The General Data Protection Regulation (GDPR) is meant to empower individuals (data subjects) by giving them control over the information that others hold about them (their personal data). Every person has the right to find out what data a company has on them and how it is processed, and to take action if they think that their data is being processed illegally.
These rights can be enforced via data protection authorities (DPAs) and courts.
We encourage everybody to make use of their fundamental right to privacy by providing information on how to do so.
Your Rights under the GDPR are:
- Access your data
- Withdraw your consent
- Object to the processing of your data
- Correct your data
- Have your data deleted
- Transfer your data
- Restrict processing
- Complain to your DPA
Exercising your rights under the GDPR is simple and an informal email is sufficient in most cases. Please keep the following in mind:
Finding contact details
- Data subject rights must be respected by the controller, i.e. the company handling your data. You can usually find the relevant email address in the “privacy policy” or the “contact us” section on the company’s website. Most companies have a dedicated email address and a data protection officer who is responsible for data protection inquiries.
You can also use any other contact form, but dedicated data protection emails or forms usually get the quickest results.
Means of communication
- You can choose any common means of communication to exercise your rights, for example:
- You can exercise your rights by sending an informal email or letter to the company and mentioning the relevant Article of the GDPR you are referring to.
- You can use templates for exercising your GDPR rights. While they may not fit each case, you can often find official templates on the website of your local data protection authority.
- You can use the web form on the company’s website, provided it lets you make a specific GDPR request rather than just a general enquiry.
- You can use tools for requests like mydatadoneright.eu.
- Companies may not ask you to provide identification or authentication beyond what is strictly necessary for them to identify and authenticate you. It would, for example, be excessive to ask for an ID if a company does not have your name yet and can therefore not link the ID with your account.
- Exercising your rights is always free of charge. If a company wants to charge you, you can file a complaint; this also applies to “premium” or “fast” responses.
Identification & Authentication
- For the company to find the relevant data on you, you should provide a means of identifying you. For example, you can share an identifier used by the company (e.g. a username, email address, customer number or name). You can also include additional information such as your phone number or date of birth (if you provided it when you signed up), or an IP address if this is relevant in the context of your request.
- A company can ask you for additional information to confirm that you are the person you claim to be (authentication). This is also important for security reasons, so that only the actual data subject can access or change their data. Depending on the context, it may be sufficient to log in with your password and make the request from within the system. In other cases, you may provide information that only you know, or typical identification documents (ID card, passport, driving licence).
Drafting your request
- You can make a broad or a specific request. For example, you can ask for all data that a company has on you, or very specific data. The broader your request, the harder it is for the company to hide information. At the same time, a narrow request may be answered quicker.
- Make sure to have a copy and proof of the time you sent the request, as this is relevant for deadlines and in case there are disputes at a later stage.
- Include all relevant evidence and details that you think are needed to understand and process your concern or request.
- Add a line that the company should get back to you if they have further questions.
Next Steps
- Once the company receives your request, they have a maximum of one month to respond, but should always answer as soon as possible. This period can only be extended once by a maximum of two further months, in cases of complex or multiple requests.
- If the company does not respond within a month (or within an extended period of at most 3 months) or refuses all or part of your request, you are entitled to file a complaint with a data protection authority (e.g. the DPA where you live or work).
- Keep records of all correspondence with the company, always mention the dates on your correspondence, and keep copies of everything.
Need help in assessing the legal elements of a company’s reply? You can contact us at info@noyb.eu to discuss further steps.