Per-jurisdiction rights guide

Your Data Rights Under the EU GDPR

A calm, factual walkthrough of the rights the EU General Data Protection Regulation gives you over your own personal data, and how to use them.

In short

Under the EU GDPR, you have rights over your own personal data, including access, rectification, erasure, restriction, portability, and objection. You exercise them by contacting the organisation holding your data. If it does not respond properly, you can complain to your national data protection authority. This is general information, not legal advice.

What the EU GDPR covers

The EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, applies across all European Union member states. It governs how organisations handle personal data, meaning any information relating to an identified or identifiable living person. That can include your name, an email address, an online identifier, location data, or details about your health, finances, or activity.

The GDPR applies to organisations established in the EU, and also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour there. In practice, that means many of the websites, apps, and services you use day to day fall within its scope, regardless of where the company is headquartered.

The regulation gives the person whose data is being handled, called the data subject, a set of rights. These rights are exercised against the organisation that decides how and why your data is used, known as the data controller. This article is general information, not legal advice.

The rights the GDPR gives you

The GDPR sets out several distinct rights over your own personal data. You do not need to give a reason to use most of them, and an organisation generally cannot charge you a fee for a straightforward request. It must usually respond within one month, though that period can be extended for complex requests.

Each right has its own conditions and limits. For example, the right to erasure does not apply if the organisation has a legal obligation to keep the data, and the right to portability applies mainly to data you provided based on consent or a contract. Knowing which right fits your situation helps you ask clearly.

  • Right of access (Article 15): get a copy of your data and information about how it is used.
  • Right to rectification (Article 16): have inaccurate or incomplete data corrected.
  • Right to erasure (Article 17): ask for your data to be deleted in certain circumstances.
  • Right to restriction (Article 18): ask the organisation to pause its use of your data.
  • Right to data portability (Article 20): receive your data in a reusable format, or have it sent elsewhere.
  • Right to object (Article 21): object to certain uses, including direct marketing.
  • Rights around automated decisions (Article 22): not be subject to solely automated decisions with significant effects, in defined cases.

How to exercise your rights and who to contact

You start by contacting the organisation that holds your data, usually through a privacy or data protection contact listed in its privacy notice. Many larger organisations have a designated Data Protection Officer. You can ask in writing, state clearly which right you are using, and keep a dated record of what you sent.

If the organisation does not respond within the time limit, refuses without a valid reason, or handles your request poorly, you can lodge a complaint with a supervisory authority. Each EU member state has its own national data protection authority, for example the CNIL in France, the Datenschutzbehörde in Austria, or the Garante in Italy. You can generally complain to the authority in the country where you live, work, or where the issue occurred.

OSINTA is built to help you see your own digital footprint and prepare your own rights requests. The decisions stay with you, and OSINTA does not act against anyone else or remove data on your behalf. For the legal substance of any specific situation, consider speaking to a qualified adviser, since this article is general information, not legal advice.

Frequently asked questions

Does the EU GDPR apply if the company is based outside the EU?

It can. The GDPR applies to organisations outside the EU when they offer goods or services to people in the EU or monitor their behaviour there. So a non-EU company serving EU users may still be subject to your GDPR rights.

How long does an organisation have to respond to my request?

Generally one month from receiving your request. That period can be extended by up to two further months for complex or numerous requests, but the organisation should tell you within the first month if it needs more time.

Is there a fee to use my GDPR rights?

Usually no. Organisations cannot normally charge for a standard request. A reasonable fee may apply only if a request is clearly unfounded or excessive, for example repetitive, and the organisation must be able to justify that.

Which authority do I complain to if I have a problem?

Your national data protection authority. Each EU country has one, such as the CNIL in France or the Garante in Italy. You can generally complain to the authority where you live, work, or where the issue happened.

This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.

Reviewed by OSINTA's founding lawyer — 2026-06-27.
