EU data protection rules guarantee the protection of your personal data whenever they are collected – for example, when you buy something online, apply for a job, or request a bank loan. These rules apply to both companies and organizations (public and private) in the EU and those based outside the EU who offer goods or services in the EU, such as Facebook or Amazon, whenever these companies request or re-use the personal data of individuals in the EU.
It doesn’t matter what format the data takes – online on a computer system or on paper in a structured file – whenever information directly or indirectly identifying you as an individual is stored or processed, your data protection rights have to be respected.
When is data processing allowed?
EU data protection rules, also known as the EU General Data Protection Regulation (or GDPR), describe different situations where a company or an organization is allowed to collect or reuse your personal information:
- they have a contract with you – for example, a contract to supply goods or services (i.e. when you buy something online), or an employee contract
- they are complying with a legal obligation – for example, when your employer gives information on your monthly salary to the social security authority, so that you have social security cover
- when data processing is in your vital interests – for example when this might protect your life
- to complete a public task – mostly relating to the tasks of public administrations such as schools, hospitals, and municipalities
- when there are legitimate interests – for example, if your bank uses your personal data to check whether you’d be eligible for a savings account with a higher interest rate
In all other situations, the company or organization must ask for your agreement (known as “consent”) before they can collect or reuse your personal data.
Agreeing to data processing – consent
When a company or organization asks for your consent, you have to make a clear action agreeing to this, for example by signing a consent form or selecting yes from a clear yes/no option on a webpage.
It is not enough to simply opt out, for example by checking a box saying you don’t want to receive marketing emails. You have to opt in and actively agree to your personal data being stored and/or re-used for this purpose.
You should also be given the following information before you decide to opt in:
- information about the company/organization that will process your data, including their contact details, and the contact details of the Data Protection Officer (DPO) if there is one
- the reason why the company/organization will use your personal data
- how long they intend to keep your personal data
- details of any other company or organization that will receive your personal data
- information on your data protection rights (access, correction, deletion, complaint, withdrawal of consent)
All this information should be presented in a clear and understandable way.
Withdrawing consent to use personal data and the right to object
If you previously gave your consent for a company or organization to use your personal data, you can contact the data controller (the person or body handling your personal data) and withdraw your permission at any time. Once you’ve withdrawn your permission, the company or organization can no longer use your personal data.
When an organization is processing your personal data on the basis of its own legitimate interest, as part of a task in the public interest, or in the exercise of official authority, you may have the right to object. In some specific cases, the public interest may prevail and the company or organization may be allowed to continue using your personal data. For example, this could be the case for scientific research and statistics, or for a task performed as part of the official role of a public authority.
For direct marketing emails that promote particular brands or products, your prior consent is required. However, if you are an existing customer of a particular company, they can send you direct marketing emails about their own similar products or services. You have the right to object at any time to receiving such direct marketing, and the company has to stop using your data for that purpose immediately.
In all cases, you should always be given information about the right to object to the use of your personal data the first time that the company or organization contacts you.
Specific rules for children
If your children want to use online services, such as social media, downloading music or games, they will often need approval from you, as their parent or legal guardian, as these services use the child’s personal data. Your child will no longer need parental consent once they’re aged over 16 (in some EU countries this age limit might be as low as 13). Controls to check parental consent have to be effective, for example by using a verification message sent to a parent’s email address.
Access to your personal data
You can request access to the personal data a company or organization has about you, and you have the right to get a copy of your data, free of charge, in an accessible format. They should reply to you within 1 month and have to give you a copy of your personal data and any relevant information about how the data has been used or is being used.
Correcting your personal data
If a company or organization has stored personal data about you that isn’t correct or is missing some information, then you can ask them to correct or update your data.
Transferring your personal data (right to data portability)
In certain situations, you can ask a company or organization to return your data to you or to transfer it directly to another company, if this is technically possible. This is known as “data portability”. For example, you can use this right if you decide to switch from one service to another similar service – for example moving from one social media site to a new one – and you’d like your personal information to be quickly and easily transferred to the new service.
Deleting your personal data (the right to be forgotten)
If your personal data is no longer needed or is being used unlawfully then you can ask for your data to be erased. This is known as “the right to be forgotten”.
These rules also apply to search engines, such as Google, as they’re also considered to be data controllers. You can ask for links to web pages containing your name to be removed from search engine results if the information is inaccurate, inadequate, irrelevant or excessive.
If a company has made your personal data available online and you ask for it to be deleted, the company also has to inform any other websites where the data has been shared that you’ve asked for your data, and links to it, to be deleted.
To protect other rights, such as freedom of expression, some data may not be automatically deleted. For example, controversial statements made by people in the public eye might not be deleted if the public interest is best served by keeping them online.
Unauthorized access to your data (data breach)
If your personal information is stolen, lost or illegally accessed – known as a ‘personal data breach’ – the data controller (the person or body handling your personal data) must report it to the national data protection authority. The data controller must also inform you directly if there are serious risks related to your personal data or privacy due to the breach.
Making a complaint
If you think your data protection rights have not been respected, you can make a complaint directly to your national data protection authority, which will investigate your complaint and give you a response within 3 months.
You can also choose to file a case directly in court against the company or organization concerned instead of first going to your national data protection authority.
You may be entitled to compensation if you suffer material damage, such as financial loss, or non-material damage, such as psychological distress, due to a company or organization not respecting EU data protection rules.
What about cookies?
Cookies are small text files that a website asks your browser to store on your computer or mobile device. Cookies are widely used to make websites work more efficiently by saving your preferences. They are also used to follow your internet use as you browse, make user profiles and then display targeted online advertising based on your preferences.
Websites should explain how the cookie information will be used. You should also be able to withdraw your consent. If you choose to do so, the website still has to provide some sort of minimum service for you, for example, providing access to a part of the website.
Not all cookies require your consent. Cookies used for the sole purpose of carrying out the transmission of a communication do not require consent. This includes, for example, cookies used for “load balancing” (enabling web server requests to be distributed over a pool of machines instead of just one). Cookies that are strictly necessary to provide an online service that you explicitly requested also do not need consent. This includes, for example, cookies used when you fill in an online form or when you use a shopping basket when shopping online.