General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) came into force across the EU on 25 May 2018 - replacing the Data Protection Act 1998.

Please refer to our GDPR guide for the main changes that give you more control over your data, and how they are likely to affect you.

Collecting your personal data

When you buy goods and services, or sometimes even just visit a website, the organisations you deal with may collect information and data about you. 

This might include your name, address, and date of birth. This type of data, which is capable of identifying a living individual, is called 'personal data'.

Organisations may even include things like the school you went to, the job you do, details about your partner or family or the sorts of things you view or buy online.

Like it or not, many organisations, including councils, hospitals, travel companies, banks and supermarkets hold data about you.

What personal data can you access?

You have a right to know what personal data companies hold about you. Asking for this personal data is known as making a 'subject access request'. 

Under the Data Protection Act 1998 ('Data Protection Act'), companies must let you know what information is held about you, whether it is on computers or on paper. Companies are allowed to withhold certain information from you, for example:

  • If the information could identify someone else who does not want to be identified, and it would not be reasonable to disclose that information to you.
  • If you are being investigated for a crime, or in connection with taxes, and the investigation would be prejudiced if you had access to the information.

If you wish to make a subject access request, you must do so in writing, but there is no particular format - you can simply write to or email the organisation and ask it to provide all of the information about you it is required to disclose under the Data Protection Act. Organisations are allowed to charge you a fee of up to £10 for responding to your subject access request, and they must reply within 40 days.

Changing inaccurate information

If you discover that an organisation holds inaccurate information about you, for example, it says that you are married when you are now divorced, you can ask it to correct, block or remove the information.

You will need to write to the organisation and tell them of the inaccuracy, including proof where possible. 

If you do not get a reply or the information is still wrong, you may wish to contact the Information Commissioner's Office and ask them to consider whether the organisation has breached the Data Protection Act. The Information Commissioner's Office (also known as the ICO) is the UK's independent authority set up to uphold information rights in the public interest. It has a useful tool on its website which guides you through your complaint options.

Stopping your information being used

The Data Protection Act gives you the right to ask an organisation not to hold or use information about you that causes you substantial unwarranted damage or distress. 

If you do this, the organisation has 21 days to respond to your request, and can refuse only if the information that it holds about you is:

• necessary to agree or carry out a contract which you have entered into
• necessary to carry out any legal obligation that applies to the organisation
• necessary to protect your vital interests

If you think that an organisation has breached the Data Protection Act then under Section 42 of the Data Protection Act you can make a complaint to the ICO.

Stopping unwanted direct marketing

You have a right to ask companies to stop unwanted direct marketing – whether it is by phone, post or email.

Most companies keeping personal information about you will give you the chance to opt out of direct marketing. 

If you ask it not to use or pass on your information for direct marketing purposes it must not do so.

There are generally two things you can do if you are a private individual receiving unsolicited marketing information through the post (junk mail):

  • You can register your details with the Mail Preference Service (MPS). Although it is not a legal obligation for Data Controllers to check the MPS before sending junk mail, most reputable organisations will do so.
  • You can exercise your right to ‘prevent processing of your personal data for Direct marketing Purposes’ (section 11 of the Data Protection Act). You can use our template letter to issue a Section 11 Notice.

If you continue to receive junk mail from a company after asking to be removed from its mailing list, you should contact the ICO.

The ICO is the UK's independent authority set up to uphold information rights in the public interest. It has a useful tool on its website which guides you through your complaint options. 

Companies' responsibilities

Under the Data Protection Act, anyone who processes personal information must make sure that the information is (amongst other things):

  • adequate, relevant and not excessive
  • processed fairly and lawfully
  • obtained only for one or more specified and lawful purposes, and not further processed in any manner incompatible with that purpose or those purposes
  • accurate and up to date
  • processed in accordance with the rights of data subjects under the Data Protection Act
  • kept for no longer than is necessary
  • secure (ie measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data)
  • not transferred to other countries unless that country has adequate protection for personal data.
