DataVenia

Complete Guide to GDPR Rights

Understanding your GDPR rights: Right to Access, Right to Erasure, Right to Portability, and how to exercise each one effectively with templates.

The General Data Protection Regulation (GDPR) is widely considered the strongest privacy law in the world. Enforced since May 2018, it gives European Union residents powerful rights over their personal data. This guide explains each GDPR right in detail and provides step-by-step instructions with templates for exercising them.

1. Who Has GDPR Rights?

GDPR applies to:

- **EU Residents:** Anyone living in a European Union member state
- **EEA Residents:** Includes Iceland, Liechtenstein, and Norway
- **Swiss Residents:** Switzerland has similar laws through agreements

**Extraterritorial Reach:** GDPR applies to companies worldwide that:

- Offer goods/services to EU residents
- Monitor the behavior of EU residents

This means US companies like Google, Facebook, Amazon, and thousands of others must comply with GDPR requests from EU residents. Even if you're not in the EU, referencing GDPR in your requests can be effective—many companies apply GDPR standards globally.

**Data Subject vs. Data Controller:**

- **Data Subject:** You—the person whose data is being processed
- **Data Controller:** The company that decides how to use your data
- **Data Processor:** Third parties that handle data on behalf of the controller

Your rights apply to any data controller holding your personal data.

2. Right to Access (Article 15)

The Right to Access gives you the right to obtain confirmation from a company about whether they're processing your personal data, and if so, to access that data and get specific information about it.

**What You Can Request:**

- Confirmation of whether your data is being processed
- A copy of all personal data they hold about you
- The purposes of processing
- The categories of personal data involved
- Who they share your data with (recipients or categories)
- How long they will store your data
- Your rights to rectify, erase, or object
- The source of the data (if not collected from you directly)
- Whether they use automated decision-making or profiling

**Response Time:** Companies must respond within 30 days of receiving your request. This can be extended by two more months for complex requests.

**Cost:** Requests must be free of charge, unless they're manifestly unfounded or excessive (particularly if repetitive).

**Documentation Required:** Companies can ask for information to verify your identity, but cannot make the process excessively difficult.

3. Right to Rectification (Article 16)

The Right to Rectification gives you the right to have inaccurate personal data corrected without undue delay.

**When to Use This Right:**

- Your name is spelled wrong
- Your address is outdated
- Your contact information is incorrect
- Other personal details are wrong
- Your data is incomplete

**How to Make a Request:**

1. Identify the specific data that is inaccurate
2. Provide the correct information
3. Submit your request to the company's data protection officer or privacy contact
4. Reference Article 16 of GDPR

**Timeline:** Companies must respond within 30 days.

**What to Do If They Refuse:**

- Ask for the specific reasons for refusal
- Request written documentation of their decision
- Appeal to the relevant data protection authority

This right is particularly important for credit reporting, where inaccurate data can affect your ability to get loans, housing, or employment.

4. Right to Erasure (Right to Be Forgotten - Article 17)

The Right to Erasure—often called the "Right to Be Forgotten"—gives you the right to request deletion of your personal data when certain conditions are met.

**When You Can Request Erasure:**

- Your data is no longer needed for its original purpose
- You withdraw consent (and no other legal basis exists)
- You object to processing (and no overriding legitimate interest exists)
- Your data was processed unlawfully
- Your data must be erased to comply with legal obligations
- Your data was collected from a child (under 16) for information society services

**Exceptions (When They Can Refuse):**

- Exercising the right of freedom of expression and information
- Legal obligation to keep the data
- Public interest in the area of public health
- Archiving purposes in the public interest
- Legal claims (establishment, exercise, or defense)

**Third-Party Deletions:** If a company has made your data public and is required to erase it, they must take "reasonable steps" to inform other controllers processing your data.

**Response Time:** 30 days (extendable by 2 months for complex requests)

This is one of the most powerful GDPR rights, but also one of the most commonly contested.

5. Right to Restrict Processing (Article 18)

The Right to Restrict Processing allows you to limit how a company uses your data, even if they don't delete it entirely.

**When You Can Request Restriction:**

- You contest the accuracy of your data (restriction while verified)
- Processing is unlawful but you don't want erasure
- They no longer need the data but you need it for legal claims
- You've objected to processing (while they verify their legitimate grounds)

**What Restriction Means:**

- They can store your data but not process it
- They can process it only with your consent
- They can process it for legal claims

**Notification:** If restriction is lifted, they must inform you before processing resumes.

This right is useful when you want to stop companies from using your data while preserving it for potential legal action or other purposes.

6. Right to Data Portability (Article 20)

The Right to Data Portability gives you the right to receive your personal data in a structured, commonly used, machine-readable format, and the right to transmit that data to another controller without hindrance.

**What This Means:**

- You can get your data in a format you can actually use (like CSV or JSON)
- You can move your data between services (e.g., switching from one cloud provider to another)
- You can request direct transmission between services

**When It Applies:**

- When processing is based on consent OR contract
- When processing is carried out by automated means

**What Data Is Included:**

- Data you provided to the controller
- Data generated by observing your activity

This right promotes competition between services by making it easier to switch providers. It's particularly relevant for social media, cloud storage, and fitness tracking services.

7. Right to Object (Article 21)

The Right to Object allows you to object to processing of your personal data in certain circumstances.

**When You Can Object:**

- Processing based on legitimate interest (including profiling)
- Processing for direct marketing (always allowed to object)
- Processing for scientific/historical research/statistical purposes

**Direct Marketing:** You always have the absolute right to object to processing for direct marketing. Once you object, they must stop.

**Legitimate Interest:** When objecting to processing based on legitimate interest, the company must stop processing unless they demonstrate:

- Compelling legitimate grounds for processing
- That their grounds override your interests, rights, and freedoms
- That the processing is for legal claims

**Automated Decision-Making:** You have the right not to be subject to solely automated decisions, including profiling, that produce legal effects or similarly significant effects. Exceptions exist if:

- It's necessary for contract performance
- It's authorized by law
- It's based on explicit consent

8. Rights Related to Automated Decision Making (Article 22)

GDPR gives you specific protections regarding automated decision-making and profiling.

**What Is Automated Decision-Making?**

- Credit decisions made without human review
- Online pricing based on profiling
- Job application screening algorithms
- Content recommendation systems

**Your Rights:**

- The right not to be subject to solely automated decisions with legal or similarly significant effects
- The right to human intervention
- The right to express your point of view
- The right to contest the decision

**Exceptions:** These apply if the decision is:

- Necessary for entering into/fulfilling a contract
- Authorized by law with appropriate safeguards
- Based on explicit consent

When you're subject to automated decision-making, companies must provide:

- Meaningful information about the logic involved
- The significance and envisaged consequences
- Measures taken to prevent errors, bias, and discrimination

9. GDPR Request Template: Access Request

**Subject: GDPR Data Access Request - [Your Name]**

To: [Company Privacy Team/Data Protection Officer]

Dear Sir/Madam,

I am writing to exercise my right of access under Article 15 of the General Data Protection Regulation (GDPR). I am a resident of [Your Country, if in EU/EEA] and request that you provide me with a complete copy of all personal data you hold about me.

Please include the following information as required by Article 15:

- Confirmation of whether my personal data is being processed
- A copy of all my personal data in my account
- The purposes of the processing
- The categories of personal data concerned
- The recipients or categories of recipients to whom my data has been disclosed
- The retention period for storing my data or the criteria used to determine this period
- Information about the source of my personal data, if not collected directly from me
- The existence of automated decision-making, including profiling
- My rights to rectification, erasure, restriction of processing, and to object

I understand that under GDPR, you must respond to this request within 30 days of receipt.

If you need additional information to verify my identity, please contact me at [Your Email Address] or [Phone Number].

Please send all information to: [Your Email Address]

Sincerely,

[Your Full Name]
[Date of Birth, if applicable to verification]
[Account Username/Email on file]
[Date]

10. GDPR Request Template: Deletion Request

**Subject: GDPR Data Deletion Request - [Your Name]**

To: [Company Privacy Team/Data Protection Officer]

Dear Sir/Madam,

I am writing to exercise my right to erasure under Article 17 of the General Data Protection Regulation (GDPR). I request that you delete all personal data you hold about me without undue delay, as I am entitled to this right because:

[Select applicable grounds - keep relevant ones, delete others]

☐ The personal data are no longer necessary in relation to the purposes for which they were collected
☐ I withdraw my consent for the processing of my data [if applicable]
☐ I object to the processing of my personal data [if applicable, explain grounds]
☐ My personal data have been processed unlawfully
☐ You must erase my personal data to comply with a legal obligation
☐ My personal data were collected in relation to the offer of information society services to a child

I understand that under GDPR, you must respond to this request within 30 days of receipt. If you cannot comply with my request for deletion, please provide a detailed explanation of the reasons why.

If you need additional information to verify my identity, please contact me at [Your Email Address] or [Phone Number].

Please confirm deletion to: [Your Email Address]

Sincerely,

[Your Full Name]
[Date of Birth, if applicable to verification]
[Account Username/Email on file]
[Date]

11. What to Do When Your Request Is Denied

Companies may deny GDPR requests for legitimate reasons. Here's what to do:

**Understand the Reason:**

- Request specific details about why your request was denied
- Ask which GDPR exception they're relying on
- Request written documentation of their decision

**Common Denial Reasons:**

- Legal obligation to retain data (e.g., financial records)
- Legitimate interest that overrides your rights
- Data needed for legal claims
- Public interest in continued processing

**Your Options When Denied:**

1. **Submit a Complaint to a Data Protection Authority:**
   - In the EU: Contact your national DPA
   - In the UK: Information Commissioner's Office (ICO)
   - They will investigate and can issue fines
2. **Seek Judicial Remedy:**
   - You have the right to sue for damages
   - You can seek an injunction to stop processing
3. **Public Pressure:**
   - Some companies respond to public attention
   - Consider contacting consumer protection organizations
   - Media coverage can be effective

**Documentation:** Always keep:

- Copies of your original request
- Their response (or lack thereof)
- Timeline of communications
- Reference numbers and case IDs

This documentation is essential for any formal complaint or legal action.
