Your GDPR Data Privacy Rights: Complete EU Guide 2026
Understand your GDPR rights under Regulation 2016/679. Right to erasure, data portability, and how to file a complaint with the Belgian DPA.
The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (Regulation (EU) 2016/679), commonly known as the GDPR, has been directly applicable across all EU Member States since 25 May 2018. It represents the most comprehensive data protection framework in the world, giving individuals unprecedented control over their personal data while imposing strict obligations on organizations that process such data.
What Is Personal Data?
Under Article 4(1) GDPR, personal data means any information relating to an identified or identifiable natural person. This includes:
- Name, address, email, phone number
- IP addresses, cookies, device identifiers
- Location data, online behavioral profiles
- Health data, genetic data, biometric data (classified as special categories under Art. 9)
- Financial data, social security numbers
- Photographs and video recordings where a person is identifiable
Your Rights Under the GDPR
The GDPR grants you the following rights, enforceable against any organization processing your data:
1. Right of Access (Article 15)
You have the right to obtain from the data controller confirmation as to whether your personal data is being processed, and if so, access to that data along with information about the purposes of processing, the categories of data, the recipients, and the retention period. The controller must provide a copy of the data free of charge.
2. Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected without undue delay. You also have the right to have incomplete personal data completed.
3. Right to Erasure / Right to Be Forgotten (Article 17)
You may request the deletion of your personal data when:
- The data is no longer necessary for its original purpose
- You withdraw consent and there is no other legal basis
- You object to processing and there are no overriding legitimate grounds
- The data was processed unlawfully
- Erasure is required to comply with a legal obligation
This right is not absolute — it does not apply when processing is necessary for exercising freedom of expression, compliance with legal obligations, public health, archiving in the public interest, or the establishment of legal claims.
4. Right to Restriction of Processing (Article 18)
You can request that the processing of your data be restricted (i.e., data is stored but not used) in specific circumstances, such as when you contest the accuracy of the data or when processing is unlawful but you oppose erasure.
5. Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller. This applies when processing is based on consent or contract and is carried out by automated means.
6. Right to Object (Article 21)
You may object to processing based on legitimate interests (Art. 6(1)(f)) or public interest (Art. 6(1)(e)). The controller must cease processing unless they demonstrate compelling legitimate grounds. For direct marketing, you have an absolute right to object at any time.
7. Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. You can request human intervention, express your point of view, and contest the decision.
How to Exercise Your Rights
To exercise any GDPR right:
- Identify the data controller: Check the privacy policy of the website or service for the data controller's identity and contact details of the Data Protection Officer (DPO)
- Submit a written request: Send your request by email or letter. Include your full name, the specific right you are exercising, and enough information to identify your data. You do NOT need to cite the specific GDPR article.
- Deadline: The controller must respond within one month (Art. 12(3)). This can be extended by two further months for complex requests, but you must be informed of the extension within the first month.
- Free of charge: The first copy and standard requests are free. The controller may charge a reasonable fee for manifestly unfounded or excessive requests.
Filing a Complaint with the Belgian DPA
If a data controller does not comply with your request or you believe your data protection rights have been violated, you can file a complaint with the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit):
- The Belgian DPA was established by the Law of 3 December 2017, replacing the former Privacy Commission
- You can submit a complaint online via www.dataprotectionauthority.be
- The complaint is free and can be submitted in French, Dutch, or German
- The DPA's Litigation Chamber can impose administrative fines of up to EUR 20 million or 4% of annual global turnover (Art. 83 GDPR)
- Under Article 77 GDPR, you may also file a complaint with the supervisory authority in any EU Member State where you reside, work, or where the alleged infringement occurred
Belgian-Specific GDPR Provisions
Belgium has supplemented the GDPR with national legislation:
- Law of 30 July 2018: Belgian implementation law for the GDPR, covering specific derogations (journalistic exemption, employment data, national identification numbers, etc.)
- Criminal provisions: Belgian law provides for criminal sanctions (fines and imprisonment) for certain GDPR violations, in addition to administrative fines by the DPA
- Employee data: CBA No. 81 (CCT n° 81) of 26 April 2002 regulates employee monitoring (email, internet use) and requires proportionality, purpose limitation, and transparency
DroitAI and Your Data Rights
DroitAI can help you draft a GDPR data access request, a right to erasure request, or a complaint to the Belgian DPA. Our AI assistant generates legally precise correspondence based on the applicable GDPR articles and Belgian implementing legislation. Simply describe what data you want to access, delete, or transfer, and DroitAI will produce the appropriate document.
Equipe DroitAI
L'equipe editoriale DroitAI est composee de juristes et d'experts en intelligence artificielle. Nos articles sont verifies et sources sur Legifrance et les textes officiels.
Related articles
Need personalized legal advice?
Ask our AI lawyer your question and get a sourced answer in seconds.