Onccloud

GDPR: Know Your Rights as a Consumer Under Data Privacy Laws

The General Data Protection Regulation (GDPR) is a law created by the European Union (EU) that requires organizations to follow certain privacy and security standards when they collect online information related to people in the EU. Organizations that handle user data – including EU and non-EU organizations – must comply with GDPR restrictions or face a steep fine. Large tech companies such as Google and Facebook have already been slammed with fines by GDPR regulators.

The GDPR doesn’t only rely on fining organizations to protect consumer privacy and security. The regulation also empowers consumers to look after their own data security by allowing them to ask companies for their data at any time, or even request that data about them be removed.

How do your consumer rights work under the GDPR, and how do you know if the GDPR applies to you?

Under the GDPR, consumers have eight fundamental rights concerning their data.

1. The right to information

According to Article 13 of the GDPR, an organization must tell you what data is being collected about you. They also have to tell you:

Organizations must tell you this information at the moment they collect your information, not afterward.

2. The right to access

Article 15 of the GDPR gives you, the data subject, the right to access your personal data that a company has processed. When you submit a subject access request (SAR), the organization usually has one month to produce it and must do so free of charge. If you make multiple or excessive requests, however, the organization may take longer to provide the information or charge a reasonable fee.

3. The right to rectification

If, after accessing your data from an organization, you see that it’s incorrect, you can request a correction or update. Article 16 of the GDPR states that not keeping accurate information on data subjects threatens the privacy of more than one individual.
If a company holds onto your information and uses it to contact you without your consent, it is a GDPR violation.

4. The right to erasure

Article 17 covers the right to erasure, or the right to be forgotten. This right allows you to ask an organization to erase your data if it was unlawfully processed, you withdraw your consent on how it was processed, or you deem it no longer necessary for the organization to have it. The organization can refuse to accommodate your request to erase your data if the processing involves:

5. The right to restrict processing

Under Article 18 of the GDPR, you can ask organizations to limit the way they use your personal data. This right is an alternative to the right to erasure when you want to contest the accuracy of the data.

6. The right to data portability

According to Article 20, you may receive the data an organization has on you in a commonly used format and either send it to another data controller or use it for personal purposes.

7. The right to object

You can object to the collection and processing of your personal data under Article 21 of the GDPR. The organization can only override your objection if they have a legitimate interest to collect your data.

8. The right to avoid automated decision-making

Under Article 21, you have the right to avoid decisions made with no human involvement, such as automated profiling. You can challenge an organization or request a review if you believe it hasn’t followed this rule.

It’s important to note that the GDPR only applies to personal data. Article 4 (1) of the GDPR defines “personal data” as any information related to an identified or identifiable natural person. This includes data that can be assigned to a person, and may include:

Anything that expresses a physical, physiological, genetic, mental, commercial, cultural, or social identity of a natural person can fall under personal data.

You can request access to your personal data at any time, with a SAR.
There’s no specific form to fill out or formal process to undergo. You may try to search the organization’s website to see if they have a data protection officer who handles such requests. If they don’t, you can submit a SAR to the organization as a whole, verbally or in writing, including over social media. You can also ask someone else to request your data for you. The organization has about one month to reply and should not charge you for the SAR.

The GDPR applies to all organizations operating within the EU, as well as any organizations outside the EU that offer goods and services to customers or entities in the EU. As an EU citizen or resident, you can exercise the eight rights listed above concerning EU organizations or non-EU organizations that target EU audiences. If you’re not an EU citizen or resident, then you may not be able to exercise the eight GDPR rights concerning your personal data.

The GDPR is a landmark piece of legislation in data protection and privacy. As a consumer, you should know how to take full advantage of the rights it affords you.
