What information am I entitled to under GDPR?

Asked by: Elaina Schaefer  |  Last update: May 12, 2026

Under the General Data Protection Regulation (GDPR), you're entitled to significant control and transparency over your personal data, including rights to access, rectify, erase (be forgotten), restrict processing, port your data, and object to certain processing, plus the right to be informed about how organizations collect and use your information. You can demand details on processing purposes, legal basis, storage, sharing, and automated decision-making.

What information are you entitled to under GDPR?

In terms of content, the controller's obligation to inform includes his identity, the contact data of the Data Protection Officer (if available), the processing purposes and the legal basis, any legitimate interests pursued, the recipients when transmitting personal data, and any intention to transfer personal data to ...

What pieces of information are protected under GDPR?

GDPR Personal Data

The General Data Protection Regulation applies only if the processing concerns personal data. The term is defined in Art. 4 (1): personal data is any information relating to an identified or identifiable natural person.

What personal data is not covered by GDPR?

Information which is truly anonymous is not covered by the UK GDPR. If information that seems to relate to a particular individual is inaccurate (i.e. it is factually incorrect or is about a different individual), the information is still personal data, as it relates to that individual.

What are the 7 main principles of GDPR?

The 7 principles of GDPR (General Data Protection Regulation) are: Lawfulness, Fairness & Transparency (process data legally, fairly, openly); Purpose Limitation (use data only for specified, legitimate reasons); Data Minimisation (collect only necessary data); Accuracy (keep data correct and up-to-date); Storage Limitation (don't keep data longer than needed); Integrity & Confidentiality (secure the data); and Accountability (demonstrate compliance).


What are the 8 rules of GDPR?

The principles are:

  • Lawfulness, fairness, and transparency;
  • Purpose limitation;
  • Data minimisation;
  • Accuracy;
  • Storage limitation;
  • Integrity and confidentiality; and
  • Accountability.

These principles are found right at the outset of the GDPR, and inform and permeate all other provisions of that legislation.

What happens if you violate GDPR?

Art. 83(4) GDPR sets forth fines of up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher. Especially important here is that the term "undertaking" is equivalent to that used in Art.

Is an email address personal data under GDPR?

A work email address is personal data under the UK GDPR if it can identify a specific individual. Generic addresses (such as info@company.co.uk) are less likely to be personal data, but this depends on context. If an email address is personal data, you must handle it in line with GDPR and PECR rules.

What are the 6 legal bases of GDPR?

Article 6 of the General Data Protection Regulation (GDPR) sets out what these potential legal bases are, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.

What counts as sensitive personal data in GDPR?

Genetic data; biometric data processed solely to identify a human being; health-related data; and data concerning a person's sex life or sexual orientation.

What is not a personal data in GDPR?

In terms of origin, non-personal data can be data which never related to natural persons (such as data on weather or supply chains), or data which was initially personal data but has been anonymised (through the use of techniques that ensure the individuals to whom the data relates cannot be identified).

Are photos personal data under GDPR?

The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.

What are 5 examples of personal data?

What is personal data?

  • a name and surname.
  • a home address.
  • an email address such as 'name.surname@company.com'
  • an Internet Protocol (IP) address.
  • an identification card number.
  • a cookie ID.
  • the advertising identifier of your phone.
  • data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

What is considered a person's personal data?

Personal data can cover various types of information, such as name, date of birth, email address, phone number, address, physical characteristics, or location data – once it is clear to whom that information relates, or it is reasonably possible to find out.

What are the five rights of individuals?

The human rights that are covered by the Act

Article 2: Right to life. Article 3: Freedom from torture and inhuman or degrading treatment. Article 4: Freedom from slavery and forced labour. Article 5: Right to liberty and security.

What information can I ask for in a subject access request?

The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data, as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.

What are the 10 key requirements of GDPR?

  • 10 key GDPR requirements. ...
  • Lawful, fair, and transparent processing. ...
  • Purpose, data, and storage limitation. ...
  • Data accuracy and security. ...
  • Data Protection Impact Assessments (DPIAs) ...
  • Privacy by design and default. ...
  • Controller–Processor contracts (Article 28) ...
  • Data subject rights enablement.

How do I comply with GDPR requirements?

GDPR Requirements for U.S. Companies

  1. Determine Scope of Compliance. ...
  2. Audit Data Processing Activities. ...
  3. Establish a Legal Basis for Processing Data. ...
  4. Update Privacy Policies and Notices. ...
  5. Appoint a Data Protection Officer. ...
  6. Designate an EU Representative. ...
  7. Implement Data Protection Safeguards. ...
  8. Prepare for Data Breaches.

What are the 7 regulations of GDPR?

The 7 core principles of GDPR (General Data Protection Regulation) are: Lawfulness, Fairness, and Transparency (process data legally and openly); Purpose Limitation (use data only for specified reasons); Data Minimisation (collect only necessary data); Accuracy (keep data correct and up-to-date); Storage Limitation (don't keep data longer than needed); Integrity and Confidentiality (secure the data); and Accountability (be responsible for compliance). These principles guide how organizations must handle personal data, focusing on protecting individuals' privacy rights.

What is not classed as personal data in GDPR?

Information concerning a 'legal' rather than a 'natural' person is not personal data. Consequently, information about a limited company or another legal entity, which might have a legal personality separate to its owners or directors, does not constitute personal data and does not fall within the scope of the UK GDPR.

Can I read my employees' emails?

Employers can access stored emails located on the company system but cannot access private emails. The Computer Fraud and Abuse Act (CFAA), initially enacted to address computer hacking, also applies to employers whose monitoring goes beyond what they are authorized to do.

Are emails considered confidential information?

Email might feel like a private, one-to-one conversation safe from prying eyes, but email generally isn't confidential. Your messages can be intercepted and read anywhere in transit or reconstructed and read off of backup devices for a potentially infinite period of time.

What can you not do under GDPR?

GDPR does not apply to data processing for security purposes or for preventing, investigating, detecting, or prosecuting criminal offences. The exemption applies if you can prove that complying with relevant rules endangers national security.

What are some famous GDPR breach examples?

  • Meta's 1.2 billion euro fine: The cross-border data transfer debacle.
  • Google's violation of GDPR's right to be forgotten.
  • Twitter's failure to notify the breach.
  • Cathay Pacific: A wake-up call for the industry.
  • TIM S.P.A – failure to uphold data subjects' rights.

Can GDPR be enforced in the US?

GDPR enforcement in the US comes from EU Data Protection Authorities (DPAs), rather than US regulators. This might seem counterintuitive, but it's how the regulation is designed to work across borders. EU Data Protection Authorities have full jurisdiction over US companies that process EU personal data.