Data protection and online privacy
EU data protection rules guarantee the protection of your personal data whenever they are collected – for example, when you buy something online, apply for a job, or request a bank loan. These rules apply to both companies and organisations (public and private) in the EU and those based outside the EU who offer goods or services in the EU, such as Facebook or Amazon, whenever these companies request or re-use the personal data of individuals in the EU.
It doesn't matter what format the data takes – online on a computer system or on paper in a structured file – whenever information directly or indirectly identifying you as an individual is stored or processed, your data protection rights have to be respected.
When is data processing allowed?
EU data protection rules, also known as the EU General Data Protection Regulation (or GDPR), describe different situations where a company or an organisation is allowed to collect or reuse your personal information:
- they have a contract with you – for example, a contract to supply goods or services (i.e. when you buy something online), or an employee contract
- they are complying with a legal obligation – for example, when processing your data is a legal requirement, for example when your employer gives information on your monthly salary to the social security authority, so that you have social security cover
- when data processing is in your vital interests – for example, when this might protect your life
- to complete a public task – mostly relating to the tasks of public administrations such as schools, hospitals, and municipalities
- when there are legitimate interests – for example, if your bank uses your personal data to check whether you'd be eligible for a savings account with a higher interest rate
In all other situations, the company or organisation must ask for your agreement (known as "consent") before they can collect or reuse your personal data.
Agreeing to data processing – consent
When a company or organisation asks for your consent, you have to make a clear action agreeing to this, for example by signing a consent form or selecting yes from a clear yes/no option on a webpage.
It is not enough to simply opt out, for example by checking a box saying you don't want to receive marketing emails. You have to opt in and agree to your personal data being stored and/or re-used for this purpose.
You should also be given the following information before you decide to opt in:
- information about the company/ organisation that will process your data, including their contact details, and the contact details of the Data Protection Officer (DPO) if there is one
- the reason why the company /organisation will use your personal data
- how long they intend to keep your personal data
- details of any other company or organisation that will receive your personal data
- information on your data protection rights (access, correction, deletion, complaint, withdrawal of consent)
All this information should be presented in a clear and understandable way.
Withdrawing consent to use personal data and the right to object
If you previously gave your consent for a company or organisation to use your personal data, you can contact the data controller (the person or body handling your personal data) and withdraw your permission at any time. Once you've withdrawn your permission, the company or organisation can no longer use your personal data.
When an organisation is processing your personal data on the basis of their own legitimate interest or as part of a task in the public interest or for an official authority, you may have the right to object. In some specific cases, public interest may prevail and the company or organisation may be allowed to continue using your personal data. For example, this could be the case for scientific research and statistics, a task performed as part of the official role of a public authority.
For direct marketing emails that promote particular brands or products, your prior consent is required. However, if you are an existing customer of a particular company, they can send you direct marketing emails about their own similar products or services. You have the right to object at any time to receiving such direct marketing and the company have to stop using your data immediately.
In all cases, you should always be given information about the right to object to the use of your personal data the first time that the company or organisation contacts you.
You can object to your data being used for direct marketing
Anatolios bought two tickets online to see his favourite band play in a live concert. Since buying the tickets, Anatolios started receiving emails with adverts for concerts and events that he wasn't interested in. He contacted the online ticketing company and asked them to stop sending him these advertising emails. The company immediately removed him from their direct marketing lists. Anatolios was happy that he didn't get any more advertising emails from them.
Specific rules for children
If your children want to use online services, such as social media, downloading music or games, they will often need approval from you, as their parent or legal guardian, as these services use the child's personal data. Your child will no longer need parental consent once they're aged over 16 (in some EU countries this age limit might be as low as 13). Controls to check parental consent have to be effective, for example by using a verification message sent to a parent's email address.
Access to your personal data
You can request access to the personal data a company or organisation has about you, and you have the right to get a copy of your data, free of charge, in an accessible format. They should reply to you within 1 month and have to give you a copy of your personal data and any relevant information about how the data has been used, or is being used.
You have a right to know what data is stored about you and how it's used
Maciej, from Poland, recently subscribed to his local supermarket's loyalty scheme. Shortly after joining the scheme, he noticed he started receiving better discount vouchers for his shopping. He wondered if this was related to the loyalty scheme, so he asked the supermarket's data protection officer to tell him which information was being stored about him and how it was being used. Maciej discovered that the supermarket kept data on the products he bought every week and then was able to give him discounts related to the specific products he liked to buy.
Correcting your personal data
If a company or organisation has stored personal data about you that isn't correct or is missing some information, then you can ask them to correct or update your data.
You have the right to correct incorrect data about yourself
Alison wanted to buy a new house in Ireland and applied for a mortgage from her bank. When completing the registration form, she made a mistake entering her date of birth and the bank registered her age incorrectly in their system.
When Alison got the offers for her new mortgage and associated life insurance, she realised the mistake, as her insurance premium was much higher than her current one. She contacted the bank and asked them to correct her personal data in their system. She then received a new version of the insurance offer that correctly indicated her date of birth.
Transferring your personal data (right to data portability)
In certain situations, you can ask a company or organisation to return your data to you or to transfer it directly to another company, if this is technically possible. This is known as "data portability". For example, you can use this right if you decide to switch from one service to another similar service – for example moving from one social media site to a new one – and you'd like your personal information to be quickly and easily transferred to the new service.
Deleting your personal data (the right to be forgotten)
If your personal data is no longer needed or is being used unlawfully then you can ask for your data to be erased. This is known as "the right to be forgotten".
These rules also apply to search engines, such as Google, as they're also considered to be data controllers. You can ask for links to web pages including your name to be removed from search engine results, if the information is inaccurate, inadequate, irrelevant or excessive.
If a company has made your personal data available online and you ask for them to be deleted, the company also has to inform any other websites where they've been shared that you've asked for your data and links to them to be deleted.
To protect other rights, such as freedom of expression, some data may not be automatically deleted. For example, controversial statements made by people in the public eye, might not be deleted if public interest is best served by keeping them online.
You can ask for your personal data to be deleted and removed from other websites
Alfredo decided he no longer wanted to use any social media, so he deleted his profile from the social media sites he was using. However, a few weeks later he found his old profile photos from his social media accounts were still visible when he looked up his name in an internet search engine. Alfredo contacted the social media companies and asked them to ensure that these photos were removed. When he searched a month later, the photos had indeed been removed and they no longer appeared in the search engine results.
Unauthorised access to your data (data breach)
If your personal information is stolen, lost or illegally accessed – known as a 'personal data breach' – the data controller (the person or body handling your personal data) must report it to the national data protection authority. The data controller must also inform you directly if there are serious risks related to your personal data or privacy due to the breach.
Making a complaint
If you think your data protection rights have not been respected, you can make a complaint directly to your national data protection authority which will investigate your complaint and give you a response within 3 months.
You can also chose to file a case directly in court against the company or organisation concerned instead of first going to your national data protection authority.
You may be entitled to compensation if you suffer material damage, such as financial loss, or non-material damage, such as psychological distress, due to a company or organisation not respecting EU data protection rules.
What about cookies?
Cookies are small text files that a website asks your browser to store on your computer or mobile device. Cookies are widely used to make websites work more efficiently by saving your preferences. They are also used to follow your internet use as you browse, make user profiles and then display targeted online advertising based on your preferences.
Websites should explain how the cookie information will be used. You should also be able to withdraw your consent. If you choose to do so, the website still has to provide some sort of minimum service for you, for example, providing access to a part of the website.
Not all cookies require your consent. Cookies used for the sole purpose of carrying out the transmission of a communication do not require consent. This includes, for example, cookies used for "load balancing" (enabling web server requests to be disctributed over a pool of machines instead of just one). Cookies that are strictly necessary to provide an online service that you explicitly requested also do not need consent. This includes, for example, cookies used when you fill in an online form or when you use a shopping basket when shopping online.