Are you controlling your virtual identity?

31 October 2019

For many companies (e.g. social media platforms and email providers), collecting your personal data and sharing it with third parties is a large component of their business model. They use the personal data they get from your public profile on their online platform to map your virtual identity. Bear in mind that they may use even more information than what you actively share with them. This could, for example, be tracking of your email, your location or the pages you show interest in. All of the information they manage to collect about you, your interests and your preferences contributes to the mapping of your virtual identity. The companies then monetize your personal data for targeted advertising.

Special Eurobarometer 487b QB11, 2019

The Commission has conducted a questionnaire about Europeans' social media habits. They asked 27 000 Europeans if they had ever tried to change their privacy settings regarding their own personal profile on an online social network.

The answer the Commission got was that the majority (56 %) of the people had actually tried to change their privacy settings. 1 % answered “don’t know”. Thus, a large group (43 %) of the people asked answered “no” to the question. The main reason given was that they trusted the sites to set appropriate privacy settings, closely followed by the answer that they did not know how to change the settings.

How to take control of your virtual identity

With GDPR came new rules on data protection, and with them came enhanced rights for data subjects. If a company is processing your data based on consent, you as a data subject always have the right to withdraw that consent. But how do you know if they are processing based on consent? It is actually quite easy:

  • Firstly, they have to inform you that they want to process your data based on your consent.
  • Secondly, this consent has to be expressed through an affirmative action from your side.
  • The consent should also be freely given! They can never force you to give it.

For you as a data subject it is furthermore always a good idea to read through the terms and conditions of the online platforms you use, especially in regard to disclosure of your data to third parties.

Not happy with how your data is being used?

If a company is not complying with the rules on data protection, you can always lodge a complaint with your own national Data Protection Authority. If you have been harmed by your data being processed wrongly, you may also be entitled to damages from the controller(s) or processor(s) involved in the processing.

Beyond what is stated above, GDPR gives the data subject certain rights that are good to keep in mind:

  • Right to information, when your data is being processed.
  • Right to rectification, when data being processed is inaccurate or missing important information.
  • Right to erasure, e.g. if the data is no longer needed for the purposes for which it was collected.
  • Right to limitation of processing, e.g. when you as a data subject think the data is inaccurate and have requested rectification.
  • Data portability, if the legal basis is consent or the performance of a contract and you as a data subject e.g. want the personal data to be transferred from one social media account to another.
  • Right to object: in certain cases you as a data subject can object to your data being used, e.g. when the data is being processed in order to carry out a task in the public interest or for direct marketing.

Thus, as a starting point: keep your rights in mind, make sure to optimize your privacy settings and take control over your own virtual identity!

What companies should think about in this regard

You as a data controller always have to inform the data subject when you are processing his/her data. In short, you have to state that you are processing the data, what specific data is being processed and why you process it. You also have to inform the data subject if you are providing the data to a third party.

When you are processing personal data, you need to base it on a legal ground. As stated above, the legal ground “consent” can always be withdrawn by the data subject and is therefore a legal ground you should use only if no other legal ground is applicable in your specific case. If you want to know what other legal grounds there are, we have a blog post coming up soon describing the six different legal grounds and when they should be used.

Further questions?

If you have any further questions regarding GDPR or your responsibilities as a data controller/processor you are more than welcome to contact us at GDPR Hero via email or phone 046 – 273 17 17. You can also book a free demonstration of our GDPR compliance tool here.


Karolina Jivebäck


The content presented in this blog contains general information and is not to be considered as legal advice. Please reach out to us if you have any questions.
