
All You Need To Know About GDPR

November 15, 2020

The GDPR, or General Data Protection Regulation, is a series of laws and regulations adopted in May 2016 by the European Parliament and Council to give European Union citizens better control over their data online. It has been in effect since 25 May 2018.

To all non-European readers: this article is mainly intended for Europeans, but you can still read the first two parts to learn more about GDPR. You're not directly affected by it, but this initiative has sparked other data protection laws like the Consumer Privacy Act in California.

What is GDPR?

The intent of GDPR was to give European citizens more control over what data about them is stored and for how long.

That way, European citizens are legally backed up by the EU in terms of data protection, and people or organisations who use digital services are obliged to state what data they keep about you and what they do with it.

The other great point about GDPR is that it applies to everyone operating in the EU, so European citizens aren't only protected on websites but also at work or even on the streets!

But it's also enforceable for companies and corporations.

What it has already done

Over the 4 and a half years since it was enacted, it has enabled several Courts of Justice within the EU to issue fines, some of them very expensive, to tech companies, but not only to them.

You can't really draw up a typical profile for people who received the 410 fines given out so far. Some were given to companies, others to individuals, political parties, restaurants, universities, airports, institutes...

Recently, H&M got fined 35,258,707.95€ in Germany for tracking its employees, and British Airways got fined 22,000,000€ for being hacked, as the British Information Commissioner ICO said this hack was preventable. The Dutch National Credit Register BKR was also fined 830,000€ by the Dutch Data Protection Authority for making their customers pay to access their private information. Even an individual person was hit by an 8,000€ fine for having CCTV cameras monitoring public space in Greece.

The largest fine given so far was by the French Data Protection Authority CNIL to Google, which had to pay 50,000,000€. The smallest was given by the Estonian Data Protection Authority to a police officer in Estonia, who was fined 48€.

Although not directly linked to GDPR, the EU also fined Google 1,490,000,000€ as part of its war on GAFAM.

How to use your rights

These laws also directly give you some power over your data.

Your rights are:

  • The right to request reading and retrieval of your data
  • The right to request rectification of your data
  • The right to request deletion of all or part of your data

In short, GDPR theoretically gives you complete access and control over your personal data. But sadly, reality is a little more complex, as some websites and services use what are called 'dark patterns' to try and discourage you from using your rights.

Concretely, they offer these options (because they are legally obliged to) but hide them in lots of different sub-menus and complicated access paths to make it as hard as possible to use them. And that isn't illegal.

Still, we're not going to go into much detail about that problem in this article, so let's move on to how to use your rights.

To help you use your rights, many websites have been created. Here are a few useful links:

  • With JustDeleteMe, you can find information on how easy it is to delete your account on many websites, but also details and links to help you do so.
  • You can download all the data from your Google account with help from this Google help page.
    Before you do so, you should know that this procedure will download everything you have ever saved with Google services, so if you've had your account for a long time the file will be very big, and you will need a lot of time ahead of you to read everything!
  • You can download all the data from your Facebook account with help from this article from FossBytes. As with Google, this will download everything, so if you use social media a lot (not only posts, but also comments, likes, conversations...) the file will be big.

For other online services or companies which don't directly offer a retrieval or deletion option on their website, you can email them asking them to do so. You can find help for writing this letter on the ICO's website.

They should answer favourably to your request, but if they don't reply after several enquiries or refuse to comply with your request, you are entitled to start a legal challenge against them. You should only go that far if the data is very sensitive or if the company isn't too big, as that kind of procedure is often very long and costly.

Alternatively, you can get in touch with a consumer association. They can usually talk with companies more easily than individuals, or group together the requests of several people to have more weight against larger companies.



External resources: GDPR Information from the European Commission website, Every GDPR fine since 2018, What counts as personal data?
