
How to respond to ARSOP rights requests under Law 21.719: process, deadlines and templates.

Sooner or later the email arrives: “I want to know what data you have about me” or “I want my information deleted.” Having a defined process is the difference between responding confidently and on time, or improvising and exposing yourself to a sanction.


The essentials in 30 seconds

  • ARSOP = Access, Rectification, Suppression, Opposition and Portability: the rights Law 21.719 grants to people (the former ARCO, plus portability).
  • You must respond within the deadline the law sets, which is counted in business days; temporary blocking has a shorter deadline (2 business days). As a general rule, exercising rights is free of charge.
  • The correct flow: receive → verify identity → record → resolve → respond and document.
  • You can refuse, on reasoned grounds, only when there is a legal cause, and you must always keep a record.
  • Handling rights manually scales poorly: a process (and the right technology) makes it sustainable.

Exercising rights is the moment when data protection stops being theory and becomes a concrete interaction with a person. Law 21.719 strengthens these rights and, with them, data subjects' expectations. A prepared company handles them as a trust opportunity; one that improvises experiences them as a threat.

In this operational guide you'll see each right, the step-by-step response flow, how to handle deadlines and identity verification, when you can refuse, and a template ready to adapt. To locate this front within the full program, check the compliance checklist.

1. What ARSOP rights are

ARSOP is the acronym for the rights Law 21.719 grants to data subjects: Access, Rectification, Suppression, Opposition and Portability. They are the extended version of the classic ARCO rights (Access, Rectification, Cancellation and Opposition): the “S” for suppression is equivalent to the former cancellation, and portability is expressly added. The law also contemplates blocking the processing in certain cases.

The underlying principle is simple: people keep control over their data even after handing it to us, and the organization must facilitate —not hinder— that control.

2. Each right in detail

  • Access: the data subject can learn what data of theirs you process, for what purpose, where it came from and with whom it's shared. It is the most frequent request and, often, the gateway to the others.
  • Rectification: they can request correction of inaccurate, outdated or incomplete data.
  • Suppression: they can request deletion of their data when it's no longer necessary, they withdraw consent or the processing doesn't comply with the law (with the legal exceptions).
  • Opposition: they can object to a specific processing, for example to receiving marketing communications or to profiling.
  • Portability: they can request their data in a structured, commonly used format to reuse it or move it to another controller.
  • Blocking: the temporary suspension of processing while a request or dispute is resolved. A temporary blocking request must be answered within a short window of 2 business days, so an expedited procedure is advisable.

3. The step-by-step response flow

An orderly process turns each request into a predictable sequence:

  1. Receipt: receive the request through a defined channel and acknowledge it immediately.
  2. Identity verification: confirm the requester is indeed the data subject (or their representative).
  3. Recording: log the request, the date and the response deadline.
  4. Search and assessment: locate the data in your systems (the RoPA is key here) and assess whether the right applies or an exception does.
  5. Resolution: execute the action (deliver, correct, delete, block, export) or substantiate the refusal.
  6. Response and documentation: respond to the data subject clearly and keep evidence of the whole process.

Step 4 depends entirely on knowing where your data lives. If you don't have an up-to-date inventory and RoPA, a single access request can turn into a days-long manual search across scattered spreadsheets and systems.

4. Deadlines and how to count them

The law sets a defined deadline, counted in business days, to answer rights requests, and a shorter one —2 business days— to resolve temporary blocking. Beyond the exact count, what's assessed is that you respond on time and without undue delay. We recommend three habits that reduce risk:

  • Acknowledge receipt immediately, indicating the request is being handled.
  • Set an internal response date and assign an owner, so no request is left without one.
  • Communicate progress when a request is complex or needs more time than usual.

The clock runs from the moment the request is valid (identity verified). That's why verification should be agile: stalling it only delays everything and damages the data subject's experience.

5. Identity verification

Before delivering or modifying data, you must be reasonably sure who is on the other side. Delivering data to the wrong person is, in itself, a breach. Good practices:

  • Ask for the minimum data needed to verify; don't use the opportunity to collect more.
  • Adjust the verification level to the sensitivity of what's requested.
  • Define how representation is proven when someone acts on another's behalf.
  • Document the verification method used in each case.

6. When you can refuse

Not all rights are absolute. A request can be refused —always on reasoned and documented grounds— when there is a legal cause, for example:

  • There is a legal obligation to keep the data (tax, labor, etc.).
  • The data is necessary for the exercise or defense of claims.
  • Fulfilling the request would affect third parties' rights.
  • The request is manifestly unfounded or excessive, for example, repetitive without cause.

The key is that the refusal is never silent: the data subject is informed, the reason is explained and a record is kept. A well-grounded refusal is defensible; a refusal without explanation is non-compliance.

7. Response template

A starting point you can adapt to your organization and to each type of right:

Dear [name],

We have received your request for [access / rectification / suppression / opposition / portability] of personal data, submitted on [date]. After verifying your identity, we inform you of the following:

[Outcome: detail of the data / confirmation of the correction or deletion / delivery of the portability file / grounds for the refusal, as applicable.]

If you have questions about this response, you can contact us at [channel]. You may also approach the Personal Data Protection Agency if you believe your rights have not been respected.

Sincerely,
[Owner / Data Protection Officer] — [Organization]

8. How to build a process that scales

Handling one request a month by hand is feasible. Handling dozens is not. As volume grows —or after a campaign, a breach or a news story— requests arrive in waves. A sustainable process combines:

  • A single, known channel to receive requests.
  • Defined flows and owners, with deadlines and records.
  • An up-to-date RoPA that lets you find data fast.
  • Rights management technology (DSAR) that automates intake, verification, tracking and evidence.

Privacy management platforms like OneTrust are built precisely for this. We look at how they fit into a real program in OneTrust implementation in Chile.


Frequently asked questions

What are ARSOP rights?

The acronym for the rights Law 21.719 grants to data subjects: Access, Rectification, Suppression, Opposition and Portability. They extend the classic ARCO rights (Access, Rectification, Cancellation and Opposition) by expressly incorporating data portability.

Within what deadline must you respond?

The law sets a defined deadline, counted in business days, to answer rights requests, and a shorter one —2 business days— to resolve temporary blocking. The recommended approach is to acknowledge receipt immediately, verify the requester's identity and provide a reasoned response within the deadline. If a request is especially complex, it's good practice to inform the data subject of its status.

Can you charge for handling a request?

As a general rule, exercising rights is free for the data subject. Only in narrow cases —for example, manifestly unfounded or excessive requests, particularly repetitive ones— could an exception be justified, and it must be supportable.

When can you refuse a request?

On reasoned grounds, when there is a legal cause: for example, a legal obligation to keep the data, the exercise or defense of claims, or when it would affect third parties' rights. The refusal must be reasoned, communicated to the data subject and recorded.
