📖 Privacy explained
GDPR, personal data, data breaches, cookies, the regulators — every concept in plain language.
What is the GDPR?The GDPR is the EU privacy law in force since 25 May 2018. One law, directly applicable in every EU/EEA country, governing what anyone may do with your personal data.What is personal data?Personal data is any information that can identify a living person — directly (name, ID number, face) or indirectly (combinations that single you out).What is a data breach?A data breach is any unauthorised access, loss or disclosure of personal data. Organisations must report serious breaches to the regulator within 72 hours — and warn you directly when the risk to you is high.Cookies & consentStrictly necessary cookies need no consent. Analytics and tracking cookies do — freely given, no pre-ticked boxes, and “Reject” must be as easy as “Accept”.Who enforces it?Every country has an independent data protection authority (DPA) with real teeth: investigations, orders, and fines up to 4% of global turnover. Complaints from ordinary people start most cases.Your car’s dataModern cars log location, driving style, calls and more, and manufacturers monetise it. Since September 2025 the EU Data Act gives you a hard right to that data — and a say in who else gets it.Dark patternsInterfaces built to trick you — hidden cancel buttons, guilt-trip prompts, fake urgency — are increasingly banned outright under EU law. Naming the pattern is half the complaint.Your data in the USEU-US data flows run on the Data Privacy Framework — the third attempt after courts killed two predecessors. It works for you day-to-day, gives you a redress route, and lives under permanent legal siege.All rights, one pageEight rights plus the complaint and the damages claim — what each does, when to use it, one line each. Bookmark this; branch out when you need depth.The 6 lawful basesNo basis, no processing — full stop. Knowing the six lets you ask the one question companies hate: “on which Article 6 basis, exactly?”Controller vs processorThe controller decides why and how; the processor just executes. Your rights run against the controller — and “we’re only the processor” is a dodge with a built-in counter.Special category dataHealth, beliefs, orientation, biometrics — processing is prohibited by default, exceptions are narrow, and “we infer it” counts the same as “you told us”.The AI ActThe world’s first broad AI law bans the creepiest uses outright, chains high-risk systems to human oversight, and phases in through 2027 — here is the citizen’s-eye view.What is profiling?Profiling is automated evaluation — predicting your behaviour, creditworthiness, health or reliability from data. It carries its own transparency duties and its own objection right.Pseudonymous ≠ anonymous“We only store anonymised data” is the most common false claim in privacy policies. If anyone, anywhere, can re-link it to you, the GDPR still applies in full.Privacy by designArt. 25 makes privacy-hostile defaults illegal: the most protective setting must be the starting point, not the buried option. A blunt weapon hiding in plain sight.What is a DPIA?A Data Protection Impact Assessment is the mandatory risk study before high-risk processing — workplace monitoring, large-scale tracking, biometrics. “Show me the DPIA” is a question that stops meetings.Purpose limitationData collected for delivery may not quietly become marketing fuel; the emergency-contact list may not become a sales file. The purpose named at collection is a fence, not a suggestion.How long may they keep it?Every piece of data needs an expiry logic. “Indefinitely, just in case” is not one — and asking for the retention period per data category is a request they must answer.FingerprintingYour screen size, fonts, GPU and settings combine into a near-unique signature — trackable with zero cookies and no banner. It is regulated anyway; the industry pretends otherwise.Adequacy & SCCsTwo mechanisms carry nearly all legal data exports: countries the Commission has certified as “adequate”, and standard contractual clauses for everywhere else. Knowing which one a company relies on tells you how solid your protection is.The DSAThe Digital Services Act forces platforms to act on illegal content, explain moderation, open their ads, and drop manipulative design — with real fines landing since 2025.The DMAThe Digital Markets Act handcuffs the gatekeepers — choice screens, sideloading, interoperable messaging, no self-preferencing, no cross-service data merging without consent. The consumer changes you’ve noticed all trace back here.ePrivacy explainedThree things live here, not in the GDPR: cookie consent, the marketing opt-in for email/SMS, and the confidentiality of your communications. The “cookie law” is older than the smartphone — and still undefeated.The EDPBThe European Data Protection Board is all the DPAs in one room — writing the guidelines companies must follow, refereeing cross-border cases, and occasionally forcing a national regulator to toughen up.Children’s consent agesFor online services, children below the “digital age of consent” need a parent’s yes — and that age is 13 in some countries, 16 in others. Around it: a thickening wall of child-specific rules.National ID numbersThe number that indexes your life — tax, health, banking — is exactly what identity fraud wants. The GDPR lets countries fence it off, and most did: “everyone asks for it” does not mean everyone may.What is a DPO?A Data Protection Officer is the mandatory in-house privacy referee at authorities and data-heavy companies — independent by law, and the fastest route for your requests.Legitimate interestThe legal basis companies reach for when they don’t want to ask you. It is real — but it demands a balancing test they must be able to show you, and your objection forces them to prove it.How ad tracking worksBetween the cookie banner and the eerily specific ad sits a whole industry: pixels, IDs, auctions and data brokers. Knowing the four layers tells you exactly where to cut.