Updated: 20/06/2017
EU data protection rules mean that your personal data can only be processed in certain situations and under certain conditions, such as:
Personal data about your racial or ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade-union membership or health may not be processed except in specific cases (e.g. when you've given explicit consent or when processing is needed for reasons of substantial public interest, on the basis of EU or national law).
These rules apply to both public and private bodies.
The person or body handling your data is called the 'data controller'. They have to respect EU rules about how they handle and store your personal data:
If sensitive personal information is stolen, lost or illegally accessed – known as a 'personal data breach' – the provider must report it to the national data protection authority. The data controller must also inform you directly if there are any risks related to your personal data or privacy due to the breach.
EU rules on personal data protection and privacy in electronic communications cover internet communication, such as access to the internet, and communication via mobile and fixed phone networks.
Your service provider must comply with the following rules:
Maria, from Spain, spends a lot of time chatting with friends on the internet. After seeing some stories in the news she began to get a bit worried that her service provider could be tracking her messages.
Maria then checked the website of the Spanish data protection authority and was reassured about her right to confidentiality while online, and what her service provider could or could not do with her personal data.
A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. Cookies are widely used to make websites work more efficiently by saving your preferences. Tracking cookies are also used to follow your internet use as you browse, make user profiles and then display targeted online advertising based on your preferences.
You have the right, in certain cases, to ask data controllers to correct, remove or block incorrect data about yourself. This is known as 'the right to be forgotten'. These rules also apply to search engines, such as Google, as they're also considered to be data controllers.
You can ask for links to personal information about yourself to be removed from a search engine where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of data processing.
For more information see: Factsheet on the ECJ's ruling on the 'right to be forgotten' in relation to online search engines
If you think that your data is not being handled according to the rules or has been processed illegally, you can send a complaint to the data controller (the person or body processing your data).
You have the right to:
If you don't get a reasonable answer from the data controller, you can send a complaint to your national data protection authority.
Each EU country has to have at least 1 data protection supervisory authority. They make sure that data protection law is correctly applied and handle any complaints about breaches of the rules.
You should send your complaint in writing to your national data protection authority. In some countries there is a standard form for complaints or complaints can be sent by email.
If the supervisory authority finds that data protection law has not been respected, it can order data to be erased or destroyed, and can ban further data processing by the data controller in question.
Search in the list of national data protection authorities.
Infringements of the ePrivacy Directive are sometimes enforced by a different national authority rather than the data protection authority. Search in the list of competent authorities for ePrivacy.
You can also present your case directly to the competent national court.