How to gain control over your personal data used by companies?

To exercise rights related to personal data, a corresponding request has to be sent to the company. However, one should be prepared for the company to ask for personal identification or to refuse to accept the request at all.

Pursuant to the provisions of the General Data Protection Regulation (GDPR), which was altered on 25 May, enterprises have an obligation to be more careful when processing personal data, and people have more control over their data.

The right to familiarise oneself with personal data and the purpose of processing it had already been set out earlier; however, the right to have one’s data erased (right to be forgotten) and the right to data portability have been added.

In order to use your rights, all you need to do is send a letter containing a corresponding request to the company. However, people have to be prepared, because companies can now request personal identification in order to avoid fraud. Therefore, it is a good idea to sign your claim digitally to speed up the process.

However, not all rights can be executed and companies might not accept the requests of all clients. If debtors have been entered into the so-called blacklist and they request the erasure of their data pursuant to the regulation, then the company may have a basis for refusing to do that.

If consumers clearly use this right to erase their mistakes, the company has the right to resist it. If a consumer asks that their data be erased and this data is no longer necessary to fulfill obligations arising from an agreement or legislation, the entrepreneur has no reason to oppose the consumer.

Refusal to erase data is allowed because the entrepreneur’s right to protect itself from a bad transaction overrides the debtor’s right to personal data protection. At the same time, companies have to set out, in their conditions for processing personal data, how they delete personal data and in which cases the data is stored on the grounds of legitimate interests, for example, to resolve frauds or debts.

This is only one of the rights

The erasure of data is, however, one right among many. According to the GDPR, people already had the right to obtain information about their data and the right to request the rectification of data. A person can also ask a company how his or her personal data is protected and to whom it is transferred.

A right to data portability has been added, which means that the entrepreneur has to send the person’s personal data in a structured, commonly used, and machine-readable format. It is also possible to request that this data be transmitted directly to another service provider.

Such data can be, for example, electricity consumption history, purchase history in a store, or data in an app about the activities of the user of the app.
