In force since May 2018, the General Data Protection Regulation (GDPR) transformed how organizations handle your personal data. Yet many users still don't know their concrete rights. Here's a practical guide to understanding and exercising them.

What Is GDPR?

GDPR is a European Union regulation that applies to organizations established in the EU, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour, regardless of where the data is actually processed.

Its core principles (Article 5):

  • Lawfulness, fairness and transparency: your data may only be processed on a valid legal basis, and you must be told how it is used
  • Purpose limitation: data collected for one declared purpose cannot be reused for an incompatible one
  • Data minimization: only the data necessary for that purpose may be collected
  • Accuracy: your data must be accurate and kept up to date
  • Storage limitation: your data cannot be kept longer than the purpose requires
  • Integrity and confidentiality: your data must be protected by appropriate technical and organizational security measures

Your Fundamental Rights Under GDPR

Right of Access (Article 15)

You have the right to ask any organization whether it holds personal data about you and, if so, to obtain a copy together with the purposes of processing, the recipients it is shared with, the retention period and the source of the data. The response is due within one month (extendable by two further months for complex or numerous requests, in which case you must be told within the first month) and is free of charge, except where a request is manifestly unfounded or excessive.

How to exercise it: send a written request to the organization's Data Protection Officer (DPO) or privacy contact, or use the dedicated form on its website. Keep a dated copy of the request, since the one-month clock starts when it is received. The organization may ask you to prove your identity before answering, but it cannot demand more information than it needs to do so.

Right to Rectification (Article 16)

If your data is inaccurate or incomplete, you can request that it be corrected or completed. Organizations have one month to respond.

Right to Erasure (Article 17) — The "Right to Be Forgotten"

You can request deletion of your data in several cases:

  • It's no longer necessary for the purposes for which it was collected
  • You withdraw consent
  • You object to processing
  • Your data was processed unlawfully

This right is not absolute: it does not apply where retention is necessary to comply with a legal obligation, for reasons of public interest (including public health, archiving and research), to exercise the right to freedom of expression, or to establish, exercise or defend legal claims.

Right to Data Portability (Article 20)

You can receive the data you have provided to an organization in a structured, commonly used and machine-readable format, and have it transmitted directly to another provider where technically feasible. The right covers data processed by automated means on the basis of your consent or a contract. It is particularly useful for switching social networks or cloud services.

Right to Object (Article 21)

You can object to processing based on the organization's legitimate interests or a public-interest task; it must then stop unless it demonstrates compelling legitimate grounds that override your interests. For direct marketing there is no such exception: once you object, the processing must stop.

Right to Restriction of Processing (Article 18)

In certain situations (contested data, unlawful processing, etc.), you can request that processing be suspended without the data being deleted.

How to File a Complaint

If you believe your rights aren't being respected:

  1. Contact the organization first to try to resolve the issue amicably
  2. File a complaint with your national supervisory authority (ICO in the UK, CNIL in France, etc.); authorities can order the organization to comply and impose administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher
  3. Take legal action if necessary: you can seek a judicial remedy against the organization and compensation for material or non-material damage

GDPR and Digital Legacy

GDPR raises a rarely asked question: what happens to your personal data after death?

In principle, GDPR only applies to living people. However, some platforms allow designating a digital legacy contact. Some national laws go further and recognize heirs' rights to access a deceased person's data.

To prepare for this, it's advisable to create a digital will that tells your loved ones which accounts exist and what to do with them. Rather than writing passwords into the document itself, point to a sealed recovery mechanism such as a password manager's emergency-access feature or the platform's legacy-contact setting, so that credentials are not exposed while you are alive.

What EchoPass Does for Your GDPR Compliance

At EchoPass, GDPR compliance is a priority:

  • Data minimization: we only collect what's strictly necessary
  • End-to-end encryption: your messages are unreadable to us
  • Swiss hosting: your data is stored in Switzerland and is additionally subject to the revised Swiss Federal Act on Data Protection (nLPD)
  • Right to erasure: you can delete your account and all your data at any time

Our privacy policy details all these practices.

Discover how EchoPass protects your data.