The GDPR stipulates three essential rights that people have when their personal data is collected:
Under European law, personal data must in principle be regarded as the property of an individual. In practice, this means that the collection, storage, processing, and forwarding of data is only permitted with the express and active consent of the person in question. Implicit acceptance of an online service's data protection practices is therefore not sufficient. So-called coupling, in which a company or an authority provides certain services only in exchange for consent and leaves the user no free choice, is also not allowed.
Under Article 15 of the GDPR, people also have a right of access with respect to the companies and authorities to which they provide their personal data. The Information Commissioner’s Office in the UK offers a short, informal sample letter, which can be easily adapted and supplemented with any extra information you want to supply. The following questions are useful for getting a good overview of the extent and procedure of data storage:
- Which data is stored about my person?
- Where is this data stored?
- How was this data collected?
- For what purpose was it stored?
- To whom was my data passed on?
Although companies and authorities are obliged by law to provide information, in some cases you have to reckon with unwillingness or even harassment if you want these questions answered. This is where persistence pays off: by invoking your rights, setting a tight deadline, and ultimately threatening to consult the responsible data protection authority, you finally get the certainty that you deserve. And if you do not agree with the way in which data is collected, or if information is incorrect or outdated, or has even been stored or passed on illegally, you can apply your last right: the right to correct, delete, and block data (Article 15(1e) GDPR).