Friday the 25th of May 2018 will probably go over in digital history as a day to remember, as it marks the day the General Data Protection (GDPR) kicked in, unlocking a whole new standard for what to do—and more importantly not to do—with the personal data of European Union citizens. The GDPR is predicted to be the spark that lights a new data protection mindset with both consumers and businesses—and not just in the EU, but globally.
Up until this date, a lot of the information about the GDPR has been aimed at enterprises, guiding them to compliance. But really, the regulation is largely created with the aim of serving individuals. So, in this blog post we’ll fill you in on what the regulation means for you as a European Union consumer (we’ll cover what it means for non-EU citizens further down the text). What exactly can you expect of companies and organisations in a post-GDPR world? Read on, and find out. Perhaps organisations can even learn a thing or two from this post.
Let’s start with an overview of your new rights and then dive into the details of each before we move on to a few FAQs (Frequently Asked Questions) and their answers.
1. Consent privileges
2. Right to more (transparent) information
3. Data ownership rights
Right to be forgotten (right to erasure)
Right to access
Right to data portability
Right to rectification
Right to object
Right to restriction of processing
4. Right to data breach information
“Do you want to continue hearing from us? Then we need your consent.” Maybe your inbox has had quite a lot of emails with similar wording lately? That is due to the consent requirements of the GDPR that states that organisations can only process data of a person in specific cases (e.g., if it is necessary for an organisation’s compliance with a legal obligation or in order to protect the vital interests of an individual or—and this will be the default situation in most cases—if a person “has given consent to the processing of his or her personal data for one or more specific purposes”).
In most cases, this means that you have to give your acceptance before an organisation can market directly to you. And, not just any acceptance, but a purpose-specific acceptance. Pre-GDPR, very few companies—in fact I know none—practiced purpose-specific consent, but post-GDPR that is the new norm. If the purposes of the processing activity change after your consent is obtained or an organisation wants to use your data for an additional purpose, new and specific consent from you is required.
The GDPR defines consent as the following: “Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
In other words, your consent has to be given “freely,” and you have to perform a “clear affirmative action.” But, what does that mean?
French law firm Mathias Avocats gives a splendid example of a situation where consent is not given freely: “For example, if a mobile app for photo editing requires users to have their GPS location activated for the use of its services, consent cannot be considered as freely given for the processing of the GPS data. Indeed, the users cannot refuse to activate their GPS location (or they won’t be able to use the app), and the latter is not necessary for photo editing.”
If your consent is to be considered valid, you need to have given it of your own free will, not as a bundled up, non-negotiable part of terms and conditions of a contract or a service. Furthermore, the physical text where it is written that you give your consent must be distinguishable from other text. If not, your consent is not binding. The GDPR says about this:
“If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.”
An “affirmative action” on the other hand, means that YOU have to do something (e.g., tick a box that says: “I consent.”). The box can’t be pre-ticked if your consent is to be considered valid.
Post-GDPR you have the right to withdraw your consent at any time. According to the GDPR, it shall be as easy to withdraw as to give consent.
You always have the right to request seeing what you have consented to. It is the responsibility of the organisation to demonstrate towards you—and authorities for that matter—that they have your consent to the processing of your personal data.
In a post-GDPR world, the communication you receive from an organisation about your data will both be more clear and written in a language you can actually understand, and you can also expect much more of it. According to the GDPR’s Article 12, organisations need to provide any information relating to data processing in “a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”
This means you need to be able to understand exactly what is going to be happening to your data. You have the right to receive this information in writing, but you actually also have the right to receive it orally, if you can prove your identity. If you’re having problems deciphering any data-related information, you can contact the organisation or its data accountable, who’s contact information also needs to be provided to you.
At the time when your personal data is being collected, for instance when you sign up for a new newsletter, you will have the right to receive following information, according to the GDPR’s Article 13:
If an organisation later wants to use your data for a purpose other than the one already communicated to you when your data was collected, it needs to provide information to you about the new purpose and again—for how long it expects to keep your data.
In a pre-GDPR world, once you handed over your data to a company, the company basically owned your data. In a post-GDPR world, YOU own your data. You’re merely lending it to organisations in order to help them know you better and service you better.
In a post-GDPR world you now have several rights relating to your data:
You have the right to have your personal data removed and deleted completely from an organisation’s database if, for example:
There are very few exceptions to this right, such as if your data has been collected for legal or scientific reasons. The burden of proving this, and thus refusing to erase your data, is with the organisation.
This right means that you have the right to know what is happening to your data, and what type of data an organisation holds on you. The GDPR says:
“The data subject (i.e., you) shall have the right to obtain from the controller (i.e., an organisation processing your data) confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data(…).”
Per "the right to access," you can ask to know what the purpose of your data processing is, who has access to it (e.g., third parties) and how long it is expected to be kept. Furthermore, you have the right to receive a copy of the personal data undergoing processing.
You have the right to transfer your personal data directly from one organisation to another. The GDPR says about this right:
“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.”
This could prove relevant for you, when you are to, for example, receive products or services from an organisation related to the one that holds your personal data. For instance, you can ask your energy company to transfer your data to a solar roof company, before getting an offer from the latter. Or, if you are unsatisfied with an organisation, you can even ask of it that it transfers your personal data to a competitor, and then erases all your data.
You have the right to have your personal data modified, for instance correcting inaccurate personal data and have incomplete personal data completed. You can ask an organisation to do so either in writing or orally.
You have the right to object to the use of your personal data for specific purposes, such as profiling, and the organisation processing it then needs to stop it, unless the processing is “necessary for the performance of a task carried out for reasons of public interest.”
The right to restrict processing basically means you can ask a company not to use your information, only to store it. The European Commission gives a good example where this right can come in handy for you:
“A new bank on the domestic market offers good home loan deals. You are buying a new house and so decide to switch banks. You ask the ‘old’ bank to close down all accounts and request to have all your personal details deleted. The old bank, however, is subject to a law obliging banks to store all customer details for 10 years. The old bank is legally obliged to store your data, but you can still ask for restriction of the data to make sure that it’s not accidentally used for unwanted purposes.”
In a post-GDPR world you have certain rights when it comes to data breaches involving your personal data. But first, what does the GDPR constitute as a "personal data breach?" It is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
If your personal data is involved in a data breach that is likely to result in a high risk to your rights and freedom, the organisation responsible for processing your data needs to communicate in a clear and plain language the data breach to you without undue delay, including communication about:
There are, however, exceptions where an organisation is not legally required to communicate a data breach to you (e.g., if it has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach or if the communication would involve “disproportionate” effort). In an example as the latter, the organisation is instead required to do a public communication or similar communication whereby you and others are informed in an equally effective manner about the data breach.
Now we’ve covered the basics of what you can expect in a post-GDPR world. But wait, there’s more! Here’s some of the most Frequently Asked Questions from a consumer perspective—and of course their answers.
According to the GDPR, an organisation needs to react to your request as soon as possible and in any event within one month of your request. Depending on the complexity and number of your requests, the organisation has the right to extend with two further months, but in that case, needs to inform you about it, including the reason for the delay.
If an organisation decides not to take action on your request, it needs to inform you about it without delay and at the latest within one month of your request, including the reasons for not taking action and informing you about the possibility of leaving a complaint with your regional Supervisory Authority.
It depends on the character of the violation. If you for instance experience direct marketing from an organisation that you haven’t given consent to (or don’t recall that you have) you can start using your data rights, e.g. the right to access in order to be informed about what data the organisation holds on you and with what purpose.
If you feel that your personal data aren’t safe or you don't wish to receive communication from a particular organisation, you can always use your right to be forgotten.
If you experience a severe personal data violation or an organisation just won’t respond to your requests, you need to reach out to the Supervisory Authority in your region to leave a formal complaint.
“Maybe” would probably be the most correct answer in this point of time. The GDPR does say: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
However, it is very difficult to predict at this stage as courts have not yet considered any compensation claims brought under the GDPR.
Until a certain degree, no. However: “Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
(a) charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request.”
The organisation however needs to demonstrate the “manifestly unfounded or excessive” character of a request.
In principle you only have your regional data protection regulations. However, you can expect that international organisations will follow GDPR’s lead and offer the same personal data "services" to you as to any EU citizen. However, you do not have the legal basis to demand those rights. It is expected, though, that the GDPR will raise data protection standards globally, as other regions will most likely follow in the European Commission’s footsteps.
So, there you have it. GDPR for consumers in a nutshell. We hope you are now equipped to take back the ownership of your personal data. Maybe you’re going to start withdrawing consents right now. Or maybe you’re never going to use any of your new rights. Either way, you can be sure that your personal data is better taken care of after May 25, 2018, than it was before.