10 tips on how to exercise the rights guaranteed by the GDPR – based on experience from the first 6 

Based on the experience from the first 6 months of the application of the GDPR, the Personal Data Protection Office has prepared 10 tips on how to exercise the rights guaranteed by the Regulation.

You have the right to know what will happen with your data

You should know who, on what ground and why is processing your personal data. The company or institution that has obtained your data should inform you about it. It is also obliged to indicate your GDPR rights. You have the right, among others to: access your data, rectification, erasure, limitation of processing, portability, objection or the right to be informed about automated decision making, including profiling. In performing the information obligation, the controller must indicate how long it will store your data and provide the contact details of the Data Protection Officer (DPO), if the DPO has been designated.

You have the right to withdraw your consent at any time

If the informed and free consent expressed by you is the ground for the processing of your data, you have the right to withdraw it at any time and this cannot entail any negative consequences for you (e.g. increasing the service fee above its standard amount). Remember that withdrawal of consent should be as easy as giving it.

You should be informed in a way that is understandable to you

All information provided to you as regards the processing of your data should be formulated in a clear and plain language that is understandable to you. This also applies to information related to the use of Internet services or mobile applications. If you do not understand it or do not understand it enough, ask the controller for additional explanations.

You have the right to be forgotten, but not always

Although the GDPR has granted you the right to be forgotten (erasure of data), please note that it is not absolute. You can request the exercise of this right, e.g. in case where the data have become unnecessary for the intended purposes, the data have been processed unlawfully or you have withdrawn your consent and there is no other legal ground for their use.

Remember that in not every situation you have the right to be forgotten. This happens when a given entity (e.g. a school, a commune or a clinic) must use your data to fulfil the legal obligation which is imposed on the entity.

You have the right to information about data breach

Data leakage, data loss or data disclosure to unauthorised persons – it happens. And this poses a serious threat to you, so do not be surprised that the controller informs you about it - this is the controller’s obligation. Follow its instructions to minimise the threat. Sometimes, e.g. changing the password in the Internet system or putting a hold on the documents will allow you to protect your data and avoid, e.g. the identity theft and the related consequences, such as e.g. incurring loans on your behalf.


In case of doubts, contact the controller or Data Protection Officer who is designated by the controller. They should help you in this situation.

If you object to the processing of your data - marketing cannot be carried out

If your data is used for marketing purposes, i.e. to present you with offers of goods or services, you can object to this at any time. If you do this, your data may no longer be used for such purposes.

Protect children from unfair practices

If you are a parent or a legal guardian of a person under the age of 16, remember that when she or he uses the so-called information society services (provided electronically), e.g. social networks, applications or games, you decide on giving consent to the processing of his/her personal data. This is important, because children are often less aware of the risks and consequences of processing of their personal data. The GDPR indicates that special protection should be provided to them when their data is used for marketing purposes or for the creation of personal profiles. Pay attention to whether the messages addressed to them by the controller are formulated in a language that they can understand.

First request the controller to exercise your rights

If you think that someone is mishandling your data, contact him or her (or the appointed DPO) first and ask for explanations or fulfilment of your request, e.g. rectification of data, recording of objection, erasure of data

You can claim damages before a court

Remember! If the entity which is in possession of your data uses it contrary to the GDPR rules and you have suffered material or non-material damage as a result, you can claim damages from this entity by initiating the proceedings before a court. You have the right to do so regardless of the fact whether you intend to lodge a complaint with the President of Personal Data Protection Office or not.

You have the right to lodge a complaint with the President of the Personal Data Protection Office

Irrespective of the rights indicated above, you may also lodge a complaint against the controller with the President of the Personal Data Protection Office. Remember, in order for it to be effective, indicate: your name and surname, address of residence. Provide also the full name/name and surname and address of the seat/residence  of the controller against whom the complaint is lodged and describe the violation in detail. Specify what action you expect from the President of the Personal Data Protection Office. And remember to sign your complaint!

Detailed information on how to lodge a complaint is available on the Office's website www.uodo.gov.pl in the "Complaints" section.

2022-03-17 Metadane artykułu