Protect your personal data on the internet!

Online purchases, subscriptions to loyalty cards, responding to a sales offer or a survey… Whether in France or another country of the European Union, you are asked daily to share your personal data. However, are you sure that your data is always protected? Do you know who is responsible for the confidentiality of your data? How can you protect it better? Find all the information on the GDPR and the protection of your personal data in Europe in our FAQ.

Questions and Answers

Personal data is any information on an identified or identifiable physical person.

Examples: a name, an address, an email, a photo, a voice recording, DNA, a password, an IP address, a cookie identifier, etc.

As your data is personal, it concerns you and you should have control over it. Since 25 May 2018 and Regulation (EU) 2016/679, called the General Data Protection Regulation (GDPR), your personal data is protected in Europe. Therefore, for any collection, transfer, saving, and use of your data the trader needs your agreement.

Yes. You have the right to know if your data is being collected, transferred, stored, modified, etc.

You should also be informed about:

  • The identity of the person responsible for the collection of your data,
  • The reasons for the collection,
  • The recipients of your data,
  • How long your data is being kept,
  • Your right to file a claim with the proper authorities.

Tip: Traders are obligated to designate a person within their company or organisation who is in charge of the protection of personal data, called the “Data Protection Representative”. If you want to know what will be done with your data, directly contact this representative. Their email address is often available in the general sales conditions or the privacy policy or directly on the site.

Make sure that you pay for your order on a site using a secure connection. The address of the site should start with https:// and a closed lock symbol should appear.

To avoid the theft of your banking information, you can opt to use a single-use bank card if your bank offers that service. A one-time code will be sent to you in order to pay. This code cannot be used a second time.

Beware! If your online seller asks you for a proof of identity or a copy of your credit card (when the name on the delivery address is not the name on the card for example), never send a copy of the front and back! Make sure you have masked a part of the card number to protect your banking information.

Yes, but only if you have expressly consented by checking a box, not just by simply accepting the general sales conditions or via a pre-checked box.

You always have the right to contact the professional to demand the removal of your banking information.

Beware! Be extremely vigilant if you have made purchases with a computer accessible by third parties (cybercafés, etc.). Always remember to sign out and erase your browsing history. If you have children, pay attention so that they do not accidentally make orders without you knowing!

To protect your private life, set limited access to your photos and your profile, and regularly check the privacy preferences of your account.

Avoid responding to geolocation questions if it is not necessary, and do not respond to messages sent from people you do not know.

Also, leave the bare minimum of contact information and avoid giving details of your private life to remain unknown to those with bad intentions.

If you are one of the 2 billion users of WhatsApp, you have received a message asking you to accept the application’s new conditions of use before 15 May 2021. If you do not accept the transfer of a certain amount of personal data to Facebook, which purchased the application in 2014, you will no longer be able to use WhatsApp. Is this legal?

In the European Union, you have to give your free and informed consent for your personal data to be collected, recorded, or communicated to others. This consists, for example, of telling you which information will be handled by the trader, for what purpose and inviting you to check a box to approve your consent on the handling of each data. For example, when you open a site they offer you options concerning the use of cookies.

However, the GDPR states that the collection, recording, and transfer of personal data can be justified by a “legitimate interest”, with user consent not being necessary. For example, information recorded to fight against fraud, to assure the security of people or computer systems and networks, for historic, scientific, or statistical purposes, etc.

WhatsApp invokes a legitimate interest to impose its general conditions of use, citing the need to improve its services and to keep them secure. This would include better tracking of spammers/fraudsters between the different Facebook entities and using the technologies of Facebook and other services of the group to improve the application.

The legitimate interest invoked by WhatsApp raises questions under the GDPR. The authority of personal data protection in Italy, judging the application’s new privacy policy as unclear, has already decided to raise the question before the European Data Protection Board, composed of the national authorities in charge of data protection (like the CNIL in France) and the European Data Protection Supervisor. This has pushed WhatsApp to reconsider and delay the implementation of these general use conditions from 8 February 2021 until 15 May 2021. 

If you reside in France, you can lodge a complaint to the Commission Nationale Informatique et Libertés (CNIL) in the event of a violation of your rights. The CNIL is in charge of informing the lead authority (the national authority of data protection wherever the trader/social network is established). This other authority will decide whether to handle the claim itself or to leave it to the CNIL.

Examples: In Germany, the supervisory authority is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit. In Ireland, it is the Data Protection Commissioner. Consult the contact information of supervisory authorities in Europe.

Not automatically. Just because you have not connected to your account on a social network does not mean that your data have been deleted or that they can no longer be exploited. Find out what happens to an account you no longer use on a social network.

The authorities of personal data protection in the European Union recommend that various social networks delete accounts that stay inactive for a certain period, but these recommendations are not always respected.

Make sure to delete your account. The social network should erase the entirety of your data. If you do not receive a response to your demand to delete the account, contact the CNIL if the social network is established in France or the national authority in charge of data protection in the European country where it is based.

Not without your consent, because digital majority in France is set at 15 years of age. In Europe, the GDPR has left each country to set its own age of “digital majority” which must be between 13 and 16 years. This is to say that any professional, including social networks, must obtain the consent of the legal guardians to collect personal data from minors until they reach digital majority.

Good to know:

In France, a minor can, from the age of 15, consent alone to the processing of their personal data if this is part of an online service and based on consent. Under the age of 15, consent must be given by the minor concerned and the holder of parental authority.

In Germany for example, the age of digital majority is 16, 14 in Spain, and 13 in Belgium.

No. No participation in a competition can be conditional on your acceptance to receive commercial prospecting or to share your information with partners of the game organiser. You should be able to participate freely in a competition. Similarly, the organiser of the game cannot plan to give you additional chances in the competition upon the condition that you accept commercial prospecting.

Collected information can only be used for the purposes of the game and the delivery of a prize in the event of winning, unless you have consented to receive commercial prospecting. This consent must be clearly written (a specific box to check, not by the mere acceptance of the game’s rules).

You must have been given the “information technology and liberties” mentions on the participation form as well as the rules of the game in which there should be a “privacy” section.

Under the GDPR, the organiser of the game must provide one specific checkable box for each act of consent.

Example: A first checkable box if they wish to send you commercial prospecting and a second box to share your information with partners.

In many European countries, if you are paying less than 50€, you no longer have to insert your card into the terminal. With technology that allows distance exchanges, called Near Field Communication (NFC), your card is equipped with a chip allowing no-contact payment. With this technology, your name, the list of transactions made by your card, your credit card number, and its expiration date are always susceptible to capture by any ill-intentioned person nearby with a standalone or smartphone-integrated NFC reader.

You can deactivate no-contact payment on your credit card, but in general the chip remains active and your banking information can still be captured. To avoid such a risk, you should use a card that is not equipped with NFC or ask your bank to deactivate the NFC chip.

Loyalty cards allow traders to create customer loyalty and, thanks to collected personal data (age, address, email, average spending at the store, buying habits, etc.), to analyse customer profiles to adapt their loyalty program, the products they offer, their advertising, etc.

All this information can also be sold at a high price to partner companies for commercial prospecting.

Tip: When you make a loyalty card account with a business, do not hesitate to ask them what your data is used for, if they are shared with third parties, who to contact to modify them or erase them, etc.

Do not give any personal or banking information without having verified the origin of the email. Fake emails asking for personal information, called phishing, are increasingly common on the internet.

Know that no bank or public organisation will ask for important information by email. Consult the site of your bank, insurance company or public service. There you will surely find information concerning cases of phishing or formats of their emails, listing the information that they would never ask of you via email, and informing you of their normal mode of contact. Some also offer a representative to whom you can send a copy of the fake email.

If you are in doubt, contact the alleged company through its site, a representative, or a customer adviser to be sure of the email’s origin.

If a site is mentioned in a suspect email, solicit the opinion of an expert on the Phishing Initiative site.

More information in our article on phishing.


To follow your navigation on a website, login indicators, called “cookies”, are often deposited by the server of the visited website. Cookies automatically install themselves on your hard drive, trace your navigation on the site, and recognise you when you return. Cookies are used in this way to analyse audiences and visits of sites in order to improve their quality.

One of the roles of cookies is also to target your interests and create a specific profile for you as a buyer. It is because of this that you can see advertisements directly related to a product searched earlier on another website.

Sites must collect your prior consent before depositing a cookie concerning you, explaining to you the reason for the cookie and the means that you have to object to the cookie’s deposit. This message normally appears upon your first visit to a website. Your consent is valid for 13 months. Outside of this period, new consent must be asked of you.

You can however deactivate the use of cookies by modifying the settings of your browser. The risk however is that this impedes the use of certain services on many sites. You can block cookies from third party sites (advertisement inserts on a site) if you wish to limit the tracing of your navigation.

Tip: Some software tools (for example “Cookieviz” in France) allow you to identify, in real time, cookies that transmit information concerning you to other sites.

These types of recreational genetic tests offered on the internet directly to consumers are allowed in many European countries like Denmark, Cyprus, Finland, Germany, Italy, Luxembourg, or the Netherlands but are prohibited in Portugal and France, where they can only be carried out with a court order in certain proceedings (paternity research, medical reasons, or research). These tests are still prohibited in France even if you order the test from a company based in a European country where they are allowed.

By asking for the analysis of your DNA, you are transmitting sensitive information protected by the law (because it allows for the identification of a physical person) to a laboratory. You have rights over these data, such as the right to information, the right to access, and the right to have your genetic data forgotten.

Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Innovation Council and Small and Medium-sized Enterprises Executive Agency (EISMEA). Neither the European Union nor the granting authority can be held responsible for them.