The privacy pillar · one law, 33 countries

PrivacyCheck.

The GDPR gives you real power — most people never use it. Plain-language answers on cameras, recordings, leaks, spam and AI, every claim sourced, plus the authority to call in all 33 countries we cover.

Updated 18 July 2026·99 topics live·33 authorities listed·sources on every page

📖Privacy explainedGDPR, personal data, data breaches, cookies, the regulators — every concept in plain language.⚖️Your rightsAccess, erasure, objection, portability — the GDPR rights and exactly how to use them.🤔Is this allowed?Doorbell cams, dashcams, recording calls, your boss reading email — quick verdicts with the reasoning.🚨What now?Data leaked, photo posted, spam flood, company ignoring you — step-by-step out of the mess.📞Who to contactYour national data protection authority — for every one of our 33 countries, with how to complain.🏢For small businessesFreelancer, webshop, club or corner shop — the GDPR basics you actually need, without the consultancy fog.

🤔 Is this allowed?

All →
Yes — if it watches your property, not the streetCamera doorbell at homeFilming your own doorstep is fine. The moment your camera structurally captures the public street or a neighbour’s garden, the GDPR applies to you — with real obligations.No — not at your private spaceNeighbour’s camera on my homeA camera aimed at your garden, windows or door is not covered by any household exemption. You can demand re-aiming, masking, access to footage — and escalate if refused.Often yes for yourself — country rules differ sharplyRecording a callIn many EU countries you may record a conversation you take part in for your own records. Publishing it is a different question everywhere — and some countries restrict even the recording.Usually yes — but rules differ per countryDashcamsDashcams are legal to own everywhere and legal to use in most EU countries — but a few restrict or effectively ban them, and continuous “surveillance-style” recording is the thing regulators punish.Ask first — especially for childrenPosting photos of othersA recognisable photo is personal data. Small private sharing is usually fine; public posting of identifiable people — above all children — needs consent far more often than people think.Only under strict conditionsEmployer monitoringNot just like that. Even at work you keep a reasonable expectation of privacy — monitoring needs a real reason, transparency, and the least intrusive means.Almost never lawfullyFace scanning in shopsBiometric identification of customers is special-category data — near-impossible to base on anything but explicit consent. The AI Act now bans several uses outright.Rarely a full copy — data minimisation rulesCopies of your IDShowing your ID is often required; keeping a full copy rarely is. Data minimisation lets you cross out what they don’t need — and a floating passport copy is identity-fraud gold.Contested — and you can objectAI training on your dataPlatforms lean on “legitimate interest” to feed public posts into AI training. That is legally contested — and Art. 21 gives you an objection right most platforms now honour via a form.Fly yes — film neighbours noCamera dronesEU drone rules let registered hobbyists fly in most places — but the camera turns every flight into data processing, and hovering over gardens collects data you have no right to.Child: within reason · Adult: only with consentTracking family membersLocation-tracking a young child can be justified parental care. Tracking a partner or any adult without their knowledge is unlawful across Europe — and in stalking territory fast.Entrances yes — desks and break rooms barely everCameras at workSecurity cameras on premises can be lawful with notice and a real purpose. Permanent surveillance of workstations, and any camera in changing rooms or toilets, is off-limits everywhere.It records more than you think — you control more than you thinkSmart speakersVoice assistants keep recordings and transcripts tied to your account — including misfires that captured private moments. You can hear, delete and disable most of it; your guests never agreed to any of it.Only with consent — and you can say noSchools & your child’s dataClass photos on the school website or socials need parental consent, per child, refusable and revocable — and saying no may not disadvantage your child. Internal pupil records run on different, stricter rails.At contract stage some — at viewing stage almost nothingLandlords & your documentsScreening dozens of applicants is where rental-market data abuse lives. Before you are the chosen tenant, a landlord needs your contact details and little else.Yes with your sign-up — with real limits and exitsLoyalty-card profilingThe deal is explicit: discounts for data. What many schemes underplay: your rights to see the profile, refuse the marketing, and quit with full deletion — and the hard line at sensitive purchases.Yes with a real decision — never at doors and mailboxesCameras in apartment buildingsCommon-area CCTV is lawful when the owners’ association properly decides it, targets a real problem, and avoids watching who visits whom. One resident’s hobby camera in the stairwell is not that.Hard walls: mostly no · Pay-or-okay: contestedCookie wallsA flat “accept tracking or leave” wall makes consent unfree and is rejected by most regulators. The paid-subscription alternative is the industry’s workaround — under heavy fire for the biggest platforms.Only where a law or YOUR consent opens the doorWho sees my bank dataBank secrecy still exists — with legal doors through it: anti-money-laundering law, tax reporting, and the open-banking access YOU grant apps. Marketing use of your spending is the part you control.Care team yes — everyone else needs your say-so or a lawYour medical recordsHealth data is the most protected category there is. Sharing inside your treatment is normal; sharing with employers, insurers or family needs your explicit consent or a specific legal gate — and you can see your file.Yes — Art. 15 covers camera footageGetting CCTV of yourselfFootage showing you is your personal data: you can request a copy — for an accident claim, a dispute, or just to know. Speed matters, because retention is short by design.Indoors: banned · Outdoors: disclosed onlyCameras in your rentalAirbnb banned ALL indoor cameras in listings in 2024; hotels never lawfully film inside rooms. Undisclosed devices are report-and-refund territory — and often a crime.Limited — job-relevant, transparent, no friend requestsBeing screened before hiringA quick look at your public LinkedIn: tolerated. Systematic trawling of your private life, fake-profile snooping, or silent rejection based on your holiday photos: violations with names.Private groups: rude · Business/mass groups: unlawfulAdded to groups unaskedYour number is personal data, and a group shares it with every member. Friends adding you is social friction; businesses and clubs mass-adding numbers is a GDPR problem — and you can lock it down.Targeted questions yes — your full file, almost neverInsurers & your health dataHealth questions on application and proportionate checks on claims are lawful. Blanket “send us your complete medical record” authorisations are the overreach to strike out.Weeks after rejection — longer only with your consentYour CV after rejectionOnce the process ends, the purpose ends: rejected applicants’ files must go within weeks, not years. “We keep you on file” requires your actual yes.Both directions: yes, within framesPolice & filmingPolice filming runs on specific legal gates, not the GDPR you know — and citizens filming officers on duty in public is broadly protected, with etiquette that keeps it that way.Licensed, proportionate, documented — or unlawfulPrivate investigatorsPIs exist legally in most of Europe — licensed, and bound by the same GDPR as everyone. Following you needs a legitimate interest that survives a balancing test; bugging, hacking and pretexting never do.Public interest wins — with real limitsJournalists & your nameJournalism gets a carved-out privilege: the GDPR bends to press freedom for genuine reporting. It does not cover everything with a masthead — suspects, victims and bystanders keep enforceable lines.Yes, under statute — with your access rights intactPublic-space CCTVMunicipal cameras need a legal basis, signage and sunset reviews — not your consent. What you keep: the right to see footage of yourself and a hard EU brake on turning cameras into face-scanners.Floor: conditional · Changing rooms & showers: neverGym camerasTraining floors can carry justified cameras. Changing rooms, showers, saunas and toilets are absolute no-camera zones in every country — no exception, no “anti-theft” excuse.Not as the only optionBiometric entry locksFingerprints and face-unlock at doors are Art. 9 biometric data. Convenience never justifies compulsion: wherever they’re offered, a card, code or key alternative must exist for you.Your consent died with the relationship — revoke and removeYour ex & old photosPhotos posted happily during a relationship don’t carry consent forever. You can revoke, demand removal, and escalate — with the fast lane reserved for anything intimate.Not without a basis you almost never gaveSelling your data“We may share data with partners” is where selling hides. Actual sale of identifiable data needs consent that names the buyers’ purposes — vague partner clauses don’t survive contact with a regulator.For security, briefly: yes · For tracking: consent rules applyIP loggingYour IP is personal data — but security logging is the textbook legitimate interest. The line runs at purpose and retention: defending the server yes, profiling the visitor no.Pixel: consent, always · Analytics: consent or hard-privacy configAnalytics & pixelsThe two most-installed trackers in Europe sit on different legal footings — and both fail the way most sites run them: firing before you’ve clicked anything.Fit/unfit yes — diagnoses and jabs, almost neverHealth questions at workYour employer runs the payroll of your sick days, not the file of your diagnoses. The occupational physician exists precisely to keep medical detail away from HR.A lot, by law — with algorithmic limits courts enforceTax authority & your dataTax authorities hold real statutory access: bank reporting, platform earnings, cross-border exchange. What they cannot do — and have been struck down for — is opaque algorithmic suspicion.

🚨 What now?

All →
My data was leakedMove in this order: contain the damage, verify what leaked, then use your rights — including compensation. Most harm from breaches happens in the first days, through scams that use the leaked data.Remove me from GoogleSince Google Spain (2014) you can have outdated or irrelevant results delisted from name-searches in Europe. Google has a form; most valid requests succeed without a lawyer.Intimate images sharedThis is a crime across Europe, platforms are legally obliged to act fast, and StopNCII can block images before they spread. You did nothing wrong — move quickly and don’t do it alone.Stop spam & marketingEmail marketing needs your prior consent in the EU. Objection to direct marketing is absolute. The right sequence turns the flood into a trickle — and repeat offenders into complaints.Request ignoredOne month is the law. After that: a dated final notice, then a free DPA complaint, then court if you want damages. Paper trail beats phone calls at every step.Identity theftAccounts, subscriptions or debts appearing in your name: act in this order — stop new damage, document everything, then unwind each fraudulent contract with the fraud file you built.Account hackedThe order matters: retake the account, evict the intruder from every session, close the door they came through, then repair the blast radius — email first, always, because email resets everything else.DoxxedDoxxing is punishable across Europe and platforms remove it under priority rules. Takedown first, then de-index, then dry up the source registers — and treat any threat as a police matter, immediately.A relative diedPlatforms have dedicated legacy flows, subscriptions can be ended with a death certificate, and “digital estate” access depends on national law — here is the sequence that spares you fights in the worst weeks.Photo posted without consentFor ordinary (non-intimate) photos: ask, report, then escalate with Art. 17 and portrait rights. Most cases end at step two — the sequence below keeps the stubborn ones moving.Debt collector, wrong dataDispute in writing, demand validation, freeze the data — and never pay “to make it stop”. Wrong-person collection is a data-quality failure the GDPR was built for.Online stalkingDocument, don’t engage, cut the access, report the pattern. Stalking is prosecuted as a pattern — your evidence file is what turns “annoying messages” into a case. On any concrete threat: emergency services, now.Clicked a phishing linkWhat you did in the seconds after the click decides everything. Clicked only: usually survivable. Typed credentials or codes: move now — the attacker is racing you.Your photo in an adCommercial use of your face without consent is the clearest image-rights violation there is — takedown plus payment is the normal outcome, not just takedown.

⚖️ Your rights

All →
Right of accessAny organisation processing your data must give you a full copy within one month, free of charge. One email is enough — no form, no reason needed.Right to erasureThe “right to be forgotten”: when the data is no longer needed, you withdraw consent, or you object to marketing, they must delete — and tell everyone they shared it with.Right to rectificationWrong address, wrong default, wrong debt flag — organisations must correct inaccurate data and complete incomplete data, within a month, free.Right to objectObject to direct marketing and they must stop. Full stop — no balancing test, no fee, no “but our legitimate interest”.Data portabilityData you provided under consent or contract must be handed over in a machine-readable format — or sent directly to a competitor.Automated decisionsDecisions with legal or similarly significant effects may not be made by machine alone — you can demand a human review, an explanation, and contest the outcome.Withdrawing consentAnything you consented to, you can un-consent — at any time, free, and it must be as easy as the yes was. If the yes was one click, a five-step cancellation maze is illegal.Claiming damagesFines go to the state; Art. 82 pays you. Material loss and real distress both count, there is no minimum threshold — and after big breaches, collective actions do the heavy lifting.Right to restrictionThe pause button: while accuracy or lawfulness is in dispute, the data may be stored but not used. Underrated, fast, and perfect for credit-register and debt-file fights.

📖 Privacy explained

All →
What is the GDPR?The GDPR is the EU privacy law in force since 25 May 2018. One law, directly applicable in every EU/EEA country, governing what anyone may do with your personal data.What is personal data?Personal data is any information that can identify a living person — directly (name, ID number, face) or indirectly (combinations that single you out).What is a data breach?A data breach is any unauthorised access, loss or disclosure of personal data. Organisations must report serious breaches to the regulator within 72 hours — and warn you directly when the risk to you is high.Cookies & consentStrictly necessary cookies need no consent. Analytics and tracking cookies do — freely given, no pre-ticked boxes, and “Reject” must be as easy as “Accept”.Who enforces it?Every country has an independent data protection authority (DPA) with real teeth: investigations, orders, and fines up to 4% of global turnover. Complaints from ordinary people start most cases.Your car’s dataModern cars log location, driving style, calls and more, and manufacturers monetise it. Since September 2025 the EU Data Act gives you a hard right to that data — and a say in who else gets it.Dark patternsInterfaces built to trick you — hidden cancel buttons, guilt-trip prompts, fake urgency — are increasingly banned outright under EU law. Naming the pattern is half the complaint.Your data in the USEU-US data flows run on the Data Privacy Framework — the third attempt after courts killed two predecessors. It works for you day-to-day, gives you a redress route, and lives under permanent legal siege.All rights, one pageEight rights plus the complaint and the damages claim — what each does, when to use it, one line each. Bookmark this; branch out when you need depth.The 6 lawful basesNo basis, no processing — full stop. Knowing the six lets you ask the one question companies hate: “on which Article 6 basis, exactly?”Controller vs processorThe controller decides why and how; the processor just executes. Your rights run against the controller — and “we’re only the processor” is a dodge with a built-in counter.Special category dataHealth, beliefs, orientation, biometrics — processing is prohibited by default, exceptions are narrow, and “we infer it” counts the same as “you told us”.The AI ActThe world’s first broad AI law bans the creepiest uses outright, chains high-risk systems to human oversight, and phases in through 2027 — here is the citizen’s-eye view.What is profiling?Profiling is automated evaluation — predicting your behaviour, creditworthiness, health or reliability from data. It carries its own transparency duties and its own objection right.Pseudonymous ≠ anonymous“We only store anonymised data” is the most common false claim in privacy policies. If anyone, anywhere, can re-link it to you, the GDPR still applies in full.Privacy by designArt. 25 makes privacy-hostile defaults illegal: the most protective setting must be the starting point, not the buried option. A blunt weapon hiding in plain sight.What is a DPIA?A Data Protection Impact Assessment is the mandatory risk study before high-risk processing — workplace monitoring, large-scale tracking, biometrics. “Show me the DPIA” is a question that stops meetings.Purpose limitationData collected for delivery may not quietly become marketing fuel; the emergency-contact list may not become a sales file. The purpose named at collection is a fence, not a suggestion.How long may they keep it?Every piece of data needs an expiry logic. “Indefinitely, just in case” is not one — and asking for the retention period per data category is a request they must answer.FingerprintingYour screen size, fonts, GPU and settings combine into a near-unique signature — trackable with zero cookies and no banner. It is regulated anyway; the industry pretends otherwise.Adequacy & SCCsTwo mechanisms carry nearly all legal data exports: countries the Commission has certified as “adequate”, and standard contractual clauses for everywhere else. Knowing which one a company relies on tells you how solid your protection is.The DSAThe Digital Services Act forces platforms to act on illegal content, explain moderation, open their ads, and drop manipulative design — with real fines landing since 2025.The DMAThe Digital Markets Act handcuffs the gatekeepers — choice screens, sideloading, interoperable messaging, no self-preferencing, no cross-service data merging without consent. The consumer changes you’ve noticed all trace back here.ePrivacy explainedThree things live here, not in the GDPR: cookie consent, the marketing opt-in for email/SMS, and the confidentiality of your communications. The “cookie law” is older than the smartphone — and still undefeated.The EDPBThe European Data Protection Board is all the DPAs in one room — writing the guidelines companies must follow, refereeing cross-border cases, and occasionally forcing a national regulator to toughen up.Children’s consent agesFor online services, children below the “digital age of consent” need a parent’s yes — and that age is 13 in some countries, 16 in others. Around it: a thickening wall of child-specific rules.National ID numbersThe number that indexes your life — tax, health, banking — is exactly what identity fraud wants. The GDPR lets countries fence it off, and most did: “everyone asks for it” does not mean everyone may.What is a DPO?A Data Protection Officer is the mandatory in-house privacy referee at authorities and data-heavy companies — independent by law, and the fastest route for your requests.Legitimate interestThe legal basis companies reach for when they don’t want to ask you. It is real — but it demands a balancing test they must be able to show you, and your objection forces them to prove it.How ad tracking worksBetween the cookie banner and the eerily specific ad sits a whole industry: pixels, IDs, auctions and data brokers. Knowing the four layers tells you exactly where to cut.

🏢 For small businesses

All →

📞 Who to contact

All 33 →

Every country has a free data protection authority that must take your complaint. Find yours — and see who actually holds your data first.

✍️ Generate a GDPR letter — free🛡️ Run a scam check📰 What’s changing in privacy law