EU citizens' rights under the EU GDPR

As an EU citizen you have several rights, and we will discuss those that fall within the scope of the GDPR. As you probably already imagine, most of them relate to your personal data and its processing. We remind you that once you consent to have your personal data processed by an organization, you become a data subject. This does not diminish your rights as an EU citizen; if anything, it gives you more. We already discussed some of these rights under the chapter ‘Data subjects’. We will go a little more in depth on some of them, but we will also discuss other rights.

In short, the most basic and most discussed rights of individuals under the GDPR are the following: the right to be informed, to access their data, to rectification, to erasure, to restrict processing, to data portability, to object and to restrict automated decisions and profiling.

From the beginning, your first right as an EU citizen is to refuse to become a data subject, that is, to refuse to have your personal data processed. However, it is unlikely that many people will manage to stay completely off the grid, without any bank activity, official employment, phone, or more.

Once you’ve consented and become a data subject, you have the right to be informed about anything that happens with your personal data and what it is used for. You have the right to access it, to modify it and even to remove your consent for a certain organization. At the same time, you have the right to access your personal data when you want.

Under the GDPR an individual has the right to restrict processing of personal data in various circumstances. For example, a data subject can restrict processing when they feel their personal data is not accurate. In this case they will be able to restrict the processing until the accuracy of their data has been verified. Another case when processing can be restricted is when a person objects to the processing.

You also have the right to data portability. Unless other contractual issues pre-exist (of which you should be informed before you allow your data to be processed), you can move your data from one provider to another in an easy and secure manner.

Another important right is the right to erasure (or the right to be forgotten). The general principle is that an individual has the right to request the deletion or removal of their personal data. This right is not absolute, meaning there are circumstances when data will not be erased at the request of the individual. For example, if the personal data is used to comply with a legal obligation, or for public health purposes, for scientific research or for the exercise or defense of legal claims, then the individual's request for erasure can be denied.

The right to restrict automated decisions and profiling is practically a safeguard against a potentially damaging decision that might be taken without human intervention. If the automated decision is based on explicit consent or is authorized by law, then this right no longer applies. The GDPR defines profiling as any form of automated processing intended to evaluate personal aspects of an individual, such as their performance at work, their health, personal preferences, economic situation, location and more. If you do resort to profiling, you must be sure several safeguards are in place. For example, make sure you are using appropriate mathematical or statistical procedures, secure personal data, create measures that enable inaccuracies to be corrected and minimize the risk of errors. However, automated processing must never be applied to the data of a child.