The European regulations in force do not allow consumers to ask for proof of the proper exercise of their rights. The body therefore has nothing to do other than certify that everything has been carried out according to the rules ... It may seem strange at first glance, but it is indeed easy to generate false computer reports “proving” the deletion of data, or that your email is excluded from the list of newsletters, etc. However, we cannot ask to consult the computer systems of the targeted organization. So for now, the regulations oblige us to trust blindly, when article 19 of the European regulations enjoins the bodies to notify us of the correct application of our rights to rectification, to be forgotten or to limitation only. ...

​

Here are some examples of checks to be carried out after an organization has responded positively to you. When you do not validate one of these verifications, and that, despite your mediation procedures, you do not succeed in having your request succeed, you have the right to seize the competent authority, in France the CNIL, and to file a complaint .  

​

Be aware, however, that there are exceptions to the exercise of all or part of your rights:

• freedom of expression and information

• public interest missions (health, historical studies, statistics or research)

• exercise of public authority

• establishment, exercise or defense of legal claims

​

Also, for each of your steps, we advise you to:

• explicitly ask what will be undertaken by the organization to respond to your request  

• obtain from him, in writing, detailed explanations justifying his possible refusal to apply all or part of your right

• keep all traces of your approach and the answers obtained

Logically, you should no longer exist in the computer systems of the organization. For example: you can no longer access your account because it had to be deleted.

You are entitled to expect complete information concerning:

• the list of your personal data held by the organization

• the shelf life of these

• the origin of these: declaration on your part or recovery via a third party (which one)?

• the list of treatments carried out using your data

• the legitimate basis for these treatments

• the list of subcontractors accessing your data

• the legitimate basis for sharing this data with these subcontractors

• where your data is hosted

• the reasons why your data leaves the European area (when this is the case)

• whether the provision of your personal data is mandatory or not to benefit from the services of the organization

• the consequences if you delete your personal data

Logically, the data that you have frozen or for which you have exercised your right to object should no longer be used. For example: you should no longer receive emails from this organization.

Your data is expected to be up to date. For example, you receive your package at your new postal address, your spouse's name is used correctly, or you now receive your electronic invoices at your new email address.

If by typing your first and last name in a search engine, you obtain results that allow you to be identified directly or by cross-checking information, it is because your rights have not been respected. A tool is offered by the CNIL to monitor the correct application of your law on a website.

Your data should no longer be used to profile you. For example: you should no longer see targeted advertising, or personalized content on a website. As soon as you are no longer profiled, you become Mr. or Mrs. Everyone, without any distinguishing feature placing you in a category automatically.

The organization must provide your data to you in a machine-readable computer format for transmission to another organization. All of your data must appear in this file (s) (see the data obtained thanks to the right of access ).

The CNIL stipulates that an organization must respond within 30 days maximum, unless the application of the law requires more time due to its complexity of implementation.

How could we assess the complexity of our requests a priori and ensure the validity of the organization's response? How can we admit that it is difficult to take into account and apply our rights, particularly within structured organizations, equipped with efficient IT systems and dedicated teams?  

As much we can understand the difficulty for a small craftsman to be on all fronts at the same time and to have to manage our request and to ensure its good application because this can clearly exceed its initial competences, as much in the case of a bank, of a large brand, a healthcare establishment or web service platforms, the complexity of processing a regulatory request completely escapes us ...  

Thirty days is already a very long time, so beyond ... Is the only possible explanation that the organizations concerned are not in compliance with the regulations? Or not at all prepared to take our rights into account (no dedicated team, no clearly defined process, etc.)? Especially since the regulations have been in force since May 2018 and companies have logically had to comply before the fateful date. We are therefore entitled to expect that three years later, companies will be organized and processes perfectly running.

In general, we advise you to obtain precise information from your correspondent regarding the timeframe for implementing your request. Ask for clear explanations to understand why it would take more than thirty days. If this seems unjustified to you, or the legal response time has elapsed, you have the right to lodge a complaint with the CNIL .