What rights do I actually have over my personal data in 2026?

Quick answer

In the EU, UK, and a growing number of countries, you have legal rights to see what a company holds about you, get it corrected if wrong, get it deleted in many cases, get a portable copy, and object to certain uses. These rights are free to exercise, the company has roughly one month to respond, and you can complain to a regulator if they ignore you.

What it's NOT

Personal-data rights are NOT only an EU thing — the UK kept its version after Brexit, and California, Colorado, Virginia, Brazil, South Korea, Japan, and many others now have similar laws. They are NOT only about cookie banners (that is the most visible 1%). And they are NOT theoretical: regulators in France (CNIL), Ireland (DPC) and Germany have issued fines in the hundreds of millions for ignoring them.

More context

The General Data Protection Regulation (GDPR) entered into force in May 2018 across the EU and EEA, with the UK keeping a near-identical version (UK GDPR) after Brexit. It gives every individual — not just EU citizens, but any natural person whose data is processed by an organisation operating in or targeting the EU — a structured set of enforceable rights over their personal data. In 2026, similar frameworks exist in California (CCPA/CPRA), Brazil (LGPD), Japan (APPI), South Korea (PIPA), and a growing list of US states. The rights below are GDPR-specific, but most translate to the others.

The rights, in plain English:

  • Right to information (Articles 13-14). When a company collects data from you (or about you from somewhere else), they must tell you what they are collecting, why, for how long, who they share it with, and what your rights are. This is the source of “privacy policy” pages, however unread they may be.
  • Right of access (Article 15). You can ask any company holding data about you for a complete copy, free of charge, within one month. The answer is often eye-opening — every email you sent, every page you viewed, every interaction with their support team.
  • Right to rectification (Article 16). If data they hold is wrong (your address, your name, your birthdate), you can require correction. Common in credit-reporting and insurance contexts.
  • Right to erasure (Article 17), commonly called the “right to be forgotten”. You can require deletion in many circumstances — withdrawn consent, data no longer needed, unlawful processing — subject to balance with legal obligations, public-interest archives, and freedom of expression.
  • Right to restrict processing (Article 18). A pause button — they keep the data but stop processing it while a dispute is resolved.
  • Right to data portability (Article 20). A machine-readable copy of data you provided, optionally transmitted directly to another provider.
  • Right to object (Article 21). Especially against direct marketing — that one is absolute, they must stop. For other processing based on legitimate interest, they can argue overriding grounds.
  • Rights related to automated decisions (Article 22). If a decision affecting you is made purely by algorithm and produces legal or similarly significant effects (credit-scoring, automatic claim rejection, recruitment filtering), you can require human review.
  • Right to be notified of a data breach (Article 34). Companies must tell you, in clear language, within reasonable time, when a breach is likely to cause significant risk to your rights. See data breach.
  • Right to lodge a complaint (Article 77). Free, online, in your language. To the CNIL in France, the ICO in the UK, your national DPA elsewhere in the EU.
  • Right to a judicial remedy (Articles 78-79). You can go to court against the company or against the regulator. Material and moral damages can be claimed.

How to actually use these:

  1. Find the company’s Data Protection Officer or privacy contact. It is in the privacy policy or at dpo@company.com / privacy@company.com. They are required to respond.
  2. Write a clear request. Cite the article (“I am exercising my right of access under Article 15 GDPR” / “right to erasure under Article 17 GDPR”). Identify yourself sufficiently to be recognised. Templates exist on the CNIL and ICO sites.
  3. Wait up to one month. The deadline can extend by two more months for complex requests, but the company must tell you within the first month.
  4. If they ignore or refuse, complain. CNIL in France, ICO in the UK, the national DPA elsewhere. The complaint is free and online.
  5. Document everything. Date of request, copy of correspondence. If you ever need to claim damages, this is your evidence.

In 2026, the realistic state of GDPR is: large companies have professionalised their response (you will get a portal or an automated workflow); medium ones respond reasonably but slowly; small ones occasionally do not respond at all; non-EU operators with no EU representative are the hardest to reach. Enforcement has been significant — fines on Meta, Google, Amazon, LinkedIn, TikTok, Clearview AI, and many others, often in the hundreds of millions of euros. The system is far from perfect but the rights are real and enforceable.

People also ask

What is the 'right to be forgotten'?

Article 17 of the GDPR. You can ask a company to delete the personal data it holds about you when (a) you withdraw your consent and there is no other legal basis, (b) the data is no longer needed for the purpose it was collected, (c) you object and they have no overriding legitimate ground, or (d) the data was processed unlawfully. The company must comply within a month (extendable by two more in complex cases) and must tell other companies they shared it with. Exceptions exist for legal obligations, public-interest archives, journalism, freedom of expression.

What is a 'subject access request'?

Article 15 of the GDPR. You can ask any company that holds data about you to send you a copy of all of it, plus the categories of data, the purposes, who they share it with, how long they keep it, and the source if they did not get it from you. They have to provide it free of charge within a month. Many people use this to see what their bank, their ex-employer, a dating app, or a social network actually has on file — the answer is usually surprising. There is a template at the CNIL website (and ICO for the UK).

How do I make a GDPR complaint?

Two steps. First, write to the company's Data Protection Officer (DPO) — every company processing significant personal data must have one, and the contact is in their privacy policy. State which right you are exercising (access, deletion, correction, objection, portability) and what you want. They have one month. If they refuse, ignore you, or you are not satisfied, you complain to your national regulator: in France, the CNIL ([cnil.fr](https://www.cnil.fr/en/plaintes)); in the UK, the ICO; in Germany, your federal-state authority; the European Data Protection Board lists all of them. The complaint is free, in your language, and can be filed online.

Can I get my data 'ported' from one service to another?

Yes — Article 20, right to portability. You can ask any service for a machine-readable copy of the data you provided to them, and have it sent directly to another service if both technically support it. The classic use case is moving your contacts, messages, or photos from one provider to another. Practical limitations: it only covers data *you* provided (not derived data or inferences), and the receiving service must accept the import. Works well for some categories (calendars, contacts), patchier for others (social-network history).

What if a company outside the EU has my data?

GDPR follows the data, not the company. If a service offers products to EU residents or monitors them, it falls under GDPR even if headquartered in the US, China, India or elsewhere. That is why major US services have EU-specific privacy controls. If a non-EU service refuses to respond to a GDPR request, you can still complain to the CNIL / your national regulator, who can act through the EU's One-Stop-Shop mechanism and impose fines on EU-facing operations or representatives.
