Last checked : 23/04/2018
This page covers the new EU data protection rules - known as the General Data Protection Regulation (GDPR) - which apply from 25 May 2018. Until then, the existing rules apply.
EU data protection rules guarantee the protection of your personal data whenever they are collected – for example, when you buy something online, apply for a job, or request a bank loan. These rules apply to both companies and organisations (public and private) in the EU and those based outside the EU who offer goods or services in the EU, such as Facebook or Amazon, whenever these companies request or re-use the personal data of individuals in the EU.
It doesn't matter what format the data takes – online on a computer system or on paper in a structured file – whenever information directly or indirectly identifying you as an individual is stored or processed, your data protection rights have to be respected.
EU data protection rules, also known as the EU General Data Protection Regulation (or GDPR), describe different situations where a company or an organisation is allowed to collect or reuse your personal information:
In all other situations, the company or organisation must ask for your agreement (known as "consent") before they can collect or reuse your personal data.
When a company or organisation asks for your consent, you have to make a clear action agreeing to this, for example by signing a consent form or selecting yes from a clear yes/no option on a webpage.
It is not enough to simply opt out, for example by checking a box saying you don't want to receive marketing emails. You have to opt in and agree to your personal data being stored and/or re-used for this purpose.
You should also be given the following information before you decide to opt in:
All this information should be presented in a clear and understandable way.
If you previously gave your consent for a company or organisation to use your personal data, you can contact the data controller (the person or body handling your personal data) and withdraw your permission at any time. Once you've withdrawn your permission, the company or organisation can no longer use your personal data.
When an organisation is processing your personal data on the basis of their own legitimate interest or as part of a task in the public interest or for an official authority, you may have the right to object. In some specific cases, public interest may prevail and the company or organisation may be allowed to continue using your personal data. For example, this could be the case for scientific research and statistics, a task performed as part of the official role of a public authority.
For direct marketing, such as emails promoting particular brands or products, you have the right to object at any time to receiving direct marketing and the company have to stop using your data immediately.
In all cases, you should always be given information about the right to object to the use of your personal data the first time that the company or organisation contacts you.
Anatolios bought two tickets online to see his favourite band play in a live concert. Since buying the tickets, Anatolios started receiving emails with adverts for concerts and events that he wasn't interested in. He contacted the online ticketing company and asked them to stop sending him these advertising emails. The company immediately removed him from their direct marketing lists. Anatolios was happy that he didn't get any more advertising emails from them.
If your children want to use online services, such as social media, downloading music or games, they will often need approval from you, as their parent or legal guardian, as these services use the child's personal data. Your child will no longer need parental consent once they're aged over 16 (in some EU countries this age limit might be as low as 13). Controls to check parental consent have to be effective, for example by using a verification message sent to a parent's email address.
You can request access to the personal data a company or organisation has about you, and you have the right to get a copy of your data, free of charge, in an accessible format. They should reply to you within 1 month and have to give you a copy of your personal data and any relevant information about how the data has been used, or is being used.
Maciej, from Poland, recently subscribed to his local supermarket's loyalty scheme. Shortly after joining the scheme, he noticed he started receiving better discount vouchers for his shopping. He wondered if this was related to the loyalty scheme, so he asked the supermarket's data protection officer to tell him which information was being stored about him and how it was being used. Maciej discovered that the supermarket kept data on the products he bought every week and then was able to give him discounts related to the specific products he liked to buy.
If a company or organisation has stored personal data about you that isn't correct or is missing some information, then you can ask them to correct or update your data.
Alison wanted to buy a new house in Ireland and applied for a mortgage from her bank. When completing the registration form, she made a mistake entering her date of birth and the bank registered her age incorrectly in their system.
When Alison got the offers for her new mortgage and associated life insurance, she realised the mistake, as her insurance premium was much higher than her current one. She contacted the bank and asked them to correct her personal data in their system. She then received a new version of the insurance offer that correctly indicated her date of birth.
In certain situations, you can ask a company or organisation to return your data to you or to transfer it directly to another company, if this is technically possible. This is known as "data portability". For example, you can use this right if you decide to switch from one service to another similar service – for example moving from one social media site to a new one – and you'd like your personal information to be quickly and easily transferred to the new service.
If your personal data is no longer needed or is being used unlawfully then you can ask for your data to be erased. This is known as "the right to be forgotten".
These rules also apply to search engines, such as Google, as they're also considered to be data controllers. You can ask for links to web pages including your name to be removed from search engine results, if the information is inaccurate, inadequate, irrelevant or excessive.
If a company has made your personal data available online and you ask for them to be deleted, the company also has to inform any other websites where they've been shared that you've asked for your data and links to them to be deleted.
To protect other rights, such as freedom of expression, some data may not be automatically deleted. For example, controversial statements made by people in the public eye, might not be deleted if public interest is best served by keeping them online.
Alfredo decided he no longer wanted to use any social media, so he deleted his profile from the social media sites he was using. However, a few weeks later he found his old profile photos from his social media accounts were still visible when he looked up his name in an internet search engine. Alfredo contacted the social media companies and asked them to ensure that these photos were removed. When he searched a month later, the photos had indeed been removed and they no longer appeared in the search engine results.
If your personal information is stolen, lost or illegally accessed – known as a 'personal data breach' – the data controller (the person or body handling your personal data) must report it to the national data protection authority. The data controller must also inform you directly if there are serious risks related to your personal data or privacy due to the breach.
If you think your data protection rights have not been respected, you can make a complaint directly to your national data protection authority which will investigate your complaint and give you a response within 3 months.
You can also chose to file a case directly in court against the company or organisation concerned instead of first going to your national data protection authority.
You may be entitled to compensation if you suffer material damage, such as financial loss, or non-material damage, such as psychological distress, due to a company or organisation not respecting EU data protection rules.