
Your GDPR Privacy Rights: What You Need to Know

A clear explanation of your rights under GDPR including data access, deletion, portability, and how to exercise them.

Raimundo Coelho, Cybersecurity Specialist
February 15, 2026

What Is the GDPR?

The General Data Protection Regulation is a comprehensive privacy law that took effect in the European Union in May 2018. It represents the most significant overhaul of data protection legislation in decades, giving individuals unprecedented control over their personal data and imposing strict obligations on organizations that collect and process it.

While the GDPR is an EU regulation, its impact extends far beyond European borders. Any company that offers goods or services to EU residents or monitors their behavior must comply, regardless of where the company is headquartered. This means that major technology companies, social media platforms, and online retailers worldwide have had to adapt their data practices to comply with GDPR requirements.

Understanding your GDPR rights empowers you to take control of your personal data. Even if you live outside the EU, many companies now extend similar privacy protections globally, and other jurisdictions have enacted similar laws inspired by the GDPR, including the California Consumer Privacy Act and Brazil's LGPD.

Your Core GDPR Rights Explained

Right of Access

You have the right to request confirmation of whether a company processes your personal data and to obtain a copy of that data. This is commonly known as a Subject Access Request. Companies must respond within 30 days and provide the information free of charge.

When you submit an access request, the company must tell you what data they hold about you, why they are processing it, who they have shared it with, how long they plan to retain it, and the source of the data if it was not collected directly from you. This transparency often reveals surprising amounts of information that companies have accumulated about you.

Right to Rectification

If a company holds inaccurate or incomplete personal data about you, you have the right to have it corrected. This applies to factual errors like a misspelled name or wrong address, as well as incomplete records. The company must make corrections without undue delay and inform any third parties with whom they shared the incorrect data.

Right to Erasure

Often called the "right to be forgotten," this allows you to request that a company delete your personal data under certain circumstances. These include situations where the data is no longer necessary for its original purpose, you withdraw your consent, you object to processing and there are no overriding legitimate grounds, or the data was processed unlawfully.

However, this right is not absolute. Companies may retain data when required by law, for establishing legal claims, for public health purposes, or for archiving in the public interest. When erasure is granted, the company must also inform any third parties who received the data.

Right to Data Portability

This right allows you to receive your personal data in a structured, commonly used, machine-readable format and to transfer it to another service provider. For example, you could request all your data from one social media platform and potentially import it to another.

Data portability applies to data you have provided directly, whether through active input or through observation of your activities, and only where processing is based on your consent or a contract. This right helps prevent vendor lock-in and gives you genuine control over your digital life.

Right to Restriction of Processing

In certain circumstances, you can request that a company stop using your data while keeping it stored. This applies when you contest the accuracy of data, when processing is unlawful but you prefer restriction over deletion, when the company no longer needs the data but you require it for legal claims, or while a decision on your objection to processing is pending.

Right to Object

You have the right to object to processing of your personal data for direct marketing purposes, which the company must honor without exception. You can also object to processing based on legitimate interests or public interest grounds, in which case the company must stop unless they can demonstrate compelling legitimate grounds that override your interests.

How to Exercise Your GDPR Rights

Submitting a Request

Most companies now provide privacy settings or dedicated portals for submitting GDPR requests. Look for links labeled "Privacy," "Data Protection," or "Your Rights" in website footers or account settings. If no self-service option exists, email the company's Data Protection Officer or the contact listed in their privacy policy.

Your request should clearly state which right you are exercising, provide enough information to verify your identity, and specify what data or processing your request concerns. Keep a copy of all correspondence for your records.

What to Expect

Companies must acknowledge your request promptly and respond substantively within 30 days. In complex cases, they may extend this by an additional 60 days but must inform you of the delay and the reasons. If a company refuses your request, they must explain why and inform you of your right to complain to a supervisory authority.

When Companies Do Not Comply

If a company fails to respond adequately or refuses your request without valid justification, you can lodge a complaint with the data protection authority in any EU member state. You also have the right to seek a judicial remedy against a company or even against a supervisory authority decision.

Taking Practical Steps to Protect Your Data

Beyond exercising formal GDPR rights, adopt proactive habits to minimize unnecessary data exposure. Use our metadata remover to strip identifying information from photos before sharing them online. Generate strong, unique passwords with our password generator for every account. Regularly review the privacy settings on your online accounts and revoke access to third-party apps you no longer use. The combination of knowing your rights and practicing good data hygiene creates a robust privacy posture that protects you in an increasingly data-driven world.

Written by Raimundo Coelho

Cybersecurity specialist and technology professor with over 20 years of experience in IT. Graduated from Universidade Estácio de Sá. Writing practical guides to help you protect your data and stay safe in the digital world.
