Your GDPR Rights Explained (Plain Language)
The GDPR gives every EU resident eight rights over their personal data -- from accessing what companies hold to demanding full deletion. Here is what each right means in practice.
Published April 9, 2026 in Guides
TL;DR: The General Data Protection Regulation (GDPR) gives you eight rights over your personal data: the right to access, correct, delete, port, restrict, object, withdraw consent, and avoid automated decisions. These rights apply to every company that processes your data, regardless of where the company is based, as long as you are in the EU or EEA. Companies must respond to your requests within 30 days. PrivacyFetch tracks which companies honor each right and how difficult they make the process.
What Are Your GDPR Rights?
The GDPR is the world's strongest data privacy law. It took effect on May 25, 2018, and it gives every person in the European Union and European Economic Area a set of legally enforceable rights over their personal data.
These rights apply to any company that processes your data -- whether that company is based in Berlin, San Francisco, or Singapore. If a company offers goods or services to people in the EU, or monitors the behavior of people in the EU, the GDPR applies.
There are eight core rights. Here is what each one means in plain language, with real examples of how to use them.
Right 1: The Right of Access (Article 15)
What it means: You have the right to ask any company whether they have your personal data, and if so, to receive a complete copy of it.
In plain language: You can ask any company: "What data do you have about me?" and they must answer truthfully and completely.
What you get:
- Confirmation of whether your data is being processed
- A copy of all personal data they hold about you
- Information about why they are processing it
- Who they have shared it with
- How long they plan to keep it
- Where the data came from (if they did not collect it directly from you)
Example: You submit an access request to a social media platform. They must provide you with a downloadable file containing your profile data, posts, messages, ad targeting categories, login history, and any data shared with third parties. They must also tell you which advertisers received your data and why.
How to exercise it: Send a written request to the company's data privacy contact (email or online form). You do not need to explain why. Companies must respond within 30 days.
PrivacyFetch insight: PrivacyFetch analyzes each company's privacy policy to identify the data access channels they offer -- online forms, dedicated privacy emails, or in-app request tools. Companies that make access requests easy score higher on the User Rights dimension. You can check any company's access request process in the PrivacyFetch directory.
Right 2: The Right to Rectification (Article 16)
What it means: You have the right to correct inaccurate personal data and complete incomplete data.
In plain language: If a company has wrong information about you, you can demand they fix it.
What it covers:
- Correcting factual errors (wrong name spelling, wrong address, wrong date of birth)
- Updating outdated information (old phone number, previous employer)
- Completing incomplete records (adding missing information that changes context)
Example: A data broker has your old address and lists you as living in a city you left five years ago. You submit a rectification request with your current address. They must update their records and notify any third parties they shared the incorrect data with.
How to exercise it: Contact the company with the specific data that is wrong and the correct information. They must make the correction within 30 days.
Common challenge: Companies sometimes delay rectification requests by claiming they need to "verify" the correction. Under the GDPR, the burden is on the company to prove the existing data is accurate, not on you to prove it is wrong.
Right 3: The Right to Erasure / Right to Be Forgotten (Article 17)
What it means: You can request that a company delete all of your personal data.
In plain language: You can tell any company: "Delete everything you have about me."
When it applies:
- The data is no longer needed for its original purpose
- You withdraw your consent (and consent was the legal basis for processing)
- You object to the processing and there is no overriding legitimate interest
- The data was processed unlawfully
- The data must be erased to comply with a legal obligation
When companies can refuse:
- The data is needed to comply with a legal obligation (tax records, for example)
- The data is necessary for the establishment, exercise, or defense of legal claims
- The data is needed for public health purposes
- The data serves archiving purposes in the public interest
Example: You request that a shopping website delete your account and all associated data. They must delete your profile, order history, payment information, and browsing data. They must also contact any third parties they shared your data with and request deletion there as well.
How to exercise it: Send a deletion request to the company's privacy contact. Be specific: state that you are requesting erasure under Article 17 of the GDPR and that you want all personal data deleted.
PrivacyFetch insight: PrivacyFetch rates companies on deletion difficulty. Companies that require phone calls, notarized letters, or multi-step verification processes score poorly. Companies that offer one-click deletion or simple online forms score well. Check any company's deletion process at privacyfetch.com/explore.
Right 4: The Right to Data Portability (Article 20)
What it means: You can request your data in a structured, machine-readable format and transfer it to another service.
In plain language: You can download your data from one company and take it to a competitor.
What you get:
- Your data in a common format (CSV, JSON, XML)
- The right to have data transmitted directly from one company to another (where technically feasible)
What it covers:
- Data you provided directly (profile information, uploads, messages)
- Data generated by your activity (usage logs, purchase history)
- Data the company observed about you (tracking data, behavioral data)
What it does not cover:
- Data the company inferred or derived (credit scores, risk assessments, ad categories)
- Data about other people contained in your records
Example: You want to switch from one music streaming service to another. You request portability of your playlists, listening history, and preferences in a machine-readable format. The old service must provide this data so you can import it into the new service.
How to exercise it: Request data portability specifically (not just an access request). Specify the format you want. If you want the data sent directly to another company, name that company in your request.
Right 5: The Right to Restrict Processing (Article 18)
What it means: You can ask a company to stop using your data while a dispute is resolved, without deleting it.
In plain language: You can tell a company: "Keep my data, but stop doing anything with it."
When it applies:
- You are contesting the accuracy of the data (restriction applies while the company verifies)
- The processing is unlawful but you do not want deletion -- just restriction
- The company no longer needs the data, but you need it for legal claims
- You have objected to processing (restriction applies while the company considers your objection)
Example: You dispute the accuracy of data a company holds about you. While they verify whether the data is correct, they must stop using it for any purpose -- no advertising, no profiling, no sharing. They can only store it.
How to exercise it: Send a request specifying that you are invoking Article 18 and explain which of the four grounds applies.
Right 6: The Right to Object (Article 21)
What it means: You can object to the processing of your personal data for specific purposes, and the company must stop unless they can demonstrate compelling legitimate grounds.
In plain language: You can tell a company: "Stop using my data for this purpose."
Two categories:
Objection to Direct Marketing
This is absolute. If you object to your data being used for direct marketing, the company must stop immediately. No exceptions. No balancing test. No "compelling grounds."
Objection to Legitimate Interest Processing
If a company processes your data based on "legitimate interest" (rather than consent), you can object. The company must then stop processing unless it can prove compelling grounds that override your interests.
Example: A company uses your purchase history to send personalized marketing emails. You object. They must immediately stop using your data for marketing. They can still process your data for other purposes (like fulfilling orders you have already placed).
How to exercise it: State clearly that you are objecting under Article 21. For direct marketing, no reason is required. For legitimate interest processing, explain your specific situation.
Right 7: The Right to Withdraw Consent (Article 7)
What it means: If you gave consent for a company to process your data, you can take that consent back at any time.
In plain language: If you said "yes" before, you can say "no" now.
Key principles:
- Withdrawing consent must be as easy as giving it. If consent was one click, withdrawal must be one click.
- Withdrawal does not affect the lawfulness of processing that happened before withdrawal
- The company must stop processing your data for the consented purpose going forward
- The company cannot make the service conditional on consent for unnecessary processing
Example: You consented to a website using cookies for advertising purposes. You withdraw consent. The website must stop placing advertising cookies on your browser and stop using previously collected cookie data for ad targeting going forward.
How to exercise it: Most websites provide cookie preference centers or privacy settings. For other consent-based processing, contact the company directly.
Common problem: Many companies make consent easy (a big green "Accept All" button) but withdrawal difficult (buried in settings, requiring multiple clicks). This violates the GDPR requirement that withdrawal must be as easy as giving consent. PrivacyFetch flags this asymmetry in its analysis.
Right 8: The Right Not to Be Subject to Automated Decision-Making (Article 22)
What it means: You have the right not to be subject to decisions made entirely by algorithms if those decisions have legal or significant effects on you.
In plain language: A computer cannot make important decisions about you without human involvement.
What counts as "significant effects":
- Automated credit decisions (loan approval or denial)
- Automated job application screening
- Algorithmic insurance pricing
- Automated government benefit decisions
- Algorithmic content moderation that restricts your account
What does not count:
- Personalized product recommendations
- Algorithmic content feeds
- Spam filtering
Your rights when automated decisions are made:
- The right to obtain human intervention
- The right to express your point of view
- The right to contest the decision
- The right to an explanation of the logic involved
Example: A bank uses an algorithm to automatically deny your loan application. Under Article 22, you can demand that a human review the decision, explain what factors the algorithm considered, and give you an opportunity to contest it.
How to Exercise Your GDPR Rights: Step by Step
1. Identify the company's privacy contact -- Look for a DPO (Data Protection Officer) email, privacy contact form, or privacy@company.com address. PrivacyFetch lists available contact channels for each company.
2. Write your request -- Be specific about which right you are exercising and cite the relevant GDPR article. Use clear, formal language.
3. Send the request -- Email is fine. Keep a copy and note the date.
4. Wait for a response -- Companies have 30 days to respond. They can extend this by 60 days for complex requests, but they must notify you of the extension within the first 30 days.
5. Escalate if needed -- If the company does not respond within 30 days or refuses your request without valid grounds, you can file a complaint with your national Data Protection Authority (DPA).
Template for a GDPR Access Request
Subject: Data Subject Access Request (GDPR Article 15)
To the Data Protection Officer,
I am writing to exercise my right of access under Article 15 of the General Data Protection Regulation (GDPR).
Please provide me with:
- Confirmation of whether you process my personal data
- A copy of all personal data you hold about me
- The purposes of the processing
- The categories of third parties with whom my data has been shared
- The retention period for each data category
My account details: [provide email, username, or other identifiers]
Please respond within 30 days as required by Article 12(3) of the GDPR.
Regards,
[Your name]
How PrivacyFetch Tracks GDPR Compliance
PrivacyFetch analyzes each company's privacy policy to determine which GDPR rights they acknowledge and support. For each company, we track:
- Which rights are mentioned -- Does the policy reference all eight rights?
- Request channels available -- Online form, email, postal address, in-app tool
- Deletion difficulty -- How many steps are required to delete your data?
- Response history -- Do they respond within the 30-day deadline?
- Contact information -- DPO email, privacy team contact details
You can check any company's GDPR compliance at privacyfetch.com/explore.
Key Takeaways
- The GDPR gives you eight enforceable rights over your personal data
- These rights apply to any company processing EU residents' data, regardless of where the company is based
- The right to erasure ("right to be forgotten") lets you demand complete deletion of your data
- The right to object to direct marketing is absolute -- no exceptions
- Companies must respond to all requests within 30 days
- If a company ignores your request, file a complaint with your national Data Protection Authority
- PrivacyFetch tracks which companies honor each GDPR right and how easy they make the process
This analysis is based on PrivacyFetch's automated privacy policy analysis. Check any company's privacy score