal data.
Employers must fully comply with requests for access within two business days. If the employer doesn’t respond within that time, the individual making the request can apply to the court for an order requiring access. The only exception is where the reason for the delay, or refusal to comply with the request, is based on national security or national interest. The lack of timely delivery of information or the delay in making the modification, in the form ordered by the Court, can be punished with a fine between 2 to 50 monthly tax units (MTU).
HR Best Practices: Ensure processes are in place that allow those in charge of personal data to reply to access requests within two business days. Properly notify employees and job applicants as to how they can reach out to the company to request changes to their personal information. Upon receipt of an access request, verify the individual’s identity prior to sharing any information.