What are my GDPR rights?

Privacy rights are legal rights that give people control of their own personal data and the authority to prevent others from exposing it to public scrutiny. Long before GDPR rights, the idea of privacy rights was recognized in various cultures throughout history. However, in the mid-20th century, as technology advanced, the need for privacy protections became more apparent.

In 1948, the United Nations adopted the Universal Declaration of Human Rights, which includes the right to privacy as a fundamental human right. In the 1960s and 1970s, many countries introduced their first data protection laws to regulate the collection, use, and disclosure of personal information.

The last 5 years are marked by a special interest in privacy rights. The EU’s GDPR came into effect in 2018, and it inspired slews of other countries and regions to update or create their own privacy laws. So what exactly are your GDPR rights?

Most of the time, especially in the EU, when we talk about privacy rights, we are talking about GDPR rights. That is, the 8 specific privacy rights granted to individuals under the General Data Protection Regulation (GDPR).

Here are the eight GDPR rights that individuals can exercise regarding their personal data:

1. 1. Right to be informed
   2. Right of access
   3. Right to rectification
   4. Right to erasure
   5. Right to restrict processing
   6. Right to data portability
   7. Right to object
   8. Right not to be subject to automated decision-making

Each of these rights gives individuals more control over their personal data, and requires organizations that collect and process personal data to do so in a transparent and accountable manner. The GDPR also sets out specific requirements for organizations to comply with in relation to each of these rights, including timelines for responding to requests, and the information that must be provided to individuals when their rights are exercised.

You can exercise your GDPR data privacy rights by contacting an organization with almost any question about their data. We call all such requests Data Subject Access Requests or DSARs. GDPR doesn’t require you to follow a certain procedure to make a data request, but ideally, you should:

Find out to whom you should direct the request
The organization should have a designated portal, person, or department to handle GDPR requests. You should be able to find instructions for making your request on the organization’s website. Check their privacy policy or contact their customer service department.

Draft a simple request and submit
GDPR gives you a lot of freedom when it comes to how you can make a request and doesn’t require special wording or legal jargon. However, it’s best to use simple language and explain exactly what you want. This will make it easier for the company to respond to you without delay.

Provide proof of identity
The company may ask you to provide some proof of your identity. As a rule, companies should only ask you for email or SMS verification.  In some cases, the organization may have to ask you to provide further proof of your identity.

Wait for a response
The organization should notify you that they have received your request. Then, they will have about one month to respond to your request. They may get an extension in certain circumstances. They should either fulfill the request on time or provide a valid reason for not doing so.

If everyone who made a data request did so as we outlined above, complying with data privacy rights would be a lot easier for companies. Unfortunately, the reality is often much more chaotic.

Since there isn’t a set requirement for how people send in their requests, it’s easy to miss or overlook them. If a request isn’t specific enough or it involves a large volume of data, the company may end up spending hours and hours on it. And, without the proper tools, it’s almost impossible for the company to be sure if they’ve really found all your data.

Here at Safe Online, we make it easy for companies to honor people’s GDPR rights. Data privacy rights are important, but they should not consume all of a company’s time and resources. Companies that use our automated tools can respond to data requests quickly, build trust with their customers and just keep them happy.

Read more about our tools for companies:

DataMapper lets companies quickly find a specific person’s data.
ShareSimple makes communicating with people about their personal data safe.
RequestManager sets up a data request portal to streamline the whole GDPR rights process.