EU data protection rules guarantee the protection of personal data in all cases where it is collected: for example, when buying online, submitting a job application or requesting a bank loan. These rules apply both to companies and organizations (public and private) based in the EU and to those that have their headquarters outside of it but offer goods and services in the EU, such as Facebook or Amazon, whenever these companies request or reuse the personal data of citizens of the European Union.
The format in which the data is collected does not matter (online, on a central computer, on paper or in a structured file): whenever information that directly or indirectly identifies you as an individual is stored or processed, your data protection rights must be respected.
When is data processing allowed?
The EU data protection rules, also known as the General Data Protection Regulation (GDPR), describe the different situations in which a company or organization is authorized to collect or reuse your personal information:
conclusion of a contract: for example, a contract for the supply of goods or services (that is, when buying online) or an employment contract
compliance with a legal obligation: for example, when the processing of your data is a legal requirement, such as when the employer provides information about your monthly salary to the social security body so that you have social security coverage
protection of your vital interests
carrying out a public task, in particular everything related to the tasks of public administrations, such as schools, hospitals and municipalities
satisfaction of legitimate interests: for example, if your bank uses your personal data to check whether you qualify for a savings account with a higher interest rate
In all other situations, the company or organization must request your authorization (called “consent”) before it can collect or reuse your personal data.
Authorize data processing: consent
When a company or organization asks for your consent, you have to clearly indicate your authorization, for example by signing a consent form or unequivocally selecting a “yes/no” option on a web page.
Simply checking a box stating that you do not want to receive emails for commercial purposes is not enough. You must accept and authorize that your personal data be collected and/or reused for this purpose.
Before deciding whether to accept or not, you should also receive the following information:
information about the company/organization that will process your personal data, in particular its contact details and the contact details of the data protection officer, if applicable
the reason why the company/organization will use your personal data
how long your personal data will be kept
details of any other company or organization that will receive your personal data
information about your rights regarding data protection (access, rectification, deletion, complaint and withdrawal of consent)
All this information must be provided in a clear and understandable way.
Withdrawal of consent for the use of personal data and right of opposition
If you have already given your consent to a company or organization to use your personal data, you can contact the data controller (the person or body that manages your personal data) and withdraw your consent at any time. Once consent is withdrawn, the company or organization can no longer use your personal data.
You can exercise your right of opposition if an organization processes your personal data on the basis of its own legitimate interest or as part of a task carried out in the public interest or by a public administration. In some specific cases, the public interest prevails and the company or organization may be authorized to continue using your personal data: for example, scientific or statistical research, or tasks performed within the official functions of a public administration.
Direct marketing emails promoting specific brands or products require prior consent. However, if you are a customer of a certain company, it can send you direct marketing messages about its own similar products or services. You have the right to object at any time to receiving direct marketing messages, and the company must immediately stop using your data.
In all cases, the first time the company or organization contacts you, it must provide you with information on your right to object to the use of your personal data.
Specific rules for children
Generally, children need the authorization of their parents or legal guardians to use online services, such as connecting to social networks or downloading music or games, since these services use their personal data. Upon reaching 16 years of age, they no longer need parental authorization (in some EU countries the age limit can be as low as 13 years). Controls to verify that parents have given their authorization must be effective, for example by sending a message to a parent’s email address.
Consult your personal data
You can request access to the personal data that a company or organization holds about you, and you have the right to obtain a copy of that data, free of charge, in an accessible format. They must respond to you within a month and must give you a copy of your personal data and all relevant information on how they have used or are using your data.
Rectify your personal data
If a company or organization stores personal data about you that is incorrect or incomplete, you can ask them to correct or update it.
Transfer your personal data (right to data portability)
In certain circumstances, you can ask a company or organization to return your data or to transfer it directly to another company, if technically possible. This is what is known as “data portability”. You can use this right, for example, if you decide to switch from one service to another similar service, such as going from one social network to another, and you want your personal data to be transferred quickly and easily to the new service.
Delete your personal data (right to be forgotten)
If your personal data is no longer necessary or is used unlawfully, you can request its deletion. This is what is known as the “right to be forgotten”.
These rules also apply to search engines, such as Google, as they are also responsible for data processing. You can request that links to web pages that include your name be removed from search engine results when the information is inaccurate, inadequate, irrelevant or excessive.
If a company has made your personal data available on the internet and you request that it be deleted, the company must also inform all the websites with which it has shared the data that you have requested the deletion of your data and the corresponding links.
To protect other rights, such as freedom of expression, some data may not be automatically erased. For example, controversial statements made in public may not be suppressed if it is in the public interest to keep them online.
Unauthorized access to your data (violation of personal data)
In the event of theft, loss or unlawful access to your personal information, which is known as a “personal data breach”, the controller (the person or body that manages your personal data) must notify the national data protection authority. The controller must also inform you directly if, as a result of the data breach, your personal data or your privacy is exposed to serious risks.
File a claim
If you believe that your data protection rights have not been respected, you can file a complaint directly with the national data protection authority, which will investigate the complaint and give you an answer within three months.
You can also bring the case directly before a court against the company or organization in question, instead of going to the national data protection authority.
You may be entitled to compensation if you suffer material damage, such as financial loss, or moral damage, such as psychological distress, because a company or organization has not respected the EU data protection rules.