- Be informed about when companies are collecting their information.
- Access the information companies possess about them, via a “subject access request.” Companies must provide the requested information within one month and correct any inaccuracies.
- Have their information erased (this is known as “the right to be forgotten”).
- Ask for restrictions on the use of their data.
- Move or copy their data from one source to another (this is known as “data portability”).
- Object to how companies use their data, including for direct marketing and when companies make automated assumptions about what an individual might want to buy.
- Obtain clear and explicit customer consent for collection and use of their data for each type of processing done on the data. For example, one permission is required for sending e-mail marketing messages, another for sharing with third parties, and others for additional types of processing.
- Protect collected customer data. The protection requirements are similar to standards in place in the U.S.
- Notify the EU or other supervising authority within 72 hours of some data breaches. A breach must be reported if it involves “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” that can cause “risk to the rights and freedoms” of EU customers.
- Notify the individuals within the EU when a breach presents a “high risk” to basic property and privacy rights, such as when account passwords are compromised.