\n Do you understand all the details of the GDPR? <\/h2>\n \n To better understand the GDPR, its key details, and how it affects your company, we\u2019ve compiled a guide that covers everything you need to know.<\/p>\n <\/div>\n <\/div>\n
\n \n \n \nLearn more about the GDPR<\/span><\/a>\n <\/div>\n <\/div>\n <\/div>\n <\/div>\n <\/div>\n<\/div>\n\n\n\nWho do data subject rights apply to?<\/h2>\n\n\n\n![\"Who](\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/10\/cb_blog_body_770x600_gdpr_data_subj_a.jpg\")
<\/figure>\n\n\n\nGDPR data subject rights apply to any individual residing in the EU\/EEA whose personal data is being processed by a data controller or processor. However, the regulation's scope is extraterritorial, meaning that it extends beyond the borders of the EU and applies to non-EU-based organizations that process the personal data of individuals within the EU.<\/p>\n\n\n\n
Individuals that are protected by GDPR data subject rights include:<\/p>\n\n\n\n
\n- EU residents<\/strong>: Any individual living in an EU member state whose data is being processed by an organization.<\/li>\n\n\n\n
- Non-EU citizens within the EU<\/strong>: Even if someone is not an EU citizen, if they are residing in the EU and their data is processed, they are protected by the GDPR.<\/li>\n\n\n\n
- Individuals outside the EU whose data is processed by EU-based organizations<\/strong>: If an EU organization processes the personal data of non-EU individuals, GDPR still applies.<\/li>\n\n\n\n
- Non-EU organizations processing EU citizens' data<\/strong>: For example, if a US-based company offers services to EU citizens, it must comply with the GDPR when processing its data.<\/li>\n<\/ul>\n\n\n\n
Ultimately, GDPR data subject rights apply to a wide range of individuals and compliance responsibilities lie with many different types of organizations.<\/p>\n\n\n\n
What does \u201csubject data\u201d refer to?<\/h2>\n\n\n\n
Under the GDPR, \"subject data\" refers to any information that can directly or indirectly identify an individual. This data could be anything that can be used to distinguish a person, either on its own or in combination with other data.<\/p>\n\n\n\n
Types of data that fall under the category of \"subject data\" include:<\/p>\n\n\n\n
\n- Personal Identifiable Information (PII)<\/strong>: Personally identifiable information<\/a> includes data like names, identification numbers, email addresses, phone numbers, and other personal identifiers.<\/li>\n\n\n\n
- Location data<\/strong>: Information that can track a person\u2019s geographical location, such as GPS data, IP addresses, and mobile phone data.<\/li>\n\n\n\n
- Online identifiers<\/strong>: Tracking cookies<\/a>, device IDs, and similar tracking mechanisms used to monitor online behavior.<\/li>\n\n\n\n
- Biometric data<\/strong>: Fingerprints, facial recognition data, or other biological measurements that can identify a person.<\/li>\n\n\n\n
- Health data<\/strong>: Information about an individual's physical or mental health, healthcare, or diagnoses.<\/li>\n\n\n\n
- Financial data<\/strong>: Bank account numbers, credit card information, or any other financial identifiers.<\/li>\n<\/ul>\n\n\n\n
The key factor is that subject data relates to a living individual who can be identified, either directly or indirectly, using these details. Any organization that processes this type of data must adhere to the GDPR.<\/p>\n\n\n\n
What are the data subject rights under the GDPR?<\/h2>\n\n\n\n![\"What](\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2024\/10\/cb_blog_body_770x650_gdpr_data_subj_b.jpg\")
<\/figure>\n\n\n\nThe GDPR grants individuals eight core data subject rights. These rights are designed to provide transparency, control, and security over personal data processing.<\/p>\n\n\n\n
1. The right to be informed<\/h3>\n\n\n\n
Per Art. 13 GDPR<\/a>, individuals have the right to be informed about how their personal data is collected, used, and shared. This means companies must provide clear, concise, and transparent information about their data processing activities.<\/p>\n\n\n\nThis information is typically provided through privacy notices<\/a> or privacy policies<\/a>, which must include details such as:<\/p>\n\n\n\n\n- What personal data is being collected<\/li>\n\n\n\n
- The purposes for which the data is processed<\/li>\n\n\n\n
- The legal basis for processing<\/a><\/li>\n\n\n\n
- Who the data will be shared with<\/li>\n\n\n\n
- How long the data will be retained<\/li>\n\n\n\n
- Individuals\u2019 rights and how to exercise them<\/li>\n<\/ul>\n\n\n\n
Organizations must ensure that this information is easy to understand and accessible at the time of data collection.<\/p>\n\n\n\n
2. The right of access<\/h3>\n\n\n\n
Under Art. 15 GDPR<\/a>, individuals have the right to access their personal data held by an organization. This right, also known as a Subject Access Request (SAR) or Data Subject Access Request (DSAR), enables individuals to request a copy of their data and information on how it is being processed.<\/p>\n\n\n\nWhen a person submits a request, a company must provide:<\/p>\n\n\n\n
\n- Confirmation that their data is being processed<\/li>\n\n\n\n
- A copy of the personal data<\/li>\n\n\n\n
- Additional information, such as the purpose of processing, categories of personal data collected and processed, and details of any data sharing<\/li>\n<\/ul>\n\n\n\n
Companies must respond to access requests within one month, although extensions may apply, but this depends on the scenario at hand and comes with communication requirements to the data subject.<\/p>\n\n\n\n
3. The right to rectification<\/h3>\n\n\n\n
If an individual discovers that their personal data is inaccurate or incomplete, they have the right under Art. 16 GDPR<\/a> to request its correction. A company is then required to rectify the information promptly, ensuring that any inaccurate or incomplete data is corrected or completed.<\/p>\n\n\n\nThis right is crucial for maintaining data accuracy and ensuring that organizations only process up to date information.<\/p>\n\n\n\n
4. The right to erasure (or the right to be forgotten)<\/h3>\n\n\n\n
The right to erasure, also known as the \"right to be forgotten\" under Art. 17 GDPR<\/a>, enables individuals to request the deletion of their personal data in certain circumstances. These circumstances include:<\/p>\n\n\n\n\n- The data is no longer necessary for the purpose for which it was collected<\/li>\n\n\n\n
- The individual withdraws their consent, and there is no other valid legal basis for processing<\/li>\n\n\n\n
- The individual objects to the processing, and there are no overriding legitimate legal bases<\/li>\n\n\n\n
- The data has been unlawfully processed<\/li>\n\n\n\n
- The data must be erased to comply with a legal obligation<\/li>\n<\/ul>\n\n\n\n
It\u2019s important to note that the right to erasure is not absolute. In some cases, companies may have legal grounds or regulatory requirements to retain the data, such as for compliance with legal obligations or the defense of legal claims.<\/p>\n\n\n\n
5. The right to restrict processing<\/h3>\n\n\n\n
The right to restrict processing under Art. 18 GDPR<\/a> enables individuals to limit the way their personal data is processed. This means that an organization may store the data but cannot use it for any further processing unless certain conditions are met.<\/p>\n\n\n\nIndividuals can request a restriction of processing if:<\/p>\n\n\n\n
\n- They contest the accuracy of the data (until the organization verifies its accuracy)<\/li>\n\n\n\n
- The processing is unlawful, but the individual does not want the data to be erased<\/li>\n\n\n\n
- The organization no longer needs the data, but the individual requires it to establish, exercise, or defend a legal claim<\/li>\n\n\n\n
- The individual has objected to processing (pending the organization\u2019s verification of whether legitimate grounds override the individual\u2019s rights)<\/li>\n<\/ul>\n\n\n\n
6. The right to data portability<\/h3>\n\n\n\n
Data portability enables individuals to request the transfer of their personal data from one organization to another under Art. 20 GDPR<\/a>. This right is designed to enhance user control over personal data and facilitate the free movement of information between service providers.<\/p>\n\n\n\nThe right to data portability applies when:<\/p>\n\n\n\n
\n- The data is processed based on consent or a contract<\/li>\n\n\n\n
- The processing is carried out by automated means<\/li>\n<\/ul>\n\n\n\n
Upon receiving a request to port data, organizations must provide the data in a structured, commonly used, and machine-readable format.<\/p>\n\n\n\n
7. The right to object<\/h3>\n\n\n\n
People have the right to object to the processing of their personal data in certain circumstances under Art. 21 GDPR<\/a>. This right applies when processing is based on legitimate interest, direct marketing, or research purposes.<\/p>\n\n\n\nIf an individual objects to direct marketing, the organization must stop processing the data for that purpose immediately. For other objections, the organization may continue processing if it can demonstrate compelling and legitimate grounds that override the individual's rights.<\/p>\n\n\n\n
8. Rights related to automated decision-making and profiling<\/h3>\n\n\n\n
To better understand the GDPR, its key details, and how it affects your company, we\u2019ve compiled a guide that covers everything you need to know.<\/p>\n <\/div>\n <\/div>\n
Who do data subject rights apply to?<\/h2>\n\n\n\n<\/figure>\n\n\n\nGDPR data subject rights apply to any individual residing in the EU\/EEA whose personal data is being processed by a data controller or processor. However, the regulation's scope is extraterritorial, meaning that it extends beyond the borders of the EU and applies to non-EU-based organizations that process the personal data of individuals within the EU.<\/p>\n\n\n\n
Individuals that are protected by GDPR data subject rights include:<\/p>\n\n\n\n
\n- EU residents<\/strong>: Any individual living in an EU member state whose data is being processed by an organization.<\/li>\n\n\n\n
- Non-EU citizens within the EU<\/strong>: Even if someone is not an EU citizen, if they are residing in the EU and their data is processed, they are protected by the GDPR.<\/li>\n\n\n\n
- Individuals outside the EU whose data is processed by EU-based organizations<\/strong>: If an EU organization processes the personal data of non-EU individuals, GDPR still applies.<\/li>\n\n\n\n
- Non-EU organizations processing EU citizens' data<\/strong>: For example, if a US-based company offers services to EU citizens, it must comply with the GDPR when processing its data.<\/li>\n<\/ul>\n\n\n\n
Ultimately, GDPR data subject rights apply to a wide range of individuals and compliance responsibilities lie with many different types of organizations.<\/p>\n\n\n\n
What does \u201csubject data\u201d refer to?<\/h2>\n\n\n\n
Under the GDPR, \"subject data\" refers to any information that can directly or indirectly identify an individual. This data could be anything that can be used to distinguish a person, either on its own or in combination with other data.<\/p>\n\n\n\n
Types of data that fall under the category of \"subject data\" include:<\/p>\n\n\n\n
\n- Personal Identifiable Information (PII)<\/strong>: Personally identifiable information<\/a> includes data like names, identification numbers, email addresses, phone numbers, and other personal identifiers.<\/li>\n\n\n\n
- Location data<\/strong>: Information that can track a person\u2019s geographical location, such as GPS data, IP addresses, and mobile phone data.<\/li>\n\n\n\n
- Online identifiers<\/strong>: Tracking cookies<\/a>, device IDs, and similar tracking mechanisms used to monitor online behavior.<\/li>\n\n\n\n
- Biometric data<\/strong>: Fingerprints, facial recognition data, or other biological measurements that can identify a person.<\/li>\n\n\n\n
- Health data<\/strong>: Information about an individual's physical or mental health, healthcare, or diagnoses.<\/li>\n\n\n\n
- Financial data<\/strong>: Bank account numbers, credit card information, or any other financial identifiers.<\/li>\n<\/ul>\n\n\n\n
The key factor is that subject data relates to a living individual who can be identified, either directly or indirectly, using these details. Any organization that processes this type of data must adhere to the GDPR.<\/p>\n\n\n\n
What are the data subject rights under the GDPR?<\/h2>\n\n\n\n<\/figure>\n\n\n\nThe GDPR grants individuals eight core data subject rights. These rights are designed to provide transparency, control, and security over personal data processing.<\/p>\n\n\n\n
1. The right to be informed<\/h3>\n\n\n\n
Per Art. 13 GDPR<\/a>, individuals have the right to be informed about how their personal data is collected, used, and shared. This means companies must provide clear, concise, and transparent information about their data processing activities.<\/p>\n\n\n\nThis information is typically provided through privacy notices<\/a> or privacy policies<\/a>, which must include details such as:<\/p>\n\n\n\n\n- What personal data is being collected<\/li>\n\n\n\n
- The purposes for which the data is processed<\/li>\n\n\n\n
- The legal basis for processing<\/a><\/li>\n\n\n\n
- Who the data will be shared with<\/li>\n\n\n\n
- How long the data will be retained<\/li>\n\n\n\n
- Individuals\u2019 rights and how to exercise them<\/li>\n<\/ul>\n\n\n\n
Organizations must ensure that this information is easy to understand and accessible at the time of data collection.<\/p>\n\n\n\n
2. The right of access<\/h3>\n\n\n\n
Under Art. 15 GDPR<\/a>, individuals have the right to access their personal data held by an organization. This right, also known as a Subject Access Request (SAR) or Data Subject Access Request (DSAR), enables individuals to request a copy of their data and information on how it is being processed.<\/p>\n\n\n\nWhen a person submits a request, a company must provide:<\/p>\n\n\n\n
\n- Confirmation that their data is being processed<\/li>\n\n\n\n
- A copy of the personal data<\/li>\n\n\n\n
- Additional information, such as the purpose of processing, categories of personal data collected and processed, and details of any data sharing<\/li>\n<\/ul>\n\n\n\n
Companies must respond to access requests within one month, although extensions may apply, but this depends on the scenario at hand and comes with communication requirements to the data subject.<\/p>\n\n\n\n
3. The right to rectification<\/h3>\n\n\n\n
If an individual discovers that their personal data is inaccurate or incomplete, they have the right under Art. 16 GDPR<\/a> to request its correction. A company is then required to rectify the information promptly, ensuring that any inaccurate or incomplete data is corrected or completed.<\/p>\n\n\n\nThis right is crucial for maintaining data accuracy and ensuring that organizations only process up to date information.<\/p>\n\n\n\n
4. The right to erasure (or the right to be forgotten)<\/h3>\n\n\n\n
The right to erasure, also known as the \"right to be forgotten\" under Art. 17 GDPR<\/a>, enables individuals to request the deletion of their personal data in certain circumstances. These circumstances include:<\/p>\n\n\n\n\n- The data is no longer necessary for the purpose for which it was collected<\/li>\n\n\n\n
- The individual withdraws their consent, and there is no other valid legal basis for processing<\/li>\n\n\n\n
- The individual objects to the processing, and there are no overriding legitimate legal bases<\/li>\n\n\n\n
- The data has been unlawfully processed<\/li>\n\n\n\n
- The data must be erased to comply with a legal obligation<\/li>\n<\/ul>\n\n\n\n
It\u2019s important to note that the right to erasure is not absolute. In some cases, companies may have legal grounds or regulatory requirements to retain the data, such as for compliance with legal obligations or the defense of legal claims.<\/p>\n\n\n\n
5. The right to restrict processing<\/h3>\n\n\n\n
The right to restrict processing under Art. 18 GDPR<\/a> enables individuals to limit the way their personal data is processed. This means that an organization may store the data but cannot use it for any further processing unless certain conditions are met.<\/p>\n\n\n\nIndividuals can request a restriction of processing if:<\/p>\n\n\n\n
\n- They contest the accuracy of the data (until the organization verifies its accuracy)<\/li>\n\n\n\n
- The processing is unlawful, but the individual does not want the data to be erased<\/li>\n\n\n\n
- The organization no longer needs the data, but the individual requires it to establish, exercise, or defend a legal claim<\/li>\n\n\n\n
- The individual has objected to processing (pending the organization\u2019s verification of whether legitimate grounds override the individual\u2019s rights)<\/li>\n<\/ul>\n\n\n\n
6. The right to data portability<\/h3>\n\n\n\n
Data portability enables individuals to request the transfer of their personal data from one organization to another under Art. 20 GDPR<\/a>. This right is designed to enhance user control over personal data and facilitate the free movement of information between service providers.<\/p>\n\n\n\nThe right to data portability applies when:<\/p>\n\n\n\n
\n- The data is processed based on consent or a contract<\/li>\n\n\n\n
- The processing is carried out by automated means<\/li>\n<\/ul>\n\n\n\n
Upon receiving a request to port data, organizations must provide the data in a structured, commonly used, and machine-readable format.<\/p>\n\n\n\n
7. The right to object<\/h3>\n\n\n\n
People have the right to object to the processing of their personal data in certain circumstances under Art. 21 GDPR<\/a>. This right applies when processing is based on legitimate interest, direct marketing, or research purposes.<\/p>\n\n\n\nIf an individual objects to direct marketing, the organization must stop processing the data for that purpose immediately. For other objections, the organization may continue processing if it can demonstrate compelling and legitimate grounds that override the individual's rights.<\/p>\n\n\n\n
8. Rights related to automated decision-making and profiling<\/h3>\n\n\n\n
<\/figure>\n\n\n\nGDPR data subject rights apply to any individual residing in the EU\/EEA whose personal data is being processed by a data controller or processor. However, the regulation's scope is extraterritorial, meaning that it extends beyond the borders of the EU and applies to non-EU-based organizations that process the personal data of individuals within the EU.<\/p>\n\n\n\n
Individuals that are protected by GDPR data subject rights include:<\/p>\n\n\n\n
- \n
- EU residents<\/strong>: Any individual living in an EU member state whose data is being processed by an organization.<\/li>\n\n\n\n
- Non-EU citizens within the EU<\/strong>: Even if someone is not an EU citizen, if they are residing in the EU and their data is processed, they are protected by the GDPR.<\/li>\n\n\n\n
- Individuals outside the EU whose data is processed by EU-based organizations<\/strong>: If an EU organization processes the personal data of non-EU individuals, GDPR still applies.<\/li>\n\n\n\n
- Non-EU organizations processing EU citizens' data<\/strong>: For example, if a US-based company offers services to EU citizens, it must comply with the GDPR when processing its data.<\/li>\n<\/ul>\n\n\n\n
Ultimately, GDPR data subject rights apply to a wide range of individuals and compliance responsibilities lie with many different types of organizations.<\/p>\n\n\n\n
What does \u201csubject data\u201d refer to?<\/h2>\n\n\n\n
Under the GDPR, \"subject data\" refers to any information that can directly or indirectly identify an individual. This data could be anything that can be used to distinguish a person, either on its own or in combination with other data.<\/p>\n\n\n\n
Types of data that fall under the category of \"subject data\" include:<\/p>\n\n\n\n
- \n
- Personal Identifiable Information (PII)<\/strong>: Personally identifiable information<\/a> includes data like names, identification numbers, email addresses, phone numbers, and other personal identifiers.<\/li>\n\n\n\n
- Location data<\/strong>: Information that can track a person\u2019s geographical location, such as GPS data, IP addresses, and mobile phone data.<\/li>\n\n\n\n
- Online identifiers<\/strong>: Tracking cookies<\/a>, device IDs, and similar tracking mechanisms used to monitor online behavior.<\/li>\n\n\n\n
- Biometric data<\/strong>: Fingerprints, facial recognition data, or other biological measurements that can identify a person.<\/li>\n\n\n\n
- Health data<\/strong>: Information about an individual's physical or mental health, healthcare, or diagnoses.<\/li>\n\n\n\n
- Financial data<\/strong>: Bank account numbers, credit card information, or any other financial identifiers.<\/li>\n<\/ul>\n\n\n\n
The key factor is that subject data relates to a living individual who can be identified, either directly or indirectly, using these details. Any organization that processes this type of data must adhere to the GDPR.<\/p>\n\n\n\n
What are the data subject rights under the GDPR?<\/h2>\n\n\n\n
<\/figure>\n\n\n\nThe GDPR grants individuals eight core data subject rights. These rights are designed to provide transparency, control, and security over personal data processing.<\/p>\n\n\n\n
1. The right to be informed<\/h3>\n\n\n\n
Per Art. 13 GDPR<\/a>, individuals have the right to be informed about how their personal data is collected, used, and shared. This means companies must provide clear, concise, and transparent information about their data processing activities.<\/p>\n\n\n\n
This information is typically provided through privacy notices<\/a> or privacy policies<\/a>, which must include details such as:<\/p>\n\n\n\n
- \n
- What personal data is being collected<\/li>\n\n\n\n
- The purposes for which the data is processed<\/li>\n\n\n\n
- The legal basis for processing<\/a><\/li>\n\n\n\n
- Who the data will be shared with<\/li>\n\n\n\n
- How long the data will be retained<\/li>\n\n\n\n
- Individuals\u2019 rights and how to exercise them<\/li>\n<\/ul>\n\n\n\n
Organizations must ensure that this information is easy to understand and accessible at the time of data collection.<\/p>\n\n\n\n
2. The right of access<\/h3>\n\n\n\n
Under Art. 15 GDPR<\/a>, individuals have the right to access their personal data held by an organization. This right, also known as a Subject Access Request (SAR) or Data Subject Access Request (DSAR), enables individuals to request a copy of their data and information on how it is being processed.<\/p>\n\n\n\n
When a person submits a request, a company must provide:<\/p>\n\n\n\n
- \n
- Confirmation that their data is being processed<\/li>\n\n\n\n
- A copy of the personal data<\/li>\n\n\n\n
- Additional information, such as the purpose of processing, categories of personal data collected and processed, and details of any data sharing<\/li>\n<\/ul>\n\n\n\n
Companies must respond to access requests within one month, although extensions may apply, but this depends on the scenario at hand and comes with communication requirements to the data subject.<\/p>\n\n\n\n
3. The right to rectification<\/h3>\n\n\n\n
If an individual discovers that their personal data is inaccurate or incomplete, they have the right under Art. 16 GDPR<\/a> to request its correction. A company is then required to rectify the information promptly, ensuring that any inaccurate or incomplete data is corrected or completed.<\/p>\n\n\n\n
This right is crucial for maintaining data accuracy and ensuring that organizations only process up to date information.<\/p>\n\n\n\n
4. The right to erasure (or the right to be forgotten)<\/h3>\n\n\n\n
The right to erasure, also known as the \"right to be forgotten\" under Art. 17 GDPR<\/a>, enables individuals to request the deletion of their personal data in certain circumstances. These circumstances include:<\/p>\n\n\n\n
- \n
- The data is no longer necessary for the purpose for which it was collected<\/li>\n\n\n\n
- The individual withdraws their consent, and there is no other valid legal basis for processing<\/li>\n\n\n\n
- The individual objects to the processing, and there are no overriding legitimate legal bases<\/li>\n\n\n\n
- The data has been unlawfully processed<\/li>\n\n\n\n
- The data must be erased to comply with a legal obligation<\/li>\n<\/ul>\n\n\n\n
It\u2019s important to note that the right to erasure is not absolute. In some cases, companies may have legal grounds or regulatory requirements to retain the data, such as for compliance with legal obligations or the defense of legal claims.<\/p>\n\n\n\n
5. The right to restrict processing<\/h3>\n\n\n\n
The right to restrict processing under Art. 18 GDPR<\/a> enables individuals to limit the way their personal data is processed. This means that an organization may store the data but cannot use it for any further processing unless certain conditions are met.<\/p>\n\n\n\n
Individuals can request a restriction of processing if:<\/p>\n\n\n\n
- \n
- They contest the accuracy of the data (until the organization verifies its accuracy)<\/li>\n\n\n\n
- The processing is unlawful, but the individual does not want the data to be erased<\/li>\n\n\n\n
- The organization no longer needs the data, but the individual requires it to establish, exercise, or defend a legal claim<\/li>\n\n\n\n
- The individual has objected to processing (pending the organization\u2019s verification of whether legitimate grounds override the individual\u2019s rights)<\/li>\n<\/ul>\n\n\n\n
6. The right to data portability<\/h3>\n\n\n\n
Data portability enables individuals to request the transfer of their personal data from one organization to another under Art. 20 GDPR<\/a>. This right is designed to enhance user control over personal data and facilitate the free movement of information between service providers.<\/p>\n\n\n\n
The right to data portability applies when:<\/p>\n\n\n\n
- \n
- The data is processed based on consent or a contract<\/li>\n\n\n\n
- The processing is carried out by automated means<\/li>\n<\/ul>\n\n\n\n
Upon receiving a request to port data, organizations must provide the data in a structured, commonly used, and machine-readable format.<\/p>\n\n\n\n
7. The right to object<\/h3>\n\n\n\n
People have the right to object to the processing of their personal data in certain circumstances under Art. 21 GDPR<\/a>. This right applies when processing is based on legitimate interest, direct marketing, or research purposes.<\/p>\n\n\n\n
If an individual objects to direct marketing, the organization must stop processing the data for that purpose immediately. For other objections, the organization may continue processing if it can demonstrate compelling and legitimate grounds that override the individual's rights.<\/p>\n\n\n\n
8. Rights related to automated decision-making and profiling<\/h3>\n\n\n\n
- Location data<\/strong>: Information that can track a person\u2019s geographical location, such as GPS data, IP addresses, and mobile phone data.<\/li>\n\n\n\n
- Non-EU citizens within the EU<\/strong>: Even if someone is not an EU citizen, if they are residing in the EU and their data is processed, they are protected by the GDPR.<\/li>\n\n\n\n