When a company won't stop calling: what companies and data subjects need to know

A few days ago I saw a query that sums up an increasingly common reality: a person wanted to know what she could do about a company that continued to call her constantly, even after she had asked them to stop contacting her and remove her data from their database.

In the Dominican Republic, there has not traditionally been a strong culture of formally claiming or exercising rights related to personal data protection. For years, many people simply chose to ignore calls, block numbers or resign themselves to receiving unsolicited offers. Law 172-13, in force since 2013, establishes rights and obligations regarding personal data, but for years it has hardly been invoked in practice. That reality is changing, driven both by increased citizen awareness and by some recent legal reforms that substantially raise the consequences of non-compliance.

More and more people want to know what options they have, what their rights are and how they can exercise them. This is particularly evident in sectors such as banking and financial services, where frequent commercial calls are part of many consumers' daily lives. And it is not just a local trend, as international privacy standards demanded by business partners, corporate customers and foreign counterparties are putting pressure on companies to raise their practices beyond what is required by domestic regulation alone.

For data subjects, the law recognises concrete and enforceable rights: access to their data, rectification of inaccurate information, erasure or deletion when the processing no longer has a lawful basis, and - especially relevant in the context of direct marketing - the right to object. An individual can object to the use of his or her data for marketing purposes and request that a company stops contacting him or her. When such a request is made, the organisation has an obligation to deal with it effectively and within the time limits set by law. It is not enough to promise that "the request will be processed"; the change must be reflected in all systems, channels and suppliers involved, and the company must be able to demonstrate that it has done so. In practice, this should ideally be done in writing, via an email to the customer service, compliance or data protection area of the organisation, expressly requesting the cessation of processing for marketing purposes and an opt-out from future campaigns. If the calls persist, the request can also be reiterated by formal intimation, including through a bailiff act. As an extreme measure, there are legal actions that can be brought under Law 172-13.

For companies, this phenomenon should be seen as an important signal. What few people questioned before is now beginning to generate greater scrutiny. And what today are informal enquiries may tomorrow become formal complaints, regulatory investigations or litigation.

In most cases, these problems do not arise out of bad faith. They arise from poor internal processes. One area updates information, but another continues to use an old version of the database. An external provider continues to run campaigns. The call centre does not receive the update in time. And a simple request ends up becoming an unnecessary source of risk. On top of this, many organisations do not have processing contracts in place with their data providers, which means that these third parties operate with personal information without a proper contractual basis.

The adoption of Law 74-25, the new Criminal Code of the Dominican Republic, marks a turning point. Its Articles 198 and 199 criminalise the collection, storage, commercialisation or disclosure of personal data without the consent of the data subject: natural persons can face penalties of one to two years in prison, while legal persons are exposed to fines of up to RD$15,000,000. Non-compliance can no longer be analysed exclusively from an administrative perspective: the exposure now encompasses the civil and, depending on the conduct, the criminal sphere.

Therefore, companies handling large volumes of personal data, especially in highly regulated sectors such as banking, insurance, healthcare and telecommunications, must review their processes before a regulator or a disgruntled customer does.

Reducing such exposure requires a structured approach. Companies should map what personal data they collect, on what legal basis they process it, and for how long they keep it; establish internal procedures for dealing with data subjects' requests within legal deadlines; formalise their relationships with suppliers through data processor contracts; and document their compliance in a way that can be demonstrated to a regulator or a court. This is not about cosmetic documentation: it is about the organisation actually being able to do what it says it does.

Undoubtedly, data protection in the Dominican Republic is entering a new phase. Data subjects are more informed, more aware and less and less willing to tolerate invasive practices.