European Union: Data & Privacy
GDPR, CCPA, data subject requests, privacy rights
24 questions
👤 Individual Rights (3)
I want to get a copy of all data a company holds about me. What's my right?
You have the right to obtain a copy of all personal data a company holds about you under the GDPR, free of charge and within one month.
I want to transfer my data from one social media platform to another. Is this my right?
Yes, under the EU's Digital Markets Act and GDPR, you have the right to data portability — meaning you can request your personal data in a structured, commonly used, machine-readable format and transfer it to another platform.
I asked for my data to be corrected but the company won't do it. What are my options?
You can lodge a complaint with your national data protection authority, request judicial remedy before a court, or seek compensation for damages caused by the inaccurate data.
⚖️ Lawful Basis (5)
A company is processing my data without my consent. Is this always illegal under GDPR?
No, processing without consent is not always illegal under GDPR — consent is just one of six lawful bases; others include contract necessity, legal obligation, vital interests, public task, or legitimate interests.
A website requires me to accept all cookies to use it. Is this valid consent under EU law?
No, requiring users to accept all cookies to access a website is not valid consent under EU law because consent must be freely given, specific, informed, and unambiguous.
A company won't tell me why they're processing my data. What information must they provide?
Under EU law, a company must tell you why they’re processing your data, what legal basis they rely on, who receives it, how long it’s kept, and your rights — all within one month of your request.
A company says they need my data for 'legitimate interests'. Can I challenge this?
Yes, you can challenge a company's 'legitimate interests' claim under EU data protection law — they must conduct and disclose a balancing test, and you have the right to object at any time.
An app tracks my location constantly. Is this proportionate data collection?
Constant location tracking by an app is generally not proportionate unless strictly necessary for a specific, legitimate purpose and users have given informed, granular consent.
🚨 Breach & Remedies (6)
A company suffered a data breach with my information. Must they tell me?
Yes, under EU law, a company must notify you without undue delay if a data breach is likely to result in a high risk to your rights and freedoms.
How much can a company be fined for a serious GDPR violation?
A company can be fined up to €20 million or 4% of its global annual turnover — whichever is higher — for a serious GDPR violation.
A company keeps sending me marketing emails after I unsubscribed. What law protects me?
The ePrivacy Directive (2002/58/EC), as implemented by national laws like the UK’s PECR or Germany’s TTDSG, prohibits sending marketing emails after a valid unsubscribe request.
A data broker is selling my personal information. How do I stop this?
You have the right to object to the sale of your personal data under the GDPR, and can demand erasure or restriction of processing from any data broker handling your information.
My health data was shared with my insurance company without permission. What can I do?
You have the right to object to your health data being shared with your insurance company without your explicit consent under EU law, and you can file a complaint with your national data protection authority.
I want to complain about a GDPR violation. Where do I file?
You must file your GDPR complaint with the data protection authority (DPA) in the EU country where you live, work, or where the alleged violation occurred.
🌍 Cross-Border Transfers (2)
A company transferred my data to the US without adequate safeguards. Is this legal?
No, it is generally illegal for a company in the EU to transfer your personal data to the US without adequate safeguards, such as an adequacy decision, appropriate safeguards (e.g., SCCs), or a valid derogation.
Can I sue a company in my home country for GDPR violations even if they're based elsewhere?
Yes, you can sue a company in your home EU country for GDPR violations even if it’s based outside the EU, provided it offers goods/services to people in the EU or monitors their behaviour.
🩺 Special Data (3)
My employer monitors my work emails. Is this allowed under EU privacy law?
Yes, employers may monitor work emails in the EU, but only if it is lawful, necessary, transparent, and proportionate — and employees must be informed in advance.
A company appointed no Data Protection Officer despite processing health data. Is this required?
Yes, appointing a Data Protection Officer (DPO) is mandatory if a company processes large-scale health data under the GDPR.
My child's school shares their data with third parties. Is parental consent required?
Yes, parental consent is generally required before a school in the EU can share a child's personal data with third parties, unless another lawful basis applies and the child is under 16.
🤖 Automated Decisions (3)
I was subject to an automated decision that denied me a loan. Can I challenge it?
Yes, you can challenge an automated loan decision under the GDPR if it produces legal effects or significantly affects you — you have the right to human review and an explanation.
I object to a company profiling me for advertising. Must they stop?
Yes, under the GDPR, you have the right to object to profiling for direct marketing at any time—and the company must stop immediately.
A company uses facial recognition on me without consent. Is this legal under GDPR?
No, using facial recognition on you without consent is generally illegal under GDPR unless the company can rely on another lawful basis and meets strict conditions for processing biometric data.
🏛️ Public Authorities (2)
A government agency intercepts my phone calls for security reasons. What EU rules apply?
EU law strictly limits phone call interception by government agencies to what is necessary and proportionate for national security, subject to prior judicial authorisation and independent oversight.
A public authority reuses my data from one department in another. Is this lawful?
Reusing your personal data between departments of a public authority is lawful only if it is compatible with the original purpose, has a legal basis under GDPR, and respects your rights — including transparency and objection.