Know Your Rights: Understanding the GDPR from a Consumer Perspective


The General Data Protection Regulation (GDPR) is a law created by the European Union (EU) that requires organizations to follow certain privacy and security standards when they collect online information related to people in the EU. Organizations that handle user data – including EU and non-EU organizations – must comply with GDPR restrictions or face a steep fine. Large tech companies such as Google and Facebook have already been slammed with fines by GDPR regulators.

The GDPR doesn’t only rely on fining organizations to protect consumer privacy and security. The regulation also empowers consumers to look after their own data security by allowing them to ask companies for their data at any time, or even request that data about them be removed.

How do your consumer rights work under the GDPR, and how do you know if the GDPR applies to you?

The eight rights of the GDPR

Under the GDPR, consumers have eight fundamental rights concerning their data.

1. The right to information

According to Article 13 of the GDPR, an organization must tell you what data is being collected about you. They also have to tell you:

  • How the data is collected
  • How the data is used
  • How long the data will be kept
  • Whether the data is shared with third parties

Organizations must tell you this information at the moment they collect your information, not afterward.

2. The right to access

Article 15 of the GDPR gives you, the data subject, the right to access your personal data that a company has processed. When you submit a subject access request (SAR), the organization usually has one month to produce it and must do so free of charge. If you make multiple or excessive requests, however, the organization may take longer to provide the information or charge a reasonable fee.

3. The right to rectification

If, after accessing your data from an organization, you see that it’s incorrect, you can request a correction or update. Article 16 of the GDPR states that not keeping accurate information on data subjects threatens the privacy of more than one individual. If a company holds onto your information and uses it to contact you without your consent, it is a GDPR violation.

4. The right to erasure

Article 17 covers the right to erasure, or the right to be forgotten. This right allows you to ask an organization to erase your data if it was unlawfully processed, you withdraw your consent on how it was processed, or you deem it no longer necessary for the organization to have it. The organization can refuse to accommodate your request to erase your data if the processing involves:

  • Right to freedom of expression and information
  • Compliance with a legal obligation or the public interest
  • Reasons of public interest related to public health

5. The right to restrict processing

Under Article 18 of the GDPR, you can ask organizations to limit the way they use your personal data. This right is an alternative to the right to erasure when you want to contest the accuracy of the data.

6. The right to data portability

According to Article 20, you may receive the data an organization has on you in a commonly used format and either send it to another data controller or use it for personal purposes.

7. The right to object

You can object to the collection and processing of your personal data under Article 21 of the GDPR. The organization can only override your objection if they have a legitimate interest to collect your data.

8. The right to avoid automated decision-making

Under Article 21, you have the right to avoid decisions made with no human involvement, such as automated profiling. You can challenge an organization or request a review if you believe it hasn’t followed this rule.

How does the GDPR define personal data?

It’s important to note that the GDPR only applies to personal data. Article 4 (1) of the GDPR defines “personal data” as any information related to an identified or identifiable natural person. This includes data that can be assigned to a person, and may include:

  • Name
  • Some kind of identification number
  • Location data
  • Online identifier (like a username)
  • Telephone number
  • Credit card number
  • Personnel number
  • Account data
  • Number plate
  • Appearance
  • Customer number
  • IP addresses
  • Clock in and out times for employees
  • Opinions or judgements about a person

Anything that expresses a physical, physiological, genetic, mental, commercial, cultural, or social identity of a natural person can fall under personal data.

How to request your personal data

You can request access to your personal data at any time, with a SAR. There’s no specific form to fill out or formal process to undergo. You may try to search the organization’s website to see if they have a data protection officer who handles such requests. If they don’t, you can submit a SAR to the organization as a whole, verbally or in writing, including over social media.

You can also ask someone else to request your data for you. The organization has about one month to reply and should not charge you for the SAR.

Does the GDPR apply to you?

The GDPR applies to all organizations operating within the EU, as well as any organizations outside the EU that offer goods and services to customers or entities in the EU. As an EU citizen or resident, you can exercise the eight rights listed above concerning EU organizations or non-EU organizations that target EU audiences. If you’re not an EU citizen or resident, then you may not be able to exercise the eight GDPR rights concerning your personal data.

Your rights under the GDPR

The GDPR is a landmark piece of legislation in data protection and privacy. As a consumer, you should know how to take full advantage of the rights it affords you.
