1. Getting to know the GDPR
The GDPR, shorthand for the General Data Protection Regulation, is a new piece of EU law that will come into force in May 2018 in all EU member states. Being a regulation, ratification by the respective EU parliaments is unnecessary.
The GDPR will replace the currently active piece of legislation called the Data Protection Directive. It has been in place since 1995, when technological advancement (the Internet) was not the focus of the lawmakers and many online services we take for granted today didn’t even exist, and also a time when the European Union was much smaller.
The current directive makes it much more difficult for companies to operate in more than one EU country. This is because every country has its own set of privacy and data protection laws. A company from, say, Austria, would have to acquaint itself and ensure compliance with both Hungarian and Spanish laws if it wished to set up shop there.
This not only places a high financial burden on a (usually new and thriving) company, but it also runs against the core principles of the European Union – the free movement of goods and capital in a single internal market consisting of 28 Member States.
With the GDPR in place, companies (data controllers / processors, this also includes organisations) will have only one piece of regulation to reckon with – the GDPR. Once they ensure that they are compliant with its provisions, they can be certain that what they’re doing is lawful in every EU country. This hugely simplifies business and reduces costs. The playing field is also levelled, as huge companies have had more success navigating the murky waters of privacy regulations. With GDPR, that stops now.
You, as a customer or a user (data subject in the GDPR), can also be safe knowing that there are no legal loopholes a company can use against you. If you’re an EU resident, and a company is providing services to you, it is certain to be bound by the GDPR. You don’t have to look up where the company is headquartered or analyse its privacy regulations.
Additionally, when lodging a complaint, you are free to complain to your local authorities, no matter where the company is from. They will handle it themselves afterwards. What’s not to like?
2. Determine if your rights are respected
The GDPR gives ordinary people plenty of rights – and it pays to acquaint yourself with them. Let’s see what obligations the companies have when it comes to handling your personal information.
- The right to information
Whenever you give your personal information to a company, you have the right to know what it will be used for, why, how long it will be stored, and how you can contact the company. You should get that information right away or within a month at most if the company got your personal data from another company (which it also cannot do unless you were informed of that).
Of course, your consent is required for gathering data. Pre-ticked checkboxes won’t do it anymore. If a company suffers a data breach that could significantly affect you, they are obligated to contact you within 72 hours.
- The right of access
If you want to know what pieces of your personal information the company (data controller, more formally speaking) has on file, you can. Let them know and within a month you will get a copy of all data – as well as the purposes of the processing of your data and the existence of any potential third-party recipients.
- The right to rectification
If, upon obtaining a copy of your data, you find that some pieces of information are wrong or unclear, you can correct your information and the company must update their files as soon as possible.
- The right to erasure
Companies shouldn’t store your data for longer than strictly necessary, and you can order them to delete it. Even if your data is being processed, you can order them to prevent processing and delete all your information. This is the so-called right to be forgotten. Deletion is also easy if your information was being unlawfully processed.
However, sometimes you don’t have the right to delete your data, such as when it’s in the public health or scientific interest for data to remain, or if there is legal action for which the data is important. The former is open to interpretation, and you can contest these decisions – but more on that later.
- The right to restrict and object to processing
You might also want the company to retain your data, but refrain from processing it. This may happen when you’re contesting the accuracy of your personal information or when the company doesn’t need your data anymore, but you do in order to establish a legal claim of any kind. Data processing is also restricted when you object…
…And you can object if the company deems that your data should be kept and refuses to delete it because of interests to the society, but you beg to differ. While your objection is being evaluated, your data must not be processed. The exception is direct marketing. They must delete all your data as soon as you request them to do so – no questions asked.
- Data portability
If you decide to change service providers (of any online service, for example – your e-mail provider), they must ensure easy portability of data. This means that you can demand that they move your personal data from their servers to another service of your choice.
Say you have an e-mail account at one service, and you wish to switch. The only thing keeping you there are your contacts – and the company knows that, so they might make it as difficult as possible to transfer your data. Not anymore – under the GDPR, they will be obligated to do that. Obviously, this will foster competitiveness and a better service for users.
- Manual decision-making
Sometimes, those who run certain services will use automatic data processing to profile you without human intervention. This can have profound consequences, for example when evaluating your health prospects, job history, loan applications or what ads to serve you. You can object to this and ask that your information be reviewed manually, by a real person.
Now that you’ve acquainted yourself with your rights, it’s time to learn how to react if they’re being broken!
3. Who to contact
If you suspect that the data controller (the company or an organization) doesn’t play fair when it comes to your personal data, or if you suspect something’s fishy, you have the right to complain.
Generally, it is probably best to contact the company in question directly. Most businesses and organizations care about their reputation and go to great lengths to ensure that they don’t get any bad press. So, contacting them, especially if you feel you have a valid complaint on your hands, should be the first thing you do, as it can have a high success rate.
Companies who often process personal data must have a data protection officer, who is in charge of managing the protocols for compliance with the GDPR. Training other employees to handle customer complaints is also one of their tasks. A simple e-mail to the customer service or their privacy department can therefore work wonders.
If they fail to respond to your claim (within a month in most cases), or you are disgruntled with their (lack of) action, then you can complain to the supervisory authorities. Note that you can do that straight away – we just believe it’s best to straighten things out with them directly. When lodging a complaint against a company, you don’t need to know where it’s headquartered. You should lodge a complaint with the authority in your country. For example, if you’re from Finland and a French company has violated your rights, you complain to the Finnish supervisory authority. They are responsible for forwarding your complaint and coordinating with the French authorities.
You also have an option to take legal action against the company. Again, you can do it straight away, but in most cases people opt for this option after they’ve exhausted all other legal remedies. You can sue the company in your country of residence or in the country where the company is headquartered.
4. Seek damages
If you can prove that you have suffered damages as a result of a company violating the GDPR by, for example, handling your data negligently or maliciously, you can sue them to seek compensation for said damages.
Under the GDPR, the companies who did the data processing are fully liable for all damages, unless they can prove such GDPR violations weren’t a result of their wrongdoing. We expect most legal cases to revolve around data breaches and a refusal to delete one’s data for marketing reasons.
Legal action can be brought in the country of your residence or in the country in which the company is based. Class-action lawsuits can also be brought by, for example, trade unions representing all their members.
Those companies who misbehave with their clients’ data open themselves not only to potential lawsuits from disgruntled customers, but also steep fines from the regulatory authorities, of up to 4 percent of their global turnover or up to EUR 20 million, whichever is higher. It is therefore in their best interest to keep all personal data safe and protected.
As you’ve seen, the GDPR gives you plenty of rights and good mechanisms for ensuring they are respected. It takes only a little time to acquaint yourself with your rights, and it could save you a lot of headache later on. Companies cannot bully you anymore and you’ll find out that your rights will be respected without question; perhaps due to the company’s care for its customers, but also in part due to the huge fines they face if caught red-handed. The GDPR lets those who own the personal information also control it – and that person is you.