The General Data Protection Regulation (GDPR) grants EU citizens certain data rights—creating options for controlling personal data and offering recourse if data is processed unlawfully.
Users have the right to know when and where their data is being collected, how it will be used, whether it will be shared with third parties, and how long it will be stored. Organizations must provide this information openly and in plain language.
Data subjects have the right to request access to any personal data that an organization may hold. Once the request is received, organizations must respond within 30 days.
Data subjects can request corrections to their personal data if they discover it's inaccurate or incomplete.
EU citizens may request that an organization delete their personal data, which is why the right to be forgotten is sometimes referred to as the right to erasure. Data controllers may refuse erasure requests, but only if there’s a legitimate reason to keep the data, such as an open line of credit.
Data subjects can request limitations or changes to the way their personal data is processed by an organization.
EU citizens must be able to easily move personal data between services, which means data controllers must be able to give users their data in an easily transmittable format.
Users can challenge an organization’s purpose for processing, in which case the organization must make a good case for why its purposes are legitimate.
Data subjects can ask for a review of decisions made through automated processes.