Privaro Team · 13 min read

GDPR and Data Breaches - What Are Your Rights as a Consumer?

Learn what rights you have as a consumer in case of data breach according to GDPR. How to report breaches, claim compensation, and protect your data.

Tags: GDPR, data protection, consumer rights, data breaches, privacy

GDPR (General Data Protection Regulation) is the most important law regarding personal data protection in the European Union. Introduced in 2018, GDPR gives consumers significant rights in case of data breaches and improper processing of personal data.

According to the latest statistics, over 1,000 data breaches have been reported daily across the EU since GDPR was introduced. Worse, many companies still don't comply with GDPR or hide breaches from their users.

Do you know what rights you have as a consumer in the event of a data breach? Do you know that you can claim compensation? In this comprehensive guide, we explain your rights under GDPR and show you how to exercise them.


1. What is GDPR? The Basics

Definition of GDPR

GDPR (General Data Protection Regulation) is an EU regulation that came into effect on May 25, 2018. It replaced previous personal data protection laws and introduced uniform rules across the entire European Union.

Main goals of GDPR:

  • Protection of EU citizens' personal data
  • Increased control over own data
  • Enforcement of accountability on companies processing data
  • Unification of laws across the entire EU

Who Does GDPR Apply To?

GDPR applies to:

  • All companies operating in the EU
  • Companies outside EU that process EU citizens' data
  • Public and private organizations
  • Small and large companies (no exceptions)

GDPR does NOT apply to:

  • Data processed for personal purposes (e.g., private notes)
  • Data processed for national security purposes
  • Some cases of data processing by law enforcement

2. Your Rights as a Consumer Under GDPR

1. Right to Information

What it means:

  • You have the right to know what data is being processed
  • You have the right to know the purpose of data processing
  • You have the right to know who has access to your data

How to exercise:

  • Ask the company for information about the data it processes
  • The company must respond within 30 days
  • The response must be free of charge

2. Right of Access

What it means:

  • You have the right to receive a copy of all your data
  • You have the right to know where data comes from
  • You have the right to know who data is shared with

How to exercise:

  • Ask the company for a copy of your data
  • The company must provide the data within 30 days
  • The data must be provided in a readable format

3. Right to Rectification

What it means:

  • You have the right to correct inaccurate data
  • You have the right to complete incomplete data
  • Company must correct data without undue delay

How to exercise:

  • Report the inaccurate data to the company
  • The company must correct the data within 30 days
  • The company must inform other recipients of the data about the correction

4. Right to Erasure ("Right to Be Forgotten")

What it means:

  • You have the right to request deletion of your data
  • Company must delete data if there's no legal reason to keep it
  • Company must inform other recipients about deletion

When you can request erasure:

  • The data is no longer needed for the purposes for which it was collected
  • You withdraw consent for processing
  • Data is processed unlawfully
  • Data must be deleted to comply with legal obligation

5. Right to Restrict Processing

What it means:

  • You have the right to request restriction of data processing
  • The company may keep storing the data but cannot otherwise process it
  • Right applies until dispute is resolved

When you can request restriction:

  • You contest accuracy of data
  • Processing is unlawful
  • The company no longer needs the data, but you still do

6. Right to Data Portability

What it means:

  • You have the right to receive your data in structured format
  • You have the right to transfer data to another provider
  • Company must facilitate data transfer

How to exercise:

  • Ask the company for your data in a structured, machine-readable format such as JSON or CSV
  • Company must provide data within 30 days
  • You can transfer data to another provider

7. Right to Object

What it means:

  • You have the right to object to processing for marketing purposes
  • You have the right to object to processing for statistical purposes
  • Company must stop processing unless it has legitimate reasons

How to exercise:

  • Submit your objection to the company
  • The company must stop processing your data for marketing purposes
  • The company may continue processing only where it can show justified grounds

8. Right to Information About Data Breach

What it means:

  • You have the right to be notified about data breach within 72 hours
  • Notification must be clear and understandable
  • Notification must contain information about breach consequences

When company must notify you:

  • Breach may pose risk to your rights and freedoms
  • Breach may lead to identity theft
  • Breach may lead to financial fraud

3. Data Breaches and GDPR - Company Obligations

Obligation to Notify About Breach

When the company must notify the data protection authority:

  • Within 72 hours of breach detection
  • If breach may pose risk to rights and freedoms
  • If breach may lead to harm

What notification must contain:

  • Description of breach
  • Categories of data that leaked
  • Possible consequences of breach
  • Steps company took to fix situation
  • Recommendations on what you can do

Obligation to Notify Users

When company must notify users:

  • If breach may pose high risk to rights and freedoms
  • If breach may lead to identity theft
  • If breach may lead to financial fraud

How company must notify:

  • Directly (email, SMS, letter)
  • In clear and understandable way
  • Without undue delay

Obligation to Document Breaches

What company must document:

  • All data breaches
  • Breach circumstances
  • Breach consequences
  • Remedial steps

Why it's important:

  • Data protection authority can request documentation
  • Documentation may be needed for claims
  • Helps prevent future breaches

4. How to Report Data Breaches?

When to Report Breach?

Report breach if:

  • Your data leaked without your knowledge
  • Company did not notify you about breach
  • Breach may lead to harm
  • Company does not comply with GDPR

Where to Report Breach?

1. Data Protection Authority (DPA)

  • Main supervisory authority in your country
  • You can report breach online or by mail
  • DPA can impose fines on company

How to report:

  • Fill out form on DPA website
  • Describe breach and its consequences
  • Attach supporting documents (if you have any)

2. Company That Caused Breach

  • Report breach directly to company
  • Ask for explanations
  • Ask for information about remedial steps

3. Police

  • If the breach involves a crime
  • If you've been a victim of fraud
  • If your data is being used illegally

5. Compensation for Data Breaches

When Can You Claim Compensation?

You can claim compensation if:

  • Company violated GDPR provisions
  • Breach caused material or non-material damage
  • Company did not notify you about breach within 72 hours
  • Company did not take appropriate remedial steps

What Damages Can You Claim?

1. Material Damage

  • Financial loss caused by breach
  • Costs of changing passwords and improving your security
  • Costs of monitoring accounts
  • Loss caused by fraud

2. Non-Material Damage

  • Stress and anxiety
  • Privacy violation
  • Loss of control over data
  • Loss of trust

How to Claim Compensation?

1. Contact Company

  • Write to company about compensation
  • Describe damages you suffered
  • Ask for compensation

2. Contact DPA

  • Report GDPR violation
  • DPA can impose fines on company
  • DPA can help with claims

3. Contact Lawyer

  • If damages are significant
  • If company doesn't want to pay compensation
  • If you need legal help

6. Fines for GDPR Violations

What Fines Can DPA Impose?

1. Financial Fines

  • Up to 20 million euros or 4% of annual turnover (whichever is higher)
  • Fines for serious violations
  • Fines for not notifying about breach

2. Order to Stop Processing

  • DPA can order company to stop processing data
  • DPA can order data deletion
  • DPA can order security improvements

3. Public Announcement of Violation

  • DPA can announce violation publicly
  • This may harm company reputation
  • This may help other victims

Examples of Fines Imposed by DPAs

1. Google - 50 Million Euros (2019)

  • French DPA imposed fine for lack of transparency
  • Google did not obtain proper consent for data processing
  • Largest fine in GDPR history (at that time)

2. British Airways - 183 Million Pounds (2019)

  • Data breach of 500,000 customers
  • Fine for improper security
  • Eventually reduced to 20 million pounds

3. Marriott - 99 Million Pounds (2019)

  • Data breach of 500 million guests
  • Fine for improper security
  • Eventually reduced to 18.4 million pounds

7. How to Protect Yourself from Data Breaches?

Basic Rules

1. Limit Data Sharing

  • Don't provide more data than necessary
  • Check if company really needs data
  • Read privacy policies

2. Check Data Breaches

3. Use Strong Passwords

  • Minimum 12 characters
  • Mix of letters, numbers, and symbols
  • Different passwords for different accounts
  • Password manager

4. Enable 2FA

  • Even if your password leaks, 2FA still protects the account
  • Enable it on all important accounts
  • Use authenticator apps rather than SMS where available

5. Monitor Your Accounts

  • Regularly check bank transactions
  • Check account activity
  • Set up notifications for suspicious activity

8. What to Do If Your Data Has Been Breached?

Immediate Actions

1. Check What Data Leaked

2. Change Passwords

  • All accounts that used the same password
  • Start with most important (bank, email)
  • Use strong, unique passwords

3. Enable 2FA

  • If you don't have 2FA enabled yet, enable it now
  • It is an additional layer of protection
  • Even if your password leaks, 2FA still protects the account

4. Report Breach

  • Report to DPA
  • Report to company that caused breach
  • Report to police (if it's a crime)

5. Claim Compensation

  • If you suffered damages - claim compensation
  • Contact company
  • Contact lawyer (if needed)

6. Enable Professional Monitoring


9. Most Common GDPR Violations

1. Failure to Notify About Breach

Problem:

  • Companies often hide breaches
  • Don't notify users within 72 hours
  • Don't notify at all

What you can do:

2. Improper Consent for Processing

Problem:

  • Companies often force consent
  • Consent is not voluntary
  • Consent is not informed

What you can do:

  • You can withdraw consent at any time
  • Report improper consent to DPA
  • Ask for data deletion

3. Processing Without Legal Basis

Problem:

  • Companies process data without legal basis
  • Process data for purposes you didn't consent to
  • Process data longer than necessary

What you can do:

  • Ask for information about legal basis
  • Report violation to DPA
  • Ask for data deletion

4. Improper Security

Problem:

  • Companies don't apply appropriate security
  • Data is stored in unencrypted form
  • Lack of breach monitoring

What you can do:

  • Report lack of security to DPA
  • Demand security improvements
  • Consider changing service provider

10. Summary - Your Checklist

✅ Your Rights Under GDPR:

  • Right to information about processed data
  • Right of access to your data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Right to information about data breach

✅ If Your Data Has Been Breached:

✅ Always Remember:

  • Company must notify you about breach within 72 hours
  • You have the right to compensation for damages
  • You can report GDPR violation to DPA
  • Regularly check if your data has been breached

Don't Wait - Exercise Your Rights!

GDPR gives you significant rights as a consumer. Don't let companies ignore them. If your data has been breached or is being processed improperly - act!

Remember:

  • 1,000 data breaches per day across the entire EU
  • 72 hours - time company has to notify about breach
  • Up to 20 million euros - maximum fine for GDPR violation

Protect yourself now:

  1. Check if your data has been breached - Generate a free report on Privaro. It takes less than 10 seconds.

  2. Enable professional monitoring - Privaro offers 24/7 data breach monitoring. You'll receive notifications within 24 hours of breach detection.

  3. Know your rights - exercise rights under GDPR. If your data has been breached - act!

Your rights are protected by GDPR. Don't let companies ignore them.


Remember: GDPR is not just regulations - it's a tool to protect your data. Know your rights and exercise them. If something is wrong - act!

This article was created by the Privaro team - experts in data protection and cybersecurity.
