A suspicious email. A leaked password. A targeted advertisement that knows too much. Across the European Union, personal data misuse is no longer rare. The General Data Protection Regulation (GDPR) gives residents concrete rights — but enforcing them requires clear steps. Here is what to do if you believe your data has been misused.
The notification arrives late at night: “We regret to inform you of a data breach.” Or perhaps you discover your personal information circulating online. In that moment, confusion often replaces clarity. But under EU law, you are not powerless.
Step 1: Confirm the nature of the misuse
Not every unwanted email is a GDPR violation. Start by identifying whether:
- Your data was part of a confirmed breach
- A company processed your data without consent
- Your data was shared without legal basis
- You were denied access to your own information
The European Commission’s official GDPR portal explains what qualifies as personal data and what lawful processing means under EU law: European Commission – Data Protection.
Step 2: Exercise your rights directly with the organisation
Before escalating, contact the organisation involved and invoke your rights under Articles 15–22 GDPR. These include:
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restrict processing
- Right to data portability
The full legal framework is available via Regulation (EU) 2016/679 (GDPR).
Request responses in writing. Companies generally must respond within one month.
Step 3: File a complaint with your national Data Protection Authority
If the response is unsatisfactory, you have the right to lodge a complaint with your national supervisory authority. The European Data Protection Board (EDPB) provides links to all national authorities: EDPB Members – National Data Protection Authorities.
Complaints are free of charge.
How many people are affected yearly?
- In 2023 alone, EU data protection authorities received over 130,000 complaints, according to the European Data Protection Board’s annual report.
- Since GDPR entered into force in 2018, authorities have imposed billions of euros in fines across Member States.
Step 4: Seek judicial remedy if necessary
Under Article 79 GDPR, individuals have the right to an effective judicial remedy. This may involve civil courts in your Member State.
In previous reporting, The European Times has examined how EU digital regulation is reshaping citizens’ rights in the platform economy.
Data protection is not abstract policy. It concerns identity, employment, creditworthiness, and personal safety. The GDPR was designed to give residents enforceable rights across borders. The system works — but only when individuals use it.
