This post came to be through a request where people were asking: what do my rights as a citizen under GDPR really mean in day to day life? Hence this post will present you with practical examples of scenarios where the average citizen could benefit from the regulations imposed by GDPR. You can consider this a continuation of my earlier post: What does GDPR mean for regular citizens?
This post is split between the different rights, with several scenarios or examples of how and when you might want to exercise each right. For those of you who are techies or very much in the know about GDPR, this post may not be for you.
The right to know
In our day to day lives we interact with companies offering services or goods all the time. More often than not, these companies hold some personal details about us. Given that not all companies are tech companies with a profile page you can visit after logging in to check what information they have about you, this right might come in handy.
Purchasing furniture – The store will have your address, your delivery address, the size of the room, your name, surname, email, phone, mobile, payment details, preferred delivery hours, and possibly some information about your likes and dislikes and other information gathered by the designer. I have yet to see a furniture store provide me with an online portal with access to such data. As a European citizen, I have every right to know what data they are keeping about me. Once the furniture in question has been delivered and the guarantee has elapsed, having that information in hand may prompt me to make use of my right to be forgotten.
Supermarket/Store loyalty cards – Once again they have a set of your information on their system. What they may also have, unbeknownst to you, is your shopping preferences. Do they record which items you purchased, how often, and so on? Are they doing any sort of profiling based on that data? You have the right to know.
Schools/Educational institutions – Your name, surname, address, emergency contact information, your child’s details, any siblings, your child’s medical/special conditions, your civil status, where you work, your contact at work, email, identification number, your child’s grades, scores, behaviour, attendance, religious preferences etc. Once again, I haven’t yet come across a school that provides you with access to all this information, yet under GDPR you have a right to it.
Insurance companies – Your name, surname, contact information, address, email, vehicles you own, properties you own, history of any traffic accidents, history of previous claims etc. Do they provide you with automatic access to this information? Usually not, but you have a right to it.
The right to access
Just knowing what data a company is holding about me is not enough. As a citizen I actually have a right to see that data. This is to prevent companies from merely saying “we have your name, surname, email etc.” You actually have a right to see a document or file saying Name: Joe, Surname: Bloggs, email: [email protected] and so on.
The right to be forgotten
Once you know what information a company is holding about you, you may decide to exercise your right to be forgotten.
In the case of companies that need to keep a subset of the data for other regulatory purposes, you may instead request limitation of processing. This means that they can keep the data for audit and regulatory purposes but cannot use it for anything else.
It would be my personal recommendation to request your right to be forgotten from any service you are no longer using. This reduces the risk of your personal information being made public through a data breach and left at the mercy of whoever comes across it.
Building up on the previous examples:
Purchasing furniture – The furniture has been delivered and installed and the guarantee has expired. What use does the furniture company have for all that personal data? Request your right to be forgotten. They may still keep a few records, such as invoices for tax reasons under company law; however, your email, payment details, mobile number and the like are no longer relevant.
Loyalty cards – If you are no longer using the loyalty card, stop the service and request your right to be forgotten. They have absolutely no grounds to keep your data for any further processing.
Schools/Educational institutions – Once you or your child is no longer in school, request your right to be forgotten. Keep in mind that educational institutions will not be in a position to delete all the data, as they are bound by other laws to keep grades, scores, attendance and such records for a number of years. However, a lot of data/information can be deleted. If you or your child are no longer attending the school, the religious preferences, your civil status and your work details, to mention just a few, are perfect examples of information that can be deleted.
Insurance companies – Once again, depending on the information they are holding, there is a subset of data the company is no longer required by law to keep if you are no longer insured with them.
The right to data portability
This right was created to enforce and drive home the following fact: the data subject, i.e. the citizen, is the owner of the data. My personal information is my property and not the company’s property. That point aside, though, what are the tangible benefits for the citizen?
Here are some practical examples:
Heart Rate Monitor
Let’s say that I have a smart watch that constantly monitors my heart beat and my blood pressure. This data is stored on an account in the cloud provided by the manufacturer of the smart watch. Let’s call them BananaTracker. The BananaTracker application stores and tracks my data and provides me with charts and reports. This is obviously very personal and very sensitive data.
Now let’s assume that a new model by a different company, FitTracker, has come out. For one reason or another I want to start using FitTracker. On the other hand, I do not want to lose all the medical history and trends I accumulated using BananaTracker, and there is no practical way to enter this information manually into the new application.
As a European citizen under GDPR, I have every right to request from BananaTracker a copy of my data in a format that FitTracker can easily import.
To step away from the digital format, let’s consider the private doctor scenario. Now this may not apply in all countries, but here in Malta there isn’t one central system where your medical history is stored and which can be accessed and updated by every doctor. So basically, unless you go to the hospital, every private GP you have ever visited has their own file on you. Let’s assume this scenario: I live in town X and I’ve been very loyal to the GP (General Practitioner) in my town. Recently I relocated to town Y. Consequently I needed a GP closer to home. Under GDPR I have every right to request my medical file and history from my old doctor to provide it to the new doctor.
Do you use a service from a company, or online software, to manage your accounts? Do you want to change to a different service? You have a right to your data.