The new regulation strengthens existing rights, creates new ones and provides individuals with more control over their personal data through:
An expanded right to erasure (“right to be forgotten”)
Where an individual wishes that his or her personal data shall no longer be processed, and where there are no legitimate grounds for further processing, the data must be erased. For instance, this enables an individual to request the erasure of data collected or published via social media during his or her childhood.
Easier access for individuals to their personal data
Individuals will obtain more information about the way in which their personal data is being processed. This information also has to be provided in a clear and comprehensible way.
A right to data portability
It will become easier for individuals to transfer personal data between service providers, for instance from one social media platform to another.
More information for data subjects on what happens with their data once it’s shared
Individuals will need to be informed about applicable data protection policies in clear and simple terms. This information can be given through standardized icons.
The necessity to receive explicit consent
Rules on authorizing data controllers to process personal data have been clarified, in particular with regard to the obligation to receive explicit consent from all concerned data subjects.
The right for individuals to be informed when their data has been illegally accessed
Companies and public organisations will be obliged to swiftly report known data breaches or leakages to the relevant national data protection authority as well as to affected data subjects. This will enable data subjects to take appropriate security precautions.
Better protection of young people
If a person below the age of 16 wishes to use an online service, the service provider will need to assure that parental consent was given. Member states can lower the age required for parental consent, but not below 13 years old.