A Digestible Guide to Individual’s Rights under GDPR
What are my rights under the GDPR?
1. You have the right to information.
- Companies and organisations are now required to communicate to you, in plain and accessible language, what personal data they process and how they use it. (“Processing” includes anything related to the collection, aggregation, mining or sharing of data.)
- If a company or organisation builds a profile on you (e.g. from data matched up from different sources), you have the right to know what’s in this profile.
2. You have the right to secure handling.
The GDPR regulates that personal data should be stored and processed securely.
3. You have the right to access the personal data a company/organisation holds on you, at any time.
- If the data is inaccurate, you can change or complete it.
- If the data is no longer necessary, you can ask the company/organisation to delete it.
- If you initially gave the company/organisation more data than was necessary for receiving the service (e.g. for marketing purposes), but no longer want them to have this data, you can ask them to delete it.
4. You have the right to use a service without giving away additional data.
If a company/organisation wants to process personal data that is not strictly necessary for the provision of a particular service (e.g. a transport app that wants access to your phone’s contact list), they need to get your explicit consent to process that data. Note that even if a company believes that certain data is in their interest to process, this does not always mean that it is necessary. If you have already consented to the processing of additional data, you can always withdraw this consent.
5. With automated decisions, you have the right to explanation and human intervention.
- If a decision has been made about you through automatic mechanisms, you have the right to know how the decision was made (i.e. you are entitled to an explanation of the logic behind the mechanism used).
- When it comes to automated decision-making, you have a right to human intervention, and the right to contest any decision made.
6. How will these rights be enforced?
Each country will have an independent public Data Protection Authority (DPA) to ensure that companies are in compliance with the regulation. You have the right to lodge a complaint with your DPA or to go to court if you feel that your rights have been violated.
7. Do I need to do anything?
No. It’s up to companies and organisations to make sure that your personal data is protected. There are, however, still decisions you’ll need to make.
- For new services you want to use: If the company is asking you to give them data, do you really want to agree? (If the service only processes necessary data, they are required to inform you but do not need to ask for special consent to do so. They do, however, need to ask for explicit consent when they want data that’s not necessary).
- For the services you’re using at the moment: Are you still comfortable with the way the company/ organisation collects, analyses and shares your personal data? If you no longer agree, you can simply say “no”.
- Finally: if you think your rights are not being upheld, you can decide to report it to your DPA, or even challenge the company in court.
8. Does it mean I can “delete” myself?
Not quite. You can’t delete all your personal data whenever you want to. But you can ask to have your data deleted in a few specific situations – for example if a company/organisation no longer needs it it in order to provide the service you are using, or if you decide to withdraw your consent. However, even in such cases, companies may still have viable reasons to keep your data, for example for tax purposes or to protect themselves from possible future claims.
9. Can I talk to companies about their use of my data?
Absolutely! The GDPR requires that companies and organisations respond to questions about personal data. This includes whether or not they process your personal data in the first place, and if so for what purpose, how long it will be stored, and with whom it is shared. And if you ever change your mind about what you have consented to or accepted, companies and organisations are also required not only to make it easy for you to communicate this choice, but also to act upon it.
10. What can I do if a company is using my personal data against my will?
- It may be useful to contact the company itself first. Regardless of whether you do that, however, you can also file a complaint with your national Data Protection Authority – even if the company does not have an office in your country. And if you’re not satisfied with the DPA’s decision, you can take the company to court.
- You can also skip the DPA and go directly to court if you feel your rights have been violated.
- If as a result of a violation you have suffered material or non-material damage, you can seek financial compensation.
- Third parties, such as consumer protection agencies, digital rights foundations or other interest groups, could also litigate on behalf of you and others.
11. Why are some companies critical of the GDPR?
Many companies have become used to treating your data as a ‘free resource’ – something they could take without asking permission and exploit for their own financial gain; something they could collect without limit, without protecting it. The GDPR is a powerful tool to force companies to re-evaluate the risks involved – not just to the individuals whose data they process, but also to themselves, in terms of fines and loss of customer trust – and to treat your data with the common-sense care and respect that should really have been in place from the beginning.
12. Does the GDPR apply to the data my employer has on me?
Yes. Your employer, like any other organisation that processes data, has to conform to the GDPR. However each EU member state can adopt more specific rules when it comes to the employment relationship. If you’re interested in this, you should look for more information on your national Data Protection Authority’s website.
13. Does the GDPR apply to US companies?
Yes. As soon as a company monitors or tracks the behaviour of internet users on EU territory, the regulation will kick in – no matter where the company is based.
GDPRexplained: a social campaign launched today reminds the new regulation is there to protect our rights (25.05.2018)
Press Release: GDPR: A new philosophy of respect (25.05.2018)
The four year battle for the protection of your data (24.05.2018)