Know Your Rights: Understanding the GDPR from a Consumer Perspective
The General Data Protection Regulation (GDPR) is a law created by the European Union (EU) that says organizations need to follow certain privacy and security standards when they collect online information related to people in the EU. Organizations that handle user data – including EU and non-EU organizations – must comply with GDPR restrictions or face a steep fine. Large tech companies such as Google and Facebook have already been slammed with fines by GDPR regulators.
The GDPR doesn’t only rely on fining organizations to protect consumer privacy and security. The regulation also empowers consumers to look after their own data security by allowing them to ask companies for their data at any time, or even request that data about them be removed.
How do your consumer rights work under the GDPR, and how do you know if the GDPR applies to you?
The eight rights of the GDPR
Under the GDPR, consumers have eight fundamental rights concerning their data.
1. The right to information
According to Article 13 of the GDPR, an organization must tell you what data is being collected about you. They also have to tell you:
- How the data is collected
- How the data is used
- How long the data will be kept
- Whether the data is shared with third parties
Organizations must tell you this information at the moment they collect your information, not afterward.
2. The right to access
Article 15 of the GDPR gives you, the data subject, the right to access your personal data that a company has processed. When you submit a subject access request (SAR), the organization usually has one month to produce it and must do so free of charge. If you make multiple or excessive requests, however, the organization may take longer to provide the information or charge a reasonable fee.
3. The right to rectification
If, after accessing your data from an organization, you see that it’s incorrect, you can request a correction or update. Article 16 of the GDPR states that not keeping accurate information on data subjects threatens the privacy of more than one individual. If a company holds onto your information and uses it to contact you without your consent, it is a GDPR violation.
4. The right to erasure
Article 17 covers the right to erasure, or the right to be forgotten. This right allows you to ask an organization to erase your data if it was unlawfully processed, you withdraw your consent on how it was processed, or you deem it no longer necessary for the organization to have it. The organization can refuse to accommodate your request to erase your data if the processing involves:
- Right to freedom of expression and information
- Compliance with a legal obligation or the public interest
- Reasons of public interest related to public health
5. The right to restrict processing
Under Article 18 of the GDPR, you can ask organizations to limit the way they use your personal data. This right is an alternative to the right to erasure when you want to contest the accuracy of the data.
6. The right to data portability
According to Article 20, you may receive the data an organization has on you in a commonly used format and either send it to another data controller or use it for personal purposes.
7. The right to object
You can object to the collection and processing of your personal data under Article 21 of the GDPR. The organization can only override your objection if they have a legitimate interest to collect your data.
8. The right to avoid automated decision-making
Under Article 21, you have the right to avoid decisions made with no human involvement, such as automated profiling. You can challenge an organization or request a review if you believe it hasn’t followed this rule.
How does the GDPR define personal data?
It’s important to note that the GDPR only applies to personal data. Article 4 (1) of the GDPR defines “personal data” as any information related to an identified or identifiable natural person. This includes data that can be assigned to a person, and may include:
- Some kind of identification number
- Location data
- Online identifier (like a username)
- Telephone number
- Credit card number
- Personnel number
- Account data
- Number plate
- Customer number
- IP addresses
- Clock in and out times for employees
- Opinions or judgements about a person
Anything that expresses a physical, physiological, genetic, mental, commercial, cultural, or social identity of a natural person can fall under personal data.
How to request your personal data
You can request access to your personal data at any time, with a SAR. There’s no specific form to fill out or formal process to undergo. You may try to search the organization’s website to see if they have a data protection officer who handles such requests. If they don’t, you can submit a SAR to the organization as a whole, verbally or in writing, including over social media.
You can also ask someone else to request your data for you. The organization has about one month to reply and should not charge you for the SAR.
Does the GDPR apply to you?
The GDPR applies to all organizations operating within the EU, as well as any organizations outside the EU that offer goods and services to customers or entities in the EU. As an EU citizen or resident, you can exercise the eight rights listed above concerning EU organizations or non-EU organizations that target EU audiences. If you’re not an EU citizen or resident, then you may not be able to exercise the eight GDPR rights concerning your personal data.
Your rights under the GDPR
The GDPR is a landmark piece of legislation in data protection and privacy. As a consumer, you should know how to take full advantage of the rights it affords you.