The General Data Protection Regulation (GDPR), which entered into force on 25 May 2018, strengthens the rights of EU citizens regarding their personal data. All companies and associations from the 28 Member States, as well as those from non-EU countries that collect and process data from European residents (e.g. Google, Facebook or Amazon), are subject to this data protection law.
The GDPR is based on three main principles.
The site must clearly state why it collects your data, how it will be used, how long it will be kept and who will have access to it. All of this information must be presented in an understandable form (concise, legible and written in plain language). Consent must be given through a positive act (not a pre-ticked checkbox) and must be as easy to withdraw as it was to give.
Each user has a right of access to their data, which can be exercised by form, email or letter. It is now possible, for example, to download from Apple’s website all the data that the company holds on you. You can also exercise a right to be forgotten (for an embarrassing photo or piece of information, for example), a right to erasure (when leaving an e-commerce site, for instance) and a right to request delisting from a search engine. As with mobile telephony, there is a right to portability: once you have retrieved your data, you can transmit it to another site.
Each company is responsible not only for the data it collects but also for the data it passes on to subcontractors. It must be able to prove that it has put in place all appropriate means to protect your data, and it must consider in advance which data is relevant to collect and which is not. In the event of a data breach (hacking, leak, etc.), the company concerned must notify you and the competent authorities within 72 hours.
If these obligations are not met, citizens may turn to the relevant supervisory authority. The penalties are substantial: fines can reach 20 million euros or 4% of turnover.