What are your rights under GDPR

When a cookie banner pops up, you probably accept the terms and continue with your scrolling. You’re not the first or the last, but if you stop for a second and think about it: do you know what happens with your personal data after you click on “allow cookies”? 

You (the data subject) always have the right to be informed before your personal data is processed. If you request a business or organisation to send information about the handling of your personal data. Remember:

  1. It’s always free of charge
  2. It should be provided to you in a written, accessible form with a simple and clear language

With this article, I want to remind you that you have rights when it comes to how companies, organisations and authorities handle your personal data. Read through the summary of the terms, and keep them in the back of your mind every time you accept a cookie banner online.

Right to rectification

Have you noticed that a company or authority possesses inaccurate information about you? Well, then you have the right to rectify. This also means you have the right to add personal data about you which can be relevant taking into account. The GDPR fundamental principles states that the responsibility for your data being accurate and up to date lies on the entity which is processing it.

Right to erasure

You have the right to contact a company or authority and request the data related to you be erased. In the following cases, this applies:

  • If the data is no longer needed for the purpose for which it was collected
  • If the processing is based on your consent and you withdraw it
  • If the processing is carried out for direct marketing and you object to the data being processed
  • If you object to personal data processing in the context of exercise of official authority or after a weighing of interests and there are no legitimate reasons that override your interests
  • If the personal data has been processed unlawfully
  • If erasure is required to fulfil a legal obligation
  • If the personal data relates to a child and was collected in conjunction with the child creating a profile on a social network
  • If data is erased at your request, the company or authority must also inform those to whom they have provided data of the erasure. This does not apply if it should prove to be impossible or would involve excessive effort. You also have the right to request to be given information about to whom data has been provided.

Right to limitation of processing

In certain cases, you have the right to demand that the processing of your personal data is limited. This means that your data is “flagged” so it may only be processed for limited purposes in the future. You’re right to limitation applies when you consider your data is inaccurate and have requested a rectification.

Data portability

You have the right to obtain and reuse your personal data for your own purposes across different services. This allows you to move, copy or transfer your data easily from one IT environment to another in a secure way without affecting its usability. Remember, it only applies to the information you’ve already provided to a controller.

Right to object

In certain cases, you have the right to object to your personal data being used. This applies when your data is processed to carry out a task in the public interest. If you object in a case like this, the data controller may continue the process, but only if there are legitimate reasons to why it has to be processed. When it comes to direct marketing, you can make an objection at any time. This will result in your personal data will no longer be processed for such marketing purposes.

Automated decision-making, including profiling

If a decision is only based on some form of automated decision-making, including profiling, you have the right to not be the subject of the decision. This right applies if it can have legal consequences or affect you to a considerable degree. Example of automated decision-making: an aptitude test used for recruitment which uses pre-programmed algorithms and criteria.


If you suspect that someone is processing data related to you in a way that questions the GDRP – file a complaint through the Swedish authority for privacy protection. Here you can file a complaint.


Have you been harmed by your data being processed? Then you can request damages from the data controller or the data processor, or take legal action. If you have been harmed, you have the right to be paid compensation by the data controller or processor. They have the right to refuse to pay compensation if they can demonstrate that they were not responsible for the harm.

I hope you feel more comfortable when spending time in the digital world, now when knowing your rights. For more detailed information, visit: imy.se 

Would you like to get more insights like this one?

Make sure to read our blog articles, or follow us so you don’t miss our latest updates.

Scroll to Top