GDPR User Guide

The document is a user guide that explains the rights of individuals under the European Union's General Data Protection Regulation (GDPR). It discusses the right to information, the right of access, and the right to rectification. The right to information gives individuals the right to obtain information from entities about how their personal data is collected and used. The right of access allows individuals to request access to personal data an entity holds about them. The right to rectification enables individuals to amend incorrect or incomplete personal data held by an entity. The guide aims to help users understand and exercise their rights under the GDPR.


A USER GUIDE TO

DATA PROTECTION
IN THE
EUROPEAN UNION
Your rights & how to exercise them

accessnow.org
INTRODUCTION

Access Now presents A user guide to data protection in the European Union - Your rights and how to exercise them to help you exercise your right to data protection. This guide gives you information about the rights encompassed under the EU law on data protection as well as information on how to use these rights.

The European Union General Data Protection Regulation is a positive framework for users' protection and can help you take back control of your personal information. This law replaces and strengthens the 1995 Data Protection Directive. Access Now is a strong supporter of the GDPR. In fact, we worked with lawmakers in Europe to strengthen users' protections throughout the introduction, negotiations, and adoption of the law. After almost five years of debate, the GDPR became applicable on 25 May 2018. With this guide, we aim to contribute to the long-term mission of the GDPR by giving you the necessary information and tools to exercise your rights.

We invite you to read this guide carefully, so you can use your rights to
make data protection a reality.

Brussels, July 2018



WHAT IS THE GENERAL DATA
PROTECTION REGULATION?

Personal data is any information relating to you, whether it relates to your private, professional, or public life. In the online environment, where vast amounts of personal data are shared and transferred around the globe instantaneously, it is increasingly difficult for people to maintain control of their personal information. This is where data protection and laws such as the GDPR come in.

Data protection refers to the practices, safeguards, and binding rules put in place to protect your personal information and ensure that you remain in control of it. In short, you should be able to decide whether or not you want to share some information, who has access to it, for how long, and for what reason, and to be able to modify some of this information, and more. In the EU, these rules are defined under the General Data Protection Regulation. The GDPR is a user-centric law which aims to put you back in control of your personal data, providing for the broad spectrum of users' rights presented in this guide.


Under the GDPR, both private companies such as Facebook, Microsoft, Dropbox, Amazon, or Spotify and government bodies have the obligation to ensure the protection of your personal data. You are protected under the GDPR whenever you are located in the EU, no matter where you are from or what your nationality is, and also whenever the entity handling your data is established in the EU.

The GDPR comes with a robust enforcement mechanism which empowers data protection authorities to investigate data practices and fine companies or public entities up to 4% of their total worldwide annual turnover (or EUR 20 million, whichever is higher) if they ignore their legal obligations and commit serious or repeated infringements of your rights. These fines are significant and proportionate to the gravity of the infringement on individuals' fundamental rights. For far too long, a handful of companies have been diligently ignoring the EU's data protection norms, which have been in place since 1995. With this new framework, the data protection authorities are better equipped to deal with free riders.



What are my rights?
THE RIGHT TO INFORMATION

When a company, a government body, or an organisation collects and uses information about you, you have the right to get information about:

• the name of the entity using your data,
• the contact information of the person or department in charge of personal data protection at this entity,
• the reason for which the entity will use your data,
• the type of personal data the entity holds about you,
• the length of time your data will be kept,
• whether your data will be shared with third parties and who they are,
• whether your data will be used for automated decision-making via algorithms,
• whether data will be moved outside the EU,
• your other basic data protection rights,
• your right to file a complaint, and
• what legal basis has been used to authorise the collection and use of your personal data. There are six legal grounds authorising entities to use personal data under the GDPR, such as your freely given and informed consent or the execution of a contract with you.

When the entity did not obtain the data from you directly, it must also tell you where the data came from.

All this information should be provided to you in a concise, transparent, intelligible way, using clear and plain language. This means that an entity must have terms of service and a privacy policy that are easily understood, which has not typically been the case.

Relevant articles under the GDPR: Articles 12, 13, and 14.



THE RIGHT OF ACCESS

No matter how your information was collected, you have the right to ask for and obtain information from a company, a government body, or an organisation as to whether it holds any personal data about you.

If an entity has information about you, you then have the right to be provided, free of charge, a copy of your data and any relevant additional information regarding the reason your information was collected and used, how long it has been kept, whether it was disclosed to a third party, and more. If you made your request electronically, you will be provided a copy of your data electronically (e.g., via email or an online form) unless you ask otherwise.

You can exercise this right several times at reasonable intervals, but if your requests are manifestly repetitive or excessive, an entity may charge a reasonable fee or refuse to act; in that case it must justify its decision. Keep in mind that this right is not absolute. If your request impacts the rights and freedoms of others, you may receive only a partial copy of this information, or none. However, the entity shall explain why it was not possible to provide you with the information.

Relevant article under the GDPR: Article 15.



THE RIGHT TO RECTIFICATION

You have the right to amend and modify the information that a company, government body, or organisation has about you if this information is incorrect, incomplete, or inaccurate (for instance, if you have changed your contact details or residence).

Once you have notified the entity, it has the obligation to change your information within a month. During this period, the entity can refuse to modify the information but must then notify you and explain why.

Relevant article under the GDPR: Article 16.



THE RIGHT TO RESTRICT PROCESSING

Under certain circumstances, you have the right to request that a company, government body, or organisation stop using or limit the use of information about you, for instance so that you can verify the way that the entity is using it. You can exercise this right when:

• the accuracy of the data is contested, for as long as the entity needs to verify it,
• your data has been used unlawfully, but you prefer that its use be restricted rather than having it deleted,
• the data is no longer needed by the entity for the purposes for which it was originally collected, but you need it to establish, exercise, or defend a legal claim, and
• you have exercised your right to object to the use of your data altogether but the decision is pending.

While the use of your data is restricted, the entity may still store it, but may not use it further without your consent, except for legal claims, to protect the rights of others, or for important reasons of public interest. It must tell you before the restriction is lifted.

In addition, when you have consented to the use of your personal data, you have the right to withdraw that consent at any time by notifying the entity. Withdrawing consent does not make earlier use of your data unlawful, but from that point the entity must stop using the data unless it has another legal basis.

Relevant articles under the GDPR: Article 18 (and Article 7 for the withdrawal of consent).



THE RIGHT TO ERASURE

You have the right to ask for the deletion of your personal data when:

• a company, government body, or organisation holds information about you that is no longer needed for the purposes for which it was collected (for instance, if you have chosen to leave a service or a platform),
• you withdraw the consent on which the use of your data was based and the entity has no other legal basis for keeping it,
• you have objected to the use of your data and the entity cannot show overriding grounds to continue, or
• your data has been used unlawfully.

In addition, personal data collected from you as a child in connection with an online service can be deleted at any time at your request. The GDPR sets the age of consent for such services at 16 years old, but EU member states may lower it to as little as 13.

This right is not absolute: an entity may keep data that it needs to comply with a legal obligation, for freedom of expression, for public health, for archiving or research in the public interest, or for legal claims, but it must tell you which exception it relies on.

Keep in mind that when you ask that your data be deleted, companies may retain information they have created based on your data. For instance, a company like Facebook that creates profiles or makes assumptions about you based on your "likes" or browsing habits may keep that information. We encourage you to request deletion of this information explicitly when you leave a platform, and if they fail to act, to bring a complaint.

Relevant article under the GDPR: Article 17.



THE RIGHT TO OBJECT

You have the right to object to the collection, use, and storage of your personal data by a company, government body, or organisation when:

• your data is being used for direct marketing (after your request, the entity must stop using your personal data for this purpose and comply with your request free of charge; this objection cannot be refused),
• your data is being used for automated decision-making, including profiling, where no human intervention or review will take place,
• your data is being used for scientific or historical research or statistics, and
• your data is being used for an entity's "legitimate interest" or in carrying out a task in the public interest.

In the last two scenarios, your right to object may be limited if the entity can demonstrate that the use of your data is necessary and that its reason for using it overrides your interests, rights, and freedoms.

Your right to object to the use of your data for decision-making that is based solely on automated processes is perhaps one of the most important rights in the era of big data. Through techniques like profiling, your information is gathered to be evaluated, analysed, and used to predict your behaviour and make assumptions about you. This practice is fundamentally contrary to your right to privacy and can be highly discriminatory. Even if your right to object is limited under national laws, we encourage you to exercise this right and bring a complaint if necessary.

Relevant articles under the GDPR: Article 21, and Article 22 for decisions based solely on automated processing.



THE RIGHT TO AN EXPLANATION

When your data is used to make a decision about you with an automated process, such as the use of algorithms, you have the right to be given meaningful information about the logic involved and about the significance and consequences of such processing for you. While the GDPR does not spell out in detail the information you should receive, we recommend that you at least request:

• the information that was entered into the automated system,
• the reason for the use of the automated system (for example to calculate a credit or insurance rate, or to decide on hiring),
• the objective of the use of the automated system (for example to speed up processes, or to limit mathematical errors),
• whether a human intervention and review of the process and decision will take place (if not, you have the right to object to the use of such an automated system), and
• your ability to challenge the decision made through use of the automated system, and to ask for a review.

Relevant articles under the GDPR: Recital 71, Articles 13 to 15, and Article 22.



THE RIGHT TO DATA PORTABILITY

You have the right to move your data from one service to another, and as such, to receive a file with your information in a structured, commonly used, and machine-readable format. This means that if you wish to move to a new social media platform, for example, you can do so quickly and easily by taking your data from the old platform to the new one. When it is technically feasible, you can directly request that your personal data be transferred to another company whose services you would like to use.

This right applies when the entity uses your data on the basis of your consent or of a contract with you, and by automated means. It relates only to information that you have provided to companies. Any data that companies collect or create based on your data will not necessarily be provided in a portable file.

This right is a novelty under data protection law and can help foster innovation and competition in the digital era, since it allows users to more easily switch between platforms. However, in order for this right to deliver its promise and for users and innovators to truly benefit from it, it will be important to develop and implement interoperability standards between services. This means that platforms should use a similar format for entering data.

Relevant article under the GDPR: Article 20.



HOW CAN I EXERCISE MY RIGHTS?

You can exercise all the rights mentioned above by sending an email to any company, government body, or organisation that holds data about you.

Most entities have a dedicated email address that you can use to exercise your rights, which can be found in the terms of service or privacy policies that are required to be available online. We know these policies are typically long (although this should improve under the GDPR). However, we encourage you to take a look and search for a contact address. If you cannot find contact information, that conflicts with your right to information and you can bring this matter to a data protection authority (see next point).

The email could be as simple as follows:

Dear xxx,

Pursuant to the EU General Data Protection Regulation, I would like to exercise my right to withdraw consent to the processing of my data / right of access / right to erasure / right to object to the processing of my data / right to rectification / right to restrict processing / right to an explanation / right to portability, linked to my name and/or email address.

I look forward to hearing back from you.

Best regards,
xxx

Whatever right you invoke, the entity must answer within one month of receiving your request. It can extend this period by up to two further months for complex or numerous requests, but it must tell you so within the first month and explain why. It may also ask you for additional information to confirm your identity before acting on your request. Keep a dated copy of your request and of any reply, since you will need them if you later bring a complaint.


Below are some examples of points of contact provided by companies for you to exercise your rights. We are giving examples from different industries, not just the technology industry, since the GDPR applies to any entity collecting data about you.

For Thalys, contact the company data protection officer at [email protected].

For Eurosport, contact the platform data protection officer at [email protected].

For Zalando, you can find specific contact information based on your spoken language in Chapter 13 of the company's privacy statement: https://www.zalando.be/zalando-privacy-statement/#chapter-13

For British Airways, you can request a copy of your data at [email protected]. You can also verify and modify the way that British Airways uses your data at: https://www.britishairways.com/travel/permissionscentre/public/

For Palantir, send an email to data-subject-re-[email protected].

For the Belgian Passenger Information Unit, which collects, uses, and retains data for five years when a traveller enters the country by plane, boat, train, or bus, you can contact the data protection office at [email protected] or by post at DPO - Leuvenseweg 1, 1000 Brussels.

Google allows you to exercise some of your rights through its privacy policies: https://policies.google.com/privacy?hl=en&gl=be#infochoices and you can also send an email to Google's data protection office via this form: https://support.google.com/policies/contact/general_privacy_form. We also encourage you to take a few minutes to review and adjust controls for how and when Google can use your information, both for your account (https://myaccount.google.com/privacycheckup) and specifically for the use of ads (https://adssettings.google.com/authenticated?hl=en).



WHAT CAN I DO IF MY RIGHTS HAVE
BEEN VIOLATED OR MY DATA MISUSED?

You can exercise all the rights mentioned above at any point in time. If you think your
data protection rights or other related privacy rights have been breached, you can
take legal action, which has been made easier under the GDPR:

You can file a complaint with the data protection authority (DPA) of the EU
country where you are located. DPAs are independent public authorities that monitor,
supervise, and enforce the application of the GDPR. They are here for you. The DPA has
the obligation to inform you about the progress of any complaint three months after you
file it. If at any point you are dissatisfied with the response from the DPA handling your
complaint, you can bring the authority to court. The table below gives you information and
contact points for every DPA in the EU.

You can file a case in court against a company, a government body, or an organisation.
You can do this instead of, or in addition to, filing a complaint with your data protection
authority.

You have the right for a non-governmental organisation (NGO) to file a complaint on your behalf if the NGO is legally established, its activities are protecting individuals or the public interest, and the NGO has expertise in the area of data protection.
This avenue is important to empower you if your complaint or case is lengthy and complex.
Having the option of NGO representation opens more avenues for remedy, increasing the
chances that violation of your rights will not go unpunished.



WHERE SHOULD I GO IF MY RIGHTS HAVE
BEEN VIOLATED OR MY DATA MISUSED?

Austria
Österreichische Datenschutzbehörde
Hohenstaufengasse 3, 1010 Wien
Tel. +43 1 531 15 202525
Email: [email protected]
Web: https://www.dsb.gv.at/

Belgium
Commission de la protection de la vie privée
Rue de la Presse 35, 1000 Bruxelles
Tel. +32 2 274 48 00
Email: [email protected]
Web: https://www.privacycommission.be/

Bulgaria
Commission for Personal Data Protection
2, Prof. Tsvetan Lazarov blvd., Sofia 1592
Tel. +359 2 915 3523
Email: [email protected]
Web: https://www.cpdp.bg/

Croatia
Croatian Personal Data Protection Agency
Martićeva 14, 10000 Zagreb
Tel. +385 1 4609 000
Email: [email protected]
Web: http://www.azop.hr/

Cyprus
Commissioner for Personal Data Protection
1 Iasonos Street, 1082 Nicosia
P.O. Box 23378, CY-1682 Nicosia
Tel. +357 22 818 456
Email: [email protected]
Web: http://www.dataprotection.gov.cy/

Czech Republic
The Office for Personal Data Protection
Pplk. Sochora 27, 170 00 Prague 7
Tel. +420 234 665 111
Email: [email protected]
Web: https://www.uoou.cz/

Denmark
Datatilsynet
Borgergade 28, 5, 1300 Copenhagen K
Tel. +45 33 1932 00
Email: [email protected]
Web: https://www.datatilsynet.dk/

Estonia
Estonian Data Protection Inspectorate
Väike-Ameerika 19, 10129 Tallinn
Tel. +372 6274 135
Email: [email protected]
Web: http://www.aki.ee/en


Finland
Office of the Data Protection Ombudsman
P.O. Box 315, FIN-00181 Helsinki
Tel. +358 10 3666 700
Email: [email protected]
Web: https://tietosuoja.fi/en/home

France
Commission Nationale de l'Informatique et des Libertés - CNIL
8 rue Vivienne, CS 30223, F-75002 Paris, Cedex 02
Tel. +33 1 53 73 22 22
Complaints form: https://www.cnil.fr/fr/plaintes
Web: https://www.cnil.fr/

Germany (Federal)
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Husarenstraße 30, 53117 Bonn
Tel. +49 228 997799 0
Email: [email protected]
Web: https://www.bfdi.bund.de/

Greece
Hellenic Data Protection Authority
Kifisias Av. 1-3, PC 11523, Ampelokipi Athens
Tel. +30 210 6475 600
Email: [email protected]
Web: http://www.dpa.gr/

Hungary
Data Protection Commissioner of Hungary
Szilágyi Erzsébet fasor 22/C, H-1125 Budapest
Tel. +36 1 3911 400
Email: [email protected]
Web: http://www.naih.hu/

Ireland
Data Protection Commissioner
Canal House - Station Road, Portarlington, Co. Laois
Tel. +353 57 868 4800
Email: [email protected]
Web: https://www.dataprotection.ie/

Italy
Garante per la protezione dei dati personali
Piazza di Monte Citorio, 121, 00186 Roma
Tel. +39 06 69677 1
Email: [email protected]
Web: https://www.garanteprivacy.it/

Latvia
Data State Inspectorate
Director: Ms Signe Plumina
Blaumana str. 11/13-15, 1011 Riga
Tel. +371 6722 3131
Email: [email protected]
Web: http://www.dvi.gov.lv/


Lithuania
State Data Protection Inspectorate
Žygimantų str. 11-6a, 011042 Vilnius
Tel. +370 5 279 14 45
Email: [email protected]
Web: https://www.ada.lt/

Luxembourg
Commission Nationale pour la Protection des Données
1, avenue du Rock'n'Roll, L-4361 Esch-sur-Alzette
Tel. +352 2610 60 1
Email: [email protected]
Web: https://cnpd.public.lu/

Malta
Office of the Data Protection Commissioner
2, Airways House, High Street, Sliema SLM 1549
Tel. +356 2328 7100
Email: [email protected]
Web: http://www.dataprotection.gov.mt/

The Netherlands
Autoriteit Persoonsgegevens
Prins Clauslaan 60, P.O. Box 93374, 2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500
Email: [email protected]
Web: https://autoriteitpersoonsgegevens.nl/nl

Poland
The Bureau of the Inspector General for the Protection of Personal Data - GIODO
ul. Stawki 2, 00-193 Warsaw
Tel. +48 22 53 10 440
Email: [email protected]
Web: https://giodo.gov.pl/

Portugal
Comissão Nacional de Protecção de Dados - CNPD
R. de São Bento, 148-3°, 1200-821 Lisboa
Tel. +351 21 392 84 00
Email: [email protected]
Web: https://www.cnpd.pt/

Romania
The National Supervisory Authority for Personal Data Processing
B-dul Magheru 28-30, Sector 1, Bucureşti
Tel. +40 21 252 5599
Email: [email protected]
Web: http://www.dataprotection.ro/

Slovakia
Office for Personal Data Protection of the Slovak Republic
Hraničná 12, 820 07 Bratislava 27
Tel. +421 2 32 31 32 14
Email: [email protected]
Web: https://dataprotection.gov.sk/uoou/


Slovenia
Information Commissioner
Zaloška 59, 1000 Ljubljana
Tel. +386 1 230 9730
Email: [email protected]
Web: https://www.ip-rs.si/

Spain
Agencia de Protección de Datos
C/Jorge Juan, 6, 28001 Madrid
Tel. +34 91399 6200
Email: [email protected]
Web: https://www.agpd.es/

Sweden
Datainspektionen
Drottninggatan 29, 5th Floor, Box 8114, 104 20 Stockholm
Tel. +46 8 657 6100
Email: [email protected]
Web: https://www.datainspektionen.se/

United Kingdom
The Information Commissioner's Office
Water Lane, Wycliffe House, Wilmslow - Cheshire SK9 5AF
Tel. +44 1625 545 745
Email: [email protected]
Web: https://ico.org.uk



CONCLUSION
In the digital era, ensuring that your data are protected is essential. Misuse of data
can result in discriminatory decisions, violation of privacy rights, identity theft, fraud,
and more. This is why you must be in control of your information. The data protection
rights safeguarded under the GDPR and presented in this guide will help put you
back in control.

For far too long, data protection laws have been ignored because of weak
enforcement mechanisms. Now that the law has changed in the EU, we have a
responsibility to help make data protection a reality and hold the entities collecting,
using, and storing our data accountable for infringement of our rights. We invite you
to use this guide to start exercising your rights.

Additional resources
Want to know more about data protection and the GDPR? Here are some useful resources:

• European awareness campaign: the GDPR explained
  https://gdprexplained.eu

• Access Now's blog post on why data protection matters
  https://www.accessnow.org/data-protection-matters-protect

• EDRi's paper on data protection
  https://edri.org/wp-content/uploads/2013/10/paper06_web_20130128.pdf

• European Commission's tool on the GDPR - citizens' guide
  https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens_en



Access Now defends and extends the digital rights of users at risk around
the world. By combining direct technical support, comprehensive policy
engagement, global advocacy, grassroots grantmaking, and convenings
such as RightsCon, we fight for human rights in the digital age.

For more information, please visit: https://www.accessnow.org


Contact: Estelle Massé | Senior Policy Analyst | [email protected]

This guide is an Access Now publication.

This work is licensed under a Creative Commons Attribution 4.0 International License.