GDPR User Rights Explained: How Data Subjects Can Exercise Control Over Their Personal Data
May 25, 2019 marked the first anniversary of the General Data Protection Regulation (GDPR) coming into force — an EU law designed to give internet users meaningful control over how their data is collected, processed, and shared. One year in, it became clear that the regulation's ambitions and its practical reality were still some distance apart.
This article explains what the GDPR actually protects users from, what rights it grants, and how those rights can be exercised in practice.
Who Is Actually Processing Your Data?
When a user visits a website, the instinctive assumption is that only the site operator sees their data. In reality, almost every website integrates multiple third-party AdTech platforms that process significant amounts of personal data — often without the user's awareness. Companies like Quantcast operate largely in the background, yet they build profiles on users across vast swaths of the web.
Pretty much every publisher shares visitor data with a range of third-party companies. Users who click "agree" on a consent notice without reading it carefully are frequently handing their data to companies they've never encountered.
The stakes are not trivial. User data and post-GDPR consents have become the primary currency of online marketing. Advertising companies and data brokers collect, analyze, and sell information on internet users — routinely without those users' knowledge.
Back in 2017, Acxiom, an AdTech company specializing in identity resolution, claimed to hold data on 700 million people, with data products containing over 5,000 data elements drawn from hundreds of sources. The GDPR was intended to constrain exactly this kind of unchecked data aggregation.
Has the GDPR Actually Improved User Privacy?
Despite the heightened awareness that followed the GDPR's introduction in May 2018, user browsing habits have not changed dramatically. Several structural factors explain why.
Misleading consent-box design. Providers of consent-management platforms — or the companies deploying them — frequently use deceptive or intentionally unintuitive design in their consent interfaces. Declining tracking is typically made more tedious and time-consuming than simply accepting it. Some implementations use "assumed consent," where any action short of an explicit refusal — including closing the consent box without adjusting settings — is interpreted as agreement to all data processing. As a result, most users instinctively press the largest button to reach the content they came for, inadvertently consenting to most or all processing purposes.
The outcome: AdTech companies continued to report consent rates as high as 90% on websites using consent-management frameworks — a figure that looks considerably less impressive once the design dynamics above are taken into account.
[Figure: Quantcast consent box, an example of a design that encourages giving data-processing consents.]
The privacy paradox. Originally described in 1998, this phenomenon refers to internet users declaring strong concern about privacy while behaving in ways that contradict those stated values. Users may refuse to share their home address with a platform but readily enable location tracking. They may express dislike for behavioural advertising using cookies while voluntarily handing personally identifiable information (PII) to companies like Facebook and Google, where it is then used for demographic targeting.
Data leaks from publishers. Some publishers are known to continue firing third-party tags even when users have not consented to data processing. Consent must be collected, stored, and passed along to AdTech partners — but in practice, user data can still be leaked to various platforms even when consent was explicitly withheld.
What the GDPR Is Actually For
Contrary to a common misconception, the GDPR is not designed to end advertising. Its purpose is to ensure that people can make informed, conscious decisions about whether and how their data is shared with AdTech companies — and about what those companies can do with it once they have it.
Unrestricted data sharing creates conditions in which users can be profiled and targeted in granular ways that exploit their social and economic circumstances — people going through divorce, dealing with illness, or struggling with addiction, for example. The GDPR is intended to put a stop to such practices.
In practical terms, the GDPR restricts:
- Profiling using personal data without the individual's explicit consent
- Using that data in automated decision-making
- Unsafe storage and transfer of personally identifiable information
The Legitimate Interest Loophole
Legitimate interest is arguably the GDPR's most contested clause. It is one of the six lawful grounds for processing personal data, and it does not require explicit user consent.
The intended application of legitimate interest is narrow: it applies in situations where data collection is implied and expected — for instance, where a user provides a home address for an online order, and the retailer must share that address with a courier to fulfil the delivery.
In practice, however, legitimate interest has become a common loophole. Some AdTech companies invoke it to justify behavioural advertising on the basis that targeted advertising is their business model and the means by which they fund free content.
This interpretation is not supported by the regulation. The GDPR specifies that legitimate interest cannot override the rights of the data subject. More directly, the Article 29 Working Party has explicitly stated that behavioural advertising and data brokering do not qualify as legitimate interest.
Legitimate interest does, however, apply in specific, narrower contexts: direct marketing where no third parties access the data, website personalization for improved user experience, web analytics, security measures, fraud detection, and reporting of criminal activity (for example, a platform sharing data with law enforcement as part of a criminal investigation).
What Rights Do Data Subjects Have Under the GDPR?
Under Article 15 of the GDPR — the "Right of access by the data subject" — individuals have the right to obtain confirmation from any data controller as to whether their personal data is being processed. If it is, they are entitled to know:
- The purposes of the processing
- The categories of personal data being processed
- The recipients or categories of recipients to whom the data has been or will be disclosed, including any in third countries or international organizations
- Where possible, the envisaged storage period, or the criteria used to determine it
- The existence of the right to request rectification, erasure, or restriction of processing, or to object to processing
- The right to lodge a complaint with a supervisory authority
- Where data was not collected directly from the individual, any available information about its source
- The existence of automated decision-making, including profiling, as referenced in Article 22(1) and (4), along with meaningful information about the logic involved and the likely consequences for the individual
Every company processing personal data is required to have mechanisms in place to handle these requests efficiently.
The Core Data Rights
Right to Access
Any individual has the right to know what data a company holds about them, the purpose for which it is stored, and how it was obtained. Where scoring or profiling is used, companies must disclose the individual's score and explain how it is calculated.
Right to Rectification
If a company is storing incorrect information about an individual, it must correct that information immediately upon receiving notice from the data subject.
Right to Erasure (Right to Be Forgotten)
Once data is no longer necessary for the purpose for which it was collected, the individual can request its deletion. Where that data has been passed to third parties, those parties must also be notified of the deletion request.
Right to Object
Even after giving consent, individuals can revoke it at any time. Companies are prohibited from making the revocation process more burdensome than the original consent process.
Right to Data Portability
Individuals have the right to receive their personal data from a company in a common, machine-readable format so they can transfer it to another service provider.
How to Exercise GDPR Data Rights
Companies have one month from receipt of a data request to respond. In specific circumstances — where requests are complex or numerous — this period can be extended by a further two months, for a maximum of 90 days.
There are several practical ways to file a request.
Using a dedicated form on the data controller's website. This is the most straightforward route. Not every website provides one, but some companies (McDonald's being a well-known example) have built dedicated GDPR rights centres that allow users to submit any type of data request.
Emailing the data controller directly. When no GDPR form exists, an email to the address listed in the company's privacy policy is the standard approach. The company must respond within one month of receiving the request. The following template covers the requirements of Article 15:
Dear Sir or Madam,
I am writing to obtain the following information that I am entitled to receive pursuant to Article 15 of the General Data Protection Regulation (GDPR):
Please confirm as to whether or not my personal data is being processed, and, where that is the case, please provide access to the personal data, and the following information:
- The purposes of the processing;
- The categories of personal data concerned;
- The recipients or categories of recipient to whom the personal data have been or will be disclosed;
- Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- Where the personal data are not collected from me, any available information as to their source;
- The existence of automated decision-making, including profiling, and at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me.
If you need any more information from me, please let me know as soon as possible. Please note that I have the right to receive this information in a standardized format within 30 days of your receipt of this request.
If you do not normally deal with these requests, please pass along this letter to your Data Protection Officer. I can be contacted by email, phone, and mail. My preferred method of contact is email.
Regards,
[ MY SIGNATURE ]
[ MY NAME ]
[ MY ADDRESS ]
[ MY PHONE NUMBER ]
[ MY EMAIL ADDRESS ]
Using a dedicated request tool. Websites such as https://www.datarequests.org/ and https://mydatarequest.com/ simplify the process by allowing users to send multiple requests from a single interface.
How Major Platforms Handle Data Requests
The largest consumer platforms — Facebook, Google, Twitter, and LinkedIn — have generally implemented automated self-service mechanisms that allow users to download their own data directly, without waiting for a manual response. This approach is practical at scale: companies with tens or hundreds of millions of users cannot realistically handle data requests manually.
Other companies provide dedicated request forms. In these cases, the response is not immediate; the company has the standard 30-day window to reply, with a possible extension to 90 days for complex or high-volume circumstances.
What Facebook Holds on Users
Facebook tracks everything a user does while logged into the platform. This includes interactions, places visited, likes, and messages sent via Facebook Messenger. Beyond in-app activity, Facebook also collects:
- Time spent online
- Current location data (used to personalize restaurant recommendations and ad targeting)
- Check-ins
- Pages, accounts, and hashtags the user has connected with, and their interactions with each
- Contacts, if the user has uploaded their phone book or call history
- Purchase information from transactions made on or through Facebook, plus metadata from uploaded photos
- Tagged appearances in other users' posts and photos, which provides Facebook with biometric information about the user's appearance
Facebook offers users an automated form to amend, transfer, or delete their data, with immediate download links accessible directly from the platform.
The Login with Facebook feature — available across the web, iOS, Android, and some smart TVs — has historically functioned as a conduit for third-party apps to access Facebook profile data without the user directly providing it. Facebook has since introduced stricter data-sharing rules and a review process for apps seeking access beyond basic identity information.
McDonald's
McDonald's primarily collects information that users provide voluntarily, through job applications, newsletter sign-ups, or contact forms. The company has built a dedicated GDPR rights centre through which it processes access, object, portability, rectification, and deletion requests. Submitting a request triggers an immediate confirmation receipt.
Uber, Uber Eats, and Jump
Uber provides a straightforward online wizard for GDPR-related requests, alongside a comprehensive privacy guide explaining how and why user data is collected. Data downloads are prepared the same day and delivered in CSV files. The archive covers data collected across Uber, Uber Eats, and Jump.
Uber's data archive typically includes:
- Name, email, mobile number, rating, and sign-up date
- Referral codes
- Payment method information (creation date, issuing bank, payment type)
- Metadata from support conversations
- Messages exchanged between riders/drivers or customers/delivery partners
- Trip data: request times, start and end locations, distance, price, and currency
- Jump bike trip data: start/end times, locations, distance, and price
- Uber Eats order history: restaurant names, items ordered, prices, order times, and customizations
Twitter
User data can be updated or deleted at any time via Twitter account settings. A copy of all collected data can be requested and downloaded directly from the platform within minutes, delivered as a zip archive of JSON files. Twitter's data archive includes:
- Profile activity (Tweets, DMs, Moments, and attached media)
- Follower and address book data
- Lists created by the user and subscriptions
- Inferred interests and demographic information
- Records of ads seen or engaged with
YouTube and Google Maps
For Google products, data can be accessed and amended directly through account settings. The Google Takeout tool provides a unified, automated mechanism to download data across Google's services — covering the right to data portability.
YouTube data available through Google Takeout includes:
- Uploaded videos and video metadata
- Watch history
- Subscriptions and playlists
- Comments, live chats, community posts, and stories
- Community contributions (e.g., translations and transcriptions contributed to other channels)
Google Maps data is available in JSON, GeoJSON, and CSV formats and includes:
- Map preferences and personal places
- Food, drink, and activity preferences
- Commute routes
- Labelled places and starred locations
- Location History (where enabled)
- Place reviews
Slack
Individual users can update their basic profile information at any time through account settings. However, full GDPR removal and portability requests in Slack typically require action by a workspace administrator. The relevant tools are accessible at the bottom of the Team Settings page (subject to whether compliance exports have been enabled).
Slack provides administrators with:
- Import and export tools for accessing and exporting Customer Data
- A profile deletion tool for responding to individual deletion requests
- A workspace settings centre for reviewing plan and settings
Exported content is delivered in CSV and text formats. What is available may depend on the workspace's plan and data retention configuration. Archives include message history, private channels, and direct messages.
The Broader Trajectory
The EU moved first on data protection, and other jurisdictions are following. Brazil, India, and the United States have all moved toward similar frameworks.
European data protection authorities have begun using their enforcement powers meaningfully. The UK's Information Commissioner's Office imposed a fine of £99,200,396 ($123,705,870) on Marriott for GDPR non-compliance. Beyond high-profile cases, the GDPR Enforcement Tracker — a regularly updated record of all fines issued under the regulation — shows that EU data protection authorities had already acted in over 66 separate cases as of the article's original publication.
The practical takeaway for users is clear: the tools to exercise GDPR rights exist and, at the major platforms, are reasonably accessible. The challenge is awareness. Most people do not know they can request, correct, or delete their data — and the companies that benefit from that inertia have little incentive to advertise otherwise. Understanding these rights, and knowing how to use the request mechanisms described above, is the first step toward meaningful data self-determination.