What is GDPR?

GDPR stands for General Data Protection Regulation and is a common law across the EU. It was introduced in 2018 to give you as a citizen control over your own personal information – data that can be used to identify you as a person.

GDPR means that companies and authorities cannot just do whatever they want with your data. They must know why and how they process your information – and they must be able to document it.

The law applies whether your information is stored digitally, on paper or in a database far away.

Why was GDPR introduced?

In a time where we all move online and leave traces everywhere – when we shop, search, chat or use apps – our data becomes a valuable resource. For some companies data means money. For you it is a matter of privacy and security.

Previously personal data was often used without clear consent. Many had no idea what was stored about them – or how it was used. GDPR changed that by:

  • Requiring clear communication and consent
  • Giving citizens concrete rights
  • Introducing strict requirements for security and documentation

With GDPR, privacy became not just an ethical responsibility but a legal requirement.

GDPR1

What are personal data?

Personal data are any pieces of information that can be used to identify you – directly or indirectly.

It could be for example:

  • Name, address, phone number
  • Email address or IP address
  • Social security number
  • Pictures or voice
  • Geolocation
  • Health information or lifestyle
  • Information about family, work, interests or behaviour

GDPR protects both ordinary and sensitive information. The more sensitive – the stricter the rules.

Many believe they “have nothing to hide”. But GDPR is not about hiding – it's about protecting your right to decide over your own information.

GDPR2

What are your rights?

As a citizen you have a number of rights under GDPR that give you control over what others may do with your information:

  • Right of access: You can find out what information an organisation has about you.
  • Right to erasure: You can demand your data be deleted if there is no good reason to keep it.
  • Right to rectification: You are entitled to have incorrect information corrected.
  • Right to data portability: You can receive your information in a readable format.
  • Right to object: You can say no to certain kinds of use – e.g. marketing.
  • Right to restrict processing: You can have your data “put on hold” in certain cases.

You also have the right to withdraw your consent if it was based on an earlier yes.

What must businesses and authorities do?

Everyone who processes personal data has a responsibility to protect your information – whether it is a big company, a municipality or a local association.

They must:

  • Inform you clearly and understandably
  • Collect as little as possible
  • Store securely and protect against misuse
  • Delete data when it is no longer necessary
  • Show that they comply with the rules and have security under control

Breaches of these rules can lead to large fines – and in some cases the organisation is obligated to inform you if your information is leaked.

What is consent – and when is it required?

Consent is your voluntary permission for a company to use your information. But a hidden checkbox or vague text at the bottom of the page is not enough.

A valid consent must be:

  • Voluntary – you must not be forced
  • Clear – you must understand what you are saying yes to
  • Specific – it must not be too broad
  • Informed – you must know how your information is used
  • Revocable – you must be able to change your mind easily

A good rule: If you don't understand what you are consenting to – then don't accept it.

GDPR3

What do you do if someone breaks the rules?

If you experience that your rights are violated – for example your information is used without consent, not deleted, or shared without permission – you have several options:

  1. Start by contacting the organisation directly.
  2. If you do not get an answer – or are not satisfied – you can complain to the Data Protection Authority.
  3. You can also seek help from a legal adviser if the case is serious.

Many problems can be solved with a friendly but firm inquiry. But the law is on your side.

Disclaimer

This page is made to give you an easy-to-understand overview of GDPR and your rights as a citizen. The information is not legal advice and should not be used as a substitute for professional guidance in specific cases. In case of doubt it is recommended to contact the Data Protection Authority or reach out to the team behind ClickandCry here.