Protecting personal data is more important than ever, as many digital business models rely on collecting personal information. You may have experienced your data being shared or processed without your consent. The good news: the General Data Protection Regulation (GDPR) provides numerous ways to fight back. While enforcement can sometimes seem challenging, the GDPR helps raise awareness about data protection among businesses and authorities. This article provides examples of how you can assert your rights.
Common Everyday Data Protection Issues
Here are some typical scenarios where data protection is violated, based on personal experiences:
- Unwanted publication of personal data: Platforms or social networks share your phone number or address without your consent, leaving your contact details exposed online.
- Unauthorized data collection: Tracking cookies or your IP address are stored for advertising purposes without your knowledge or consent.
- Negligent handling of sensitive data: Completed medical forms are left visible at the reception desk or behind the counter in a doctor’s office. Even worse, I’ve personally encountered situations where a doctor leaves the treatment room without locking their computer. In the 10 minutes they were gone, I could have accessed numerous confidential health records of their patients.
- Unsolicited contact: You receive calls from sales representatives or market research companies without giving consent. These unwanted interactions often stem from leaked phone numbers or email addresses.
Your Rights Under the GDPR
The GDPR gives you several tools to combat the misuse of your data:
- Right of Access (Art. 15): You can request information on what data has been stored about you.
- Right to Erasure (Art. 17): You can request the deletion of your data (“Right to be Forgotten”).
- Right to Rectification (Art. 16): Incorrect data must be corrected upon your request.
- Right to Restrict Processing (Art. 18): You can specify that your data is processed only under certain conditions.
- Right to Information (Art. 13, 14): Companies must inform you why and how your data is being processed.
- Right to Object (Art. 21): You can object to the processing of your data.
- Right to Compensation (Art. 82): In case of violations, you can claim damages for material or immaterial harm.
Now you’re probably wondering, okay, I theoretically have all these rights under the GDPR, but how can I practically protect my data?
Practical Steps to Protect Your Data
Think carefully about the information you share, as not all of the information a service asks for is actually required to use it. Consider using creative strategies such as:
- Providing minimal or false information: Share your phone number only if absolutely required. A “burner” number (a temporary number) can help avoid spam.
- Using “burner” data: Use a separate number for contacts or requests that you can easily replace. For example, I never share my primary number unless absolutely necessary. Instead, I use a “burner” number, which I change at least once a year for services like contractors. Friends and family have my main number via eSIM. This way, I always have two numbers, one of which can be shared more freely.
Act Friendly but Firm
If you notice careless handling of your data (e.g., at a doctor’s office), politely bring it to the person’s attention. Remaining friendly but assertive often encourages compliance with your request for better care. While data should not be handled negligently in the first place, being confrontational might provoke defensive responses like, “All my customers are trustworthy; I have the right to read your phone number aloud in my store.” Staying polite increases the chances of achieving insight and change.
Block Unwanted Contact
If you receive unwanted calls or messages, clearly state that you do not consent to the use or processing of your data. If you know the company’s address, request the deletion of your data in writing and ask for confirmation. Every company of a certain size is required to have a data protection officer you can contact. For smaller companies, contact information in their legal notice (imprint) is typically sufficient to send your written request.
This approach works for reputable companies. For outright spammers, often operating from abroad, your best options are blocking, not responding, and periodically changing your phone number and email address.
Reporting to Authorities and Taking Legal Action
If a company fails to respond, report the incident to the relevant data protection authority. In Germany, these authorities operate at the state level (depending on where you live). Many of them provide online forms to simplify the reporting process. Notify the company beforehand, set a deadline, and inform them of your intent to report the issue.
If all else fails, legal action is an option. Consumer protection agencies can assist, especially if multiple people are affected. Suing is a last resort and involves weighing the costs against the potential benefits.
Opt for Privacy-Friendly Businesses
Choose to work with companies that prioritize data protection, have clear points of contact, and respond to your requests. If a company disregards your rights, report them to the data protection authority and avoid dealing with them in the future.
Conclusion
Data protection violations can be frustrating and concerning, but you’re not powerless. Exercise your rights, document violations, and proceed step by step. Sometimes, just the threat of reporting a violation is enough to resolve the issue. Stay patient, persistent, and choose businesses that take data protection seriously.
Checklist:
- Share only essential information and use temporary phone numbers or email addresses if needed.
- Politely but firmly point out data protection issues and request corrections.
- For unsolicited contact, request deletion of your data and contact the company’s data protection officer.
- Block untrustworthy contacts and regularly update your phone number or email address.
- For severe cases, report violations to your state’s data protection authority and consider legal action if necessary.