The General Data Protection Regulation (GDPR) was adopted by the European Union in April 2016 and has applied since 25 May 2018. It strengthens individuals' data privacy rights and regulates how organizations handle personal data.
GDPR replaced the 1995 Data Protection Directive, which predated smartphones, cloud services and large-scale online tracking. The reform was proposed in 2012 and adopted in 2016 amid growing concern about digital surveillance and data misuse. The Cambridge Analytica revelations of March 2018, which showed how Facebook profile data had been harvested and used for political targeting, broke only weeks before GDPR became enforceable and illustrated exactly the kind of misuse the regulation was designed to address.
GDPR gives users strong, enforceable protections. For example, a customer who does not want their data processed for direct marketing can exercise the Right to Object, and the company must stop using their personal information for that purpose.
GDPR does not guarantee that your data is encrypted. What it does require (Articles 25 and 32) is that organizations apply security measures appropriate to the risk, and it names pseudonymization and encryption as examples of such measures. Keep in mind that pseudonymized data is still personal data under GDPR: it can be re-attributed to you using information the organization holds separately, so it remains fully covered by your rights.
If this sounds overwhelming, don’t worry! We’ve dedicated a full blog to explain how you can implement these rights in your organization and take the necessary steps to safeguard your data.

What is the GDPR?
It’s best to start with the basics. GDPR, or General Data Protection Regulation, is the EU's set of rules for handling personal data, and it protects anyone whose data is processed in connection with the EU/EEA, whatever their nationality. You can think of GDPR as the rulebook for managing personal data, much like how traffic laws ensure safety on the roads. Applicable since 25 May 2018, GDPR sets the standards for how businesses collect, store, and use personal information, and it gives individuals enforceable rights over their own data. It does not make any website secure by itself; what it gives you is a set of rights you can enforce when an organization falls short.

The primary goal of GDPR is to safeguard personal data regardless of the technology used to process it. Data held in IT systems, on paper in a structured filing system, or captured by video surveillance is all in scope. At its core, GDPR sets out obligations an organization must meet whenever it uses someone's data. The key principles (Article 5) are that the organization must have a valid legal basis (lawfulness), be open about what it does with the data (transparency), collect only what it needs for a stated purpose (purpose limitation and data minimization), keep the data accurate, keep it no longer than necessary (storage limitation), keep it secure (integrity and confidentiality), and be able to demonstrate all of this (accountability).
The 8 Fundamental GDPR Rights

Now it’s time to dive into your rights. So, what are the 8 rights under GDPR? (Strictly speaking, Chapter III of the regulation lists the rights to be informed, of access, to rectification, to erasure, to restriction, to portability, to object, and in relation to automated decision-making. This article counts the withdrawal of consent, which sits in Article 7, as a right of its own and treats the right to be informed as part of access and transparency.)
1. Right to Access
This right (Article 15) allows individuals to ask an organization to confirm whether it processes their personal data and to obtain a copy of that data, along with the purposes of the processing, the recipients, the retention period, and the source of the data if it was not collected from them directly. Organizations must respond without undue delay and at the latest within one month of receiving the request, in a concise and intelligible form. The right applies equally to online platforms and brands, so you can see what they hold about you, including data gathered from social media activity or private messages.
2. Right to Rectification
If your personal data is inaccurate or incomplete, you have the right (Article 16) to have it corrected or completed. Once you make a rectification request, the organization must make the necessary adjustments so that its records are accurate. Reviewing the data organizations hold about you periodically is a good habit, and accurate records also protect the business from making decisions based on wrong information.
3. Right to Erasure (Right to Be Forgotten)
The vastness of the internet can be overwhelming at times. With the right to erasure (Article 17), you can request the deletion of your personal data, for example when it is no longer necessary for the purpose it was collected for, when you withdraw consent and no other legal basis applies, or when it was processed unlawfully. Where the organization has made the data public, it must also take reasonable steps to inform other controllers that you have asked for it to be erased. The right is not absolute: an organization can refuse where it needs the data to comply with a legal obligation, to exercise freedom of expression, or to establish or defend legal claims, and it must tell you why it is refusing.
4. Right to Restrict Processing
Here’s some news you might not want to hear: it’s important to read the terms and conditions before just clicking “I agree.” But the good news is that if there’s a dispute regarding the accuracy of your data or the legality of how a company processes it, you can request that processing be restricted (Article 18). The company may then only store the data, and must not process it further without your consent, until the issue is resolved; it must also tell you before lifting the restriction.
5. Right to Data Portability
Without this right, imagine the frustration of re-entering your information every time you switch providers. The right to data portability (Article 20) lets you receive the personal data you provided to a service in a structured, commonly used and machine-readable format, and to have it transmitted directly to another provider where that is technically feasible. It applies to data processed by automated means on the basis of your consent or a contract. It’s similar to moving your savings from one bank to another: you should be able to take your data with you without any unnecessary obstacles.
6. Right to Object
Under Article 21 you can object to processing based on an organization's legitimate interests or on a public-interest task, and the organization must stop unless it can demonstrate compelling legitimate grounds that override your interests. For direct marketing the right is absolute: once you object, the organization must stop using your data for marketing, including any profiling linked to it, with no exceptions. This keeps you in control even where you never gave consent in the first place.
7. Rights Related to Automated Decision-Making
When making a significant purchase or resolving an issue, most people prefer to speak with a human representative rather than a chatbot. Article 22 gives you the right not to be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects on you, such as an automated loan rejection or job-application screening. Where such a decision is permitted (for example because it is necessary for a contract or you explicitly consented to it), you can still demand human intervention, express your point of view, and contest the decision.
8. Right to Withdraw Consent
Always remember, you have the right to withdraw your consent at any time (Article 7(3)), and withdrawing must be as easy as giving it. If you’ve previously agreed to share your data with a business, you can revoke that consent, and the organization must stop the processing that relied on it. Withdrawal does not make earlier processing unlawful, and it does not affect processing the organization carries out on a different legal basis, such as a contract or a legal obligation.
How to Exercise Your GDPR Rights
Now that you know the rights you have over your personal data, it’s time to exercise them. If you believe an organization is misusing your data or failing to comply with GDPR, you can follow this guide.

Step 1: Submit a Data Subject Access Request (DSAR)
As mentioned earlier, you have the right to request access to your personal data, and separately to request its correction or deletion. A Data Subject Access Request (DSAR) is the formal way to ask for access. GDPR does not prescribe a form: a request sent by email counts, and you do not need to cite an article number or use the term “DSAR”. The organization may ask you to confirm your identity before releasing data, which is a legitimate safeguard against someone else obtaining your records.
If you are wondering how to exercise your GDPR rights, here is an example email:
Subject: Request for Access to Personal Data Under GDPR
Dear [Data Protection Officer/Company Name],
I am writing to formally request access to the personal data that [Company Name] holds about me, as per my rights under the General Data Protection Regulation (GDPR). Please provide the following:
- A copy of all personal data you have related to me.
- Details of how this data is being processed and shared.
- Any third parties with whom my data has been shared.
- Information on how long my data is stored, and the source of any data not collected directly from me.
If any of my information is incorrect or incomplete, I kindly ask that you rectify it. Additionally, if my data is no longer necessary for its original purpose, I request its deletion as per Article 17 (Right to Erasure).
Please respond within one month of receipt, as required by Article 12(3).
Best Regards,
[Your Name]
[Your Contact Information]
Step 2: Escalate to a Supervisory Authority
Most organizations will respond, but some may be reluctant to share or delete your information. If an organization fails to respond within the deadline or rejects your request without a valid reason, Article 77 gives you the right to lodge a complaint with a Supervisory Authority (SA), the independent public body that enforces GDPR in each EU/EEA country. You do not need to go to court first; court action is a separate option covered in Step 3.
It’s important to remember that each country has its own Data Protection Authority (DPA) that enforces GDPR. Under Article 77 you can complain to the DPA of the country where you live, where you work, or where the alleged infringement took place. If the organization's main establishment is in another EU country, the authorities coordinate under the one-stop-shop mechanism and the lead authority handles the case. Here are some key Data Protection Authorities (DPAs) in the EU:
- Ireland – Data Protection Commission (DPC): dataprotection.ie
- Germany – Federal Commissioner for Data Protection (BfDI): bfdi.bund.de (the BfDI supervises federal public bodies and telecoms and postal providers; complaints about most private companies go to the DPA of the German state, or Land, where the company is based)
- France – CNIL (Commission Nationale de l'Informatique et des Libertés): cnil.fr
- Italy – Garante per la protezione dei dati personali: garanteprivacy.it
- Spain – Agencia Española de Protección de Datos (AEPD): aepd.es
Step 3: Legal Recourse for Non-Compliance
GDPR rights should be taken seriously by any organization. Under Article 83, infringements of the core principles, of data subjects' rights, or of the international transfer rules can be fined up to €20 million or 4% of worldwide annual turnover, whichever is higher; other infringements, such as failing to keep records or to carry out a required DPIA, carry a maximum of €10 million or 2%. Beyond administrative fines, Article 79 gives you the right to bring a case before the courts, and Article 82 entitles you to compensation for material or non-material damage caused by an infringement. We’ve compiled a list of some of the most well-known companies that have been penalized for failing to comply.
Notable GDPR Fines
Meta (2023)
Meta, one of the largest social media networks, was fined €1.2 billion by the Irish DPC in May 2023, at the time the largest GDPR fine ever issued, for continuing to transfer Facebook users' personal data from the EU to the U.S. on the basis of Standard Contractual Clauses after the Court of Justice's Schrems II ruling. The DPC found that those clauses did not address the risk of access by U.S. intelligence authorities, so the transfers infringed GDPR's Chapter V transfer rules, and it ordered the transfers suspended. Earlier in 2023 the DPC had fined Meta a further €390 million (€210 million for Facebook and €180 million for Instagram) after a binding EDPB decision found that Meta could not rely on “performance of a contract” as the legal basis for behavioural advertising simply by bundling it into its terms of service, and that users had not been clearly told what they were agreeing to. These decisions emphasised the importance of a valid legal basis and of transparency.
Amazon (2021)
Amazon’s case began with a 2018 complaint to France's CNIL by the privacy group La Quadrature du Net, supported by over 10,000 consumers, alleging that Amazon's behavioural advertising system processed personal data without valid consent. If you've ever noticed ads on Amazon tailored to your interests, you're familiar with the practice in question. Because Amazon's EU headquarters are in Luxembourg, the case was handled by the Luxembourg DPA (CNPD), which in July 2021 fined the company €746 million for violating GDPR’s data processing principles and ordered it to change its practices. Amazon disputed the findings and appealed the decision.
TikTok (2023)
Given the internet’s risks, especially for younger users, TikTok, one of the most popular video content apps, did not adequately protect minors’ privacy. In September 2023 the Irish DPC fined the platform €345 million. Accounts of users aged 13-17 were set to public by default, so their videos and comments were visible to anyone, and the Family Pairing feature allowed an adult to be linked to a child's account without verifying that the adult was actually a parent or guardian, which could then be used to enable direct messaging for 16- and 17-year-olds. The DPC also found that the registration and video-posting flows used design nudges (“dark patterns”) that steered children toward less private settings. The case shows that GDPR's data-protection-by-default requirement (Article 25) applies with particular force to minors.
H&M (2020)
GDPR applies to employees as well as customers. In October 2020, the Hamburg Data Protection Authority fined H&M €35.3 million for secretly profiling employees at its Nuremberg service center. After returning from sick leave or vacation, employees attended “welcome back” meetings where managers recorded sensitive details, including health conditions, family problems and religious beliefs, on a shared network drive. Up to 50 managers had access to this data, which was used to evaluate employees' performance and inform employment decisions. The practice came to light in 2019 when a configuration error made the data accessible company-wide for several hours.

Common GDPR Misconceptions
There’s no need for conspiracy theories when it comes to internet data protection. Understanding your rights, and the framework GDPR provides for them, is crucial. Addressing the misconceptions below should clear up some common fears and confusion about data protection laws and compliance.
Myth: GDPR Only Applies to EU-Based Companies
Although we’ve listed European DPAs, this doesn’t mean the company must be based in Europe. Under Article 3, GDPR applies to any organization established in the EU, and also to organizations outside the EU if they offer goods or services to people in the EU or monitor their behaviour there. What matters is where you are, not your passport: anyone located in the EU is protected, whatever their nationality, while an EU citizen living abroad is generally not covered for processing that has no connection to the EU.
Myth: Individuals Need a Lawyer to File a Complaint
One reason some people hesitate to file a GDPR complaint is the fear of lawyer fees. Remember that filing a complaint is your right, just like requesting erasure. Anyone can file a GDPR complaint without legal representation: DPAs accept complaints directly, usually through an online form, and handling them is free of charge for the individual.
Myth: All Data Requests Must Be Fulfilled Immediately
As previously mentioned, organizations must respond to data subject requests without undue delay and at the latest within one month. In complex cases, or when handling many requests from the same person, they can extend this by a further two months, but they must tell you within the first month that they are extending the deadline and why.
Business Obligations Under GDPR
Requirements for Data Controllers & Processors
- Appointing a Data Protection Officer (DPO): Article 37 requires a DPO where the organization is a public authority, where its core activities involve regular and systematic large-scale monitoring of individuals (a social media platform or ad-tech company, for example), or where its core activities involve large-scale processing of special categories of data (health, biometrics, religion and so on) or criminal-offence data. Many other companies appoint one voluntarily. The DPO oversees data protection practices, advises on compliance, and is the contact point for the DPA and for data subjects.
- Conducting Data Protection Impact Assessments (DPIAs): Article 35 requires a DPIA before starting any processing likely to result in a high risk to individuals, for example systematic profiling with significant effects, large-scale processing of special-category data, or large-scale monitoring of public areas. Failing to carry out a required DPIA falls into the lower fining tier: up to €10 million or 2% of global annual turnover under the EU GDPR, and up to £8.7 million or 2% under the UK GDPR, whichever is higher.
GDPR Compliance Checklists for Business

It’s always better to be safe than sorry, so maintaining a GDPR compliance checklist is essential for businesses. Typical areas include: a record of processing activities (Article 30), a documented legal basis for each processing purpose, data processing agreements with vendors (Article 28), consent management, technical and organizational security measures (Article 32), a process for handling data subject requests within the one-month deadline, and a breach notification procedure that can reach the DPA within 72 hours (Article 33).
FAQs About GDPR Rights
Can non-EU citizens use GDPR?
Yes. GDPR protects anyone whose data is processed by an organization established in the EU, and anyone in the EU whose data is processed by an organization outside it that targets or monitors people in the EU. Nationality is irrelevant; location and the organization's activities are what count.
How long can companies store my data?
Only as long as the data is needed for the purpose it was collected for (the storage limitation principle, Article 5(1)(e)), or as long as a law requires them to keep it, as tax and accounting rules often do. Once no purpose remains, the data must be deleted or anonymized. Properly anonymized data that can no longer be linked to you falls outside GDPR's scope, whereas pseudonymized data does not.
What if a company refuses my erasure request?
The right to erasure is strong but not absolute. A company may refuse if one of the Article 17(3) exceptions applies, for example if it must keep the data to meet a legal obligation or to defend a legal claim, and it must tell you the reasons for the refusal and of your right to complain (Article 12(4)). If it refuses without a valid reason, or simply does not answer within one month, you can complain to the relevant Data Protection Authority (DPA) in your country, which can investigate and order compliance.
What can I do if I don't want my data processed for direct marketing?
You have an absolute right under Article 21(2) to object to the processing of your data for direct marketing, including any profiling done for that purpose. Tell the company, for example via the unsubscribe link or by email, and it must stop, free of charge and without needing a justification from you. If it doesn't comply, you can complain to your Data Protection Authority.