data protection rules protect your personal data wherever it is collected — for example, when you make an online purchase, apply for a job or apply for a bank loan. These rules apply to both companies and organizations (public and private), established , which offer goods or services there , such as Facebook or Amazon, when they request or reuse the data. of a personal nature of EU citizens.

Regardless of the format of the data — online in a computer system or on paper in a structured record — where information directly or indirectly identifying you as an individual is stored or processed, your data protection rights must be respected.

When is data processing permitted?

The EU data protection rules, also known as the “General Data Protection Regulation” (or GDPR), describe different situations in which a company or organization is allowed to collect or reuse your information . personal :



  • when it has entered into a contract with you — for example, a contract for the supply of goods or services (when you make a purchase online) or a contract of employment;
  • where it complies with a legal obligation – for example, where the processing of your data is a legal requirement, such as where your employer provides information about your monthly remuneration to the social security body, so that you have social coverage;
  • where the data processing is in your vital interests – for example, where it could protect your life;
  • when it is charged with a mission of public order — in particular one of those incumbent on public establishments such as schools, hospitals and municipalities;
  • where legitimate interests are at stake — for example, if your bank uses your personal data to check whether you can get a savings account with a higher interest rate.

In all other situations, the company or organization must ask for your agreement (also called “consent”) before collecting or reusing your personal data.

Giving consent (“consent”) to the processing of data

When a company or organization asks for your consent, you must expressly indicate your agreement , for example by signing a consent form or by answering “yes” (instead of “no”) to a request for consent appearing clearly on a Web page.

It is not enough to object to the processing of your data, for example by ticking a box indicating that you do not wish to receive advertising emails. You must expressly give your consent and accept that your personal data will be kept and/or reused for this purpose.

In addition, you must receive the following information before giving your consent:

  • information about the company/organisation which will process your personal data, including its contact details, and the contact details of the data protection officer, if there is one;
  • the purpose for which the company/organization will use your data;
  • how long it intends to keep your data;
  • the contact details of any other company or organization that will receive your data;
  • information on your data protection rights (access, rectification, deletion, complaints and withdrawal of consent).

All this information must be presented in a clear and understandable way .

Withdrawal of consent to the use of personal data and right to object

If you have previously authorized a company or organization to use your personal data, you can contact the data controller (the person or body processing your personal data) and withdraw this authorization at any time . Once permission is withdrawn, the company or organization can no longer use your personal data .

When an organization processes your personal data for its own legitimate interest, in the context of a mission of general interest or on behalf of an authority, you may have the right to object. In certain specific cases, the general interest may prevail and the company or organization may be authorized to continue to use your personal data. This may be the case, for example, for statistical or scientific research purposes or for tasks carried out within the framework of the official activities of a public authority.

Companies wishing to send you direct marketing emails promoting the merits of particular brands or products must obtain your prior consent. However, if you are already a customer of a company, they may send you direct marketing emails about their own similar products or services. You have the right to object at any time to receiving these emails. In this case, the company must stop using your data immediately .

In any case, the company or organization concerned must always inform you of your right to object to the use of your personal data the first time it contacts you.

Real story

You can object to the use of your personal data for direct marketing purposes

Anatolios buys two tickets online to attend the concert of his favorite band. After his purchase, he begins to receive advertising emails for concerts and events that do not interest him. He then contacts the online ticketing company to ask them to stop sending him these advertisements. The company immediately removed it from its direct marketing lists, to the satisfaction of Anatolios, who no longer receives advertising emails from the company.

Specific rules for children

If your children want to use online services, such as social media, or download music or games, they will often need your consent , as a parent or legal guardian , as these services use Personal Data. personal of your children. They will no longer need parental consent once they turn 16 . Controls to verify parental consent must be effective: for example, sending a verification message to the email address of

Access to your personal data

You can request access to the personal data that a company or organization has about you, and you have the right to obtain a copy of this data, free of charge, in an accessible format. The company or organization concerned must respond to you within one month and provide you with a copy of your personal data and all relevant information relating to the way in which this data has been, or is being, used .

Real story

You have the right to know what data is stored about you and how it is used

Maciej from Poland signs up for his local supermarket’s loyalty program. Shortly after signing up, he begins to receive coupons that better match the purchases he makes. He then wonders if there is a link with the loyalty program, and asks the data protection officer of the supermarket what information is kept about him and how it is used. Maciej learns that the supermarket keeps data on the products he buys each week, so that they can provide him with coupons for the products he usually buys.

Rectify your personal data

If a company or organization keeps personal data about you that is inaccurate or incomplete, you can ask them to correct or update your data .

Real story

You have the right to rectify inaccurate data concerning you

Alison applies for a mortgage from her bank to buy a new house in Ireland. While completing the registration form, she makes a mistake in entering her date of birth, which results in the bank recording her age inaccurately in its system.

When Alison receives the bank’s quotes for her new mortgage and the life insurance that comes with it, she realizes her mistake, as the proposed insurance premium is much higher than her current premium. She contacts the bank to ask them to rectify her personal data in the system. She then receives a new version of the insurance proposal indicating her exact date of birth.

Transfer your personal data (right to data transfer)

In certain situations, you can ask a company or organization to resend your data to you or to transfer it directly to another company or organization , if it is technically possible. This is called “data transferability (or portability)”. You can exercise this right in particular if you decide to switch from one service to another similar service – for example, switch from one social media site to another – and you want your personal data to be quickly and easily transferred to the new service.

Deletion of your personal data (right to be forgotten)

If your personal data is no longer needed or if it is being used illegally, you can request that it be deleted. This is called the “right to be forgotten”.

These rules also apply to search engines , such as Google, which are also considered data controllers. You can request that links to web pages where your name appears be removed from results provided by search engines, if the information concerned is inaccurate, inadequate, irrelevant or excessive.

If a company has posted your personal data online and you ask them to delete that data and links to it, the company must also notify any other websites with which it has been shared.

In order to protect other rights, such as freedom of expression, certain data may not be automatically deleted. For example, controversial statements made in the public sphere might not be removed if keeping them online is in the public interest.

Real story

You can request that your personal data be deleted from other sites

Alfredo decides not to use any social media anymore; he therefore deletes his profile on the social media sites he was using. However, a few weeks later, when searching his name in a search engine, he finds that the profile photos of his old social media accounts are still visible online. Alfredo contacts the social media companies concerned and asks them to take the necessary steps to have these photos removed. When he performs the same search a month later, he finds that the photos have indeed been removed and no longer appear in the search engine results.

Unauthorized access to your data (data breach)

If your personal data is stolen or lost or unlawfully accessed — known as a ” personal data breach ” — the data controller (the person or body processing your personal data personnel) must inform the national data protection authority . The controller must also inform you directly if this breach results in a serious risk to your personal data or your privacy.

File a complaint

If you believe that your data protection rights have not been respected, you can lodge a complaint directly with your national data protection authority , who will examine your complaint and respond to you within three months.

You can also choose to sue the company or organization directly without first going through your national data protection authority.

You may be entitled to compensation if you have suffered material (such as financial loss) or moral (such as psychological suffering) damage because a company or organization failed to comply with EU protection rules Datas.

Use of cookies

Cookies are small text files that websites instruct your browser to store on your computer or mobile device. They are frequently used to make websites more efficient by saving your preferences. They are also used to track your internet usage as you browse, create your user profiles and display targeted online advertisements based on your preferences.

Any website wishing to use cookies must obtain your consent before placing a cookie on your computer or mobile device. A website cannot simply inform you that it uses cookies or explain how you can deactivate them.

Sites should explain how the information they collect through cookies will be used . You should also be able to withdraw your consent . If you make this choice, the site must continue to provide you with a ” minimum service “, by giving you access to some of its content, for example.

Not all cookies require your consent . Cookies used for the sole purpose of carrying out the transmission of a communication do not require consent. These include, for example, cookies used for “load balancing” (allowing requests from a web server to be distributed over a set of machines rather than just one). Cookies that are essential to provide you with an online service that you have explicitly requested also do not require consent. These are, for example, cookies used when you fill out an online form or when you use a shopping cart in an online store.

data protection rules protect your personal data wherever it is collected — for example, when you make an online purchase, apply for a job or apply for a bank loan. These rules apply to both companies and organizations (public and private), established in or outside the EU, which offer goods or services there , such as Facebook or Amazon, when they request or reuse the data. of a personal nature of EU citizens.

Regardless of the format of the data — online in a computer system or on paper in a structured record — where information directly or indirectly identifying you as an individual is stored or processed, your data protection rights must be respected.

When is data processing permitted?

The EU data protection rules, also known as the “General Data Protection Regulation” (or GDPR), describe different situations in which a company or organization is allowed to collect or reuse your information . personal :

  • when it has entered into a contract with you — for example, a contract for the supply of goods or services (when you make a purchase online) or a contract of employment;
  • where it complies with a legal obligation – for example, where the processing of your data is a legal requirement, such as where your employer provides information about your monthly remuneration to the social security body, so that you have social coverage;
  • where the data processing is in your vital interests – for example, where it could protect your life;
  • when it is charged with a mission of public order — in particular one of those incumbent on public establishments such as schools, hospitals and municipalities;
  • where legitimate interests are at stake — for example, if your bank uses your personal data to check whether you can get a savings account with a higher interest rate.

In all other situations, the company or organization must ask for your agreement (also called “consent”) before collecting or reusing your personal data.

Giving consent (“consent”) to the processing of data

When a company or organization asks for your consent, you must expressly indicate your agreement , for example by signing a consent form or by answering “yes” (instead of “no”) to a request for consent appearing clearly on a Web page.

It is not enough to object to the processing of your data, for example by ticking a box indicating that you do not wish to receive advertising emails. You must expressly give your consent and accept that your personal data will be kept and/or reused for this purpose.

In addition, you must receive the following information before giving your consent:

  • information about the company/organisation which will process your personal data, including its contact details, and the contact details of the data protection officer, if there is one;
  • the purpose for which the company/organization will use your data;
  • how long it intends to keep your data;
  • the contact details of any other company or organization that will receive your data;
  • information on your data protection rights (access, rectification, deletion, complaints and withdrawal of consent).

All this information must be presented in a clear and understandable way .

Withdrawal of consent to the use of personal data and right to object

If you have previously authorized a company or organization to use your personal data, you can contact the data controller (the person or body processing your personal data) and withdraw this authorization at any time . Once permission is withdrawn, the company or organization can no longer use your personal data .

When an organization processes your personal data for its own legitimate interest, in the context of a mission of general interest or on behalf of an authority, you may have the right to object. In certain specific cases, the general interest may prevail and the company or organization may be authorized to continue to use your personal data. This may be the case, for example, for statistical or scientific research purposes or for tasks carried out within the framework of the official activities of a public authority.

Companies wishing to send you direct marketing emails promoting the merits of particular brands or products must obtain your prior consent. However, if you are already a customer of a company, they may send you direct marketing emails about their own similar products or services. You have the right to object at any time to receiving these emails. In this case, the company must stop using your data immediately .

In any case, the company or organization concerned must always inform you of your right to object to the use of your personal data the first time it contacts you.

Real story

You can object to the use of your personal data for direct marketing purposes

Anatolios buys two tickets online to attend the concert of his favorite band. After his purchase, he begins to receive advertising emails for concerts and events that do not interest him. He then contacts the online ticketing company to ask them to stop sending him these advertisements. The company immediately removed it from its direct marketing lists, to the satisfaction of Anatolios, who no longer receives advertising emails from the company.

Specific rules for children

If your children want to use online services, such as social media, or download music or games, they will often need your consent , as a parent or legal guardian , as these services use Personal Data. personal of your children. They will no longer need parental consent once they turn 16 (in some EU member states this age limit can be lowered to 13). Controls to verify parental consent must be effective: for example, sending a verification message to the email address of

Access to your personal data

You can request access to the personal data that a company or organization has about you, and you have the right to obtain a copy of this data, free of charge, in an accessible format. The company or organization concerned must respond to you within one month and provide you with a copy of your personal data and all relevant information relating to the way in which this data has been, or is being, used .

Real story

You have the right to know what data is stored about you and how it is used

Maciej from Poland signs up for his local supermarket’s loyalty program. Shortly after signing up, he begins to receive coupons that better match the purchases he makes. He then wonders if there is a link with the loyalty program, and asks the data protection officer of the supermarket what information is kept about him and how it is used. Maciej learns that the supermarket keeps data on the products he buys each week, so that they can provide him with coupons for the products he usually buys.

Rectify your personal data

If a company or organization keeps personal data about you that is inaccurate or incomplete, you can ask them to correct or update your data .

Real story

You have the right to rectify inaccurate data concerning you

Alison applies for a mortgage from her bank to buy a new house in Ireland. While completing the registration form, she makes a mistake in entering her date of birth, which results in the bank recording her age inaccurately in its system.

When Alison receives the bank’s quotes for her new mortgage and the life insurance that comes with it, she realizes her mistake, as the proposed insurance premium is much higher than her current premium. She contacts the bank to ask them to rectify her personal data in the system. She then receives a new version of the insurance proposal indicating her exact date of birth.

Transfer your personal data (right to data transfer)

In certain situations, you can ask a company or organization to resend your data to you or to transfer it directly to another company or organization , if it is technically possible. This is called “data transferability (or portability)”. You can exercise this right in particular if you decide to switch from one service to another similar service – for example, switch from one social media site to another – and you want your personal data to be quickly and easily transferred to the new service.

Deletion of your personal data (right to be forgotten)

If your personal data is no longer needed or if it is being used illegally, you can request that it be deleted. This is called the “right to be forgotten”.

These rules also apply to search engines , such as Google, which are also considered data controllers. You can request that links to web pages where your name appears be removed from results provided by search engines, if the information concerned is inaccurate, inadequate, irrelevant or excessive.

If a company has posted your personal data online and you ask them to delete that data and links to it, the company must also notify any other websites with which it has been shared.

In order to protect other rights, such as freedom of expression, certain data may not be automatically deleted. For example, controversial statements made in the public sphere might not be removed if keeping them online is in the public interest.

Real story

You can request that your personal data be deleted from other sites

Alfredo decides not to use any social media anymore; he therefore deletes his profile on the social media sites he was using. However, a few weeks later, when searching his name in a search engine, he finds that the profile photos of his old social media accounts are still visible online. Alfredo contacts the social media companies concerned and asks them to take the necessary steps to have these photos removed. When he performs the same search a month later, he finds that the photos have indeed been removed and no longer appear in the search engine results.

Unauthorized access to your data (data breach)

If your personal data is stolen or lost or unlawfully accessed — known as a ” personal data breach ” — the data controller (the person or body processing your personal data personnel) must inform the national data protection authority . The controller must also inform you directly if this breach results in a serious risk to your personal data or your privacy.

File a complaint

If you believe that your data protection rights have not been respected, you can lodge a complaint directly with your national data protection authority , who will examine your complaint and respond to you within three months.

You can also choose to sue the company or organization directly without first going through your national data protection authority.

You may be entitled to compensation if you have suffered material (such as financial loss) or moral (such as psychological suffering) damage because a company or organization failed to comply with EU protection rules Datas.

Use of cookies

Cookies are small text files that websites instruct your browser to store on your computer or mobile device. They are frequently used to make websites more efficient by saving your preferences. They are also used to track your internet usage as you browse, create your user profiles and display targeted online advertisements based on your preferences.

Any website wishing to use cookies must obtain your consent before placing a cookie on your computer or mobile device. A website cannot simply inform you that it uses cookies or explain how you can deactivate them.

Sites should explain how the information they collect through cookies will be used . You should also be able to withdraw your consent . If you make this choice, the site must continue to provide you with a ” minimum service “, by giving you access to some of its content, for example.

Not all cookies require your consent . Cookies used for the sole purpose of carrying out the transmission of a communication do not require consent. These include, for example, cookies used for “load balancing” (allowing requests from a web server to be distributed over a set of machines rather than just one). Cookies that are essential to provide you with an online service that you have explicitly requested also do not require consent. These are, for example, cookies used when you fill out an online form or when you use a shopping cart in an online store.

Protect your Personal Information and privacy with Incogni .