The deck looks stacked against you: there’s no easy way to go off the grid and ditch the social networks, but accepting their incredibly long terms of service basically means you’re giving away your online sovereignty.
However, not all is so bleak. The EU lawmakers, of all people, recognised the need for a revamped set of privacy regulations, culminating in the development of the General Data Protection Regulation (GDPR) and the ongoing revisions of the ePrivacy Directive.
Your Rights Matter
The GDPR is not a magic wand that will instantly solve all privacy issues, but it does demand more accountability from companies and organisations. For you, that means more oversight over how your data is being used and why. You are given a set of options collectively termed ‘rights’ under the GDPR.
The exercise of these rights should help put you back in the driver’s seat. What’s more, these rights aren’t just legalese or meaningless drivel – they are very applicable and useful. But in order to use them, you must first know what they are.
1. The Right to be Forgotten
Also called ‘the right to erasure’, it is considered one of the most important and most touted rights. It allows you to demand that a company delete any unnecessary personal data belonging to you. You can also deny consent to further processing and demand deletion right away, unless the company is legally required to keep your data (banks, for example).
Search companies will be hit hardest by the rule, since they will have to remove links to the offending content. Put simply, this rule can save you from having your mishaps, such as pictures from a bender, remain on the internet for posterity, in plain view of your future employers. That’s not right – even your traffic infractions disappear from your record after a set time period, so the same should apply to the Internet.
Of course, you won’t be able to remove and delete everything – there will be a need for a balancing act, where personal interests are weighed up against the interests of the public and freedom of information.
2. The Right to Object
This right allows you to say ‘no’ to others using your personal data in ways you do not approve. The right already exists in current legislation, but it is further fleshed out in the GDPR.
This differs from the regular withdrawal of consent, since companies have more grounds to use your data even without your approval – the ‘legitimate interest’ provision – if they consider the processing to be extremely important for their operation.
However, you can contest that and object. They will then have to demonstrate that this really is the case – even if the processing is otherwise lawful. If they cannot, they must stop processing.
You have the absolute right to object to direct marketing as well, whether postal or e-mail, and there is no way for the company to invoke their interests. They must cease processing at once.
You can object to the processing of your data for scientific, research, statistical and historical purposes as well, but then it is up to you to prove you’d be affected if the processing took place, and if the processing is carried out in the public interest, you might not have a case at all.
3. The Right to Access
At any time, you can ask a company whether your data is being processed, and if it is, you have the right to obtain a copy of it. The copy should also contain information on why your data is being processed and stored.
The company must provide you with a copy of your data free of charge unless the queries are extremely detailed or repetitive. In that case, they can charge a fee, but not more than the actual administrative costs incurred.
You must verify your identity with the company before you receive your data, in order to prevent fraud and identity theft. The company has 30 days to comply with your request.
4. The Right to Restrict Processing
In most cases, if you don’t want your data to be processed, you will simply withdraw your consent and demand that it be erased. Still, there are some situations where this right comes in handy.
Processing is automatically restricted when you invoke the right to rectification (#7), when you exercise your right to object (#2), and, for obvious reasons, when the processing is unlawful.
However, you might want to restrict processing without deletion if you want the company to still hold your personal data. This could be the case if you want to exercise a legal claim.
5. The Right to Information
Whenever you are asked to hand over your personal data, you must be provided with several pieces of information concerning the use of your data. This is mostly contained in the companies’ privacy policies; however, these will have to be significantly revamped in terms of conciseness and readability in order to comply with the law. As it stands, very few of us read these long documents, which are hard to understand anyway. Any improvement in this matter is welcome!
The company collecting your information (or obtaining it from a third party) must inform you of the following:
- contact point within the company
- purpose for processing and any legitimate interests
- details of any third-party recipients (including outside the EU)
- period for which the data will be stored
- safety measures
- your rights regarding data management
- your right to appeal to the authorities
- whether any profiling and automatic decision-making takes place (see #8)
6. The Right to Data Portability
One of the issues that keeps us ‘hostage’ to large services even when we don’t like their privacy policies is the fact that we’re ‘locked-in’ to their ecosystem. Our apps, contacts and files are often hosted with them, and moving all that to another, possibly superior, service is an exercise in patience.
Not anymore. In a bid to strengthen competition and freedom of choice, the GDPR stipulates that you must be able to obtain a copy of your personal data in a common file format that facilitates transfer among similar services. That way, moving your calendar, contacts or e-mails to a new account with another service provider should be much easier. In fact, the lawmakers claim moving your data to another service will be a hassle-free experience that will foster competitiveness among service providers.
Your request must be fulfilled within a month. An extra two months can be allotted for particularly complex requests.
7. The Right to Rectification
Due to various errors – either yours or the company’s – your personal data stored with them can turn out to be inaccurate or incomplete. If that bothers you or affects you in other ways, you can demand that the data be corrected.
You just have to supply the correct information and the company must update their records – as well as contact all third parties they shared your data with. They have one month to comply.
8. The Right to Manual Processing
Automated decision-making – profiling – has long been a thorn in the side of privacy advocates. Unfortunately, most people aren’t aware of the influence these automated systems have over our lives.
They can be used, for example, to automatically evaluate your loan application or your insurance premiums. Profiling can be used to predict your health status, performance at the workplace, behaviour, preferences, financial situation and more – all without a real person looking at your data. In effect, a computer can make life-changing decisions for people, and that could be a source of significant distress if something goes awry.
You have the right not to be subject to these processes in which your data is used to predict your behaviours and outcomes. You must be notified if any such processing takes place, and you have the right to demand human intervention. If an automated decision has been reached, you can demand an explanation for the decision and express your point of view.
Automated processing must not, in any case, concern a child or special categories of personal data (race, sex, religious and political opinions, beliefs, genetic data etc.) unless you have given the company explicit permission for the latter.
Exercise Is Free
It goes without saying that exercise of these rights is free of charge and companies must respond to your requests in a reasonable time frame – a month at most. You can also directly contact the responsible supervisory authority in your country (usually the agency dealing with privacy matters, such as the UK’s ICO) and proceed from there.
As can be seen from the list, the GDPR significantly enhances individual rights, and companies will mostly be forced to play fair. Why? If not out of benevolence, then out of fear of getting slapped with a huge fine – up to EUR 20 million or 4 percent of their yearly turnover.