You open your inbox and see a message from a company you’ve never heard of — yet they somehow know your name, email, and even your home address. A few days later, a bank alert appears for an unfamiliar login attempt. At that moment many people wonder the same thing: how did they get my data, and what can I actually do about it?
Across Europe, the law gives individuals powerful rights over their personal information. The General Data Protection Regulation (GDPR) requires companies and organisations to protect personal data, explain how they use it, and respond to complaints. If your data is mishandled, leaked, or used without a valid legal basis, you have the right to demand answers — and potentially compensation.
This guide explains the practical steps to take if you believe your personal data has been misused in Europe.
Data snapshot
• Since GDPR entered into force in 2018, regulators across Europe have issued more than €4 billion in fines for data protection violations.
• Individuals have the legal right to access, correct, delete, or restrict the use of their personal data.
• Complaints can be filed with national data protection authorities, which together form the European Data Protection Board network.
Learn more about your rights at the European Commission’s data protection page.
Step 1: Confirm what actually happened
Not every suspicious email or targeted advert means your data has been illegally processed. Start by identifying the situation clearly. Common scenarios include:
- a company sharing your information with third parties without permission
- a security breach exposing customer data
- marketing messages sent without consent
- identity theft using leaked personal details
Under EU law, a company that experienced a breach affecting your information must notify you when the risk to your rights is significant.
Step 2: Request access to your data
Under GDPR, you have a “right of access”. This means you can ask a company what personal data it holds about you and how it is used.
Send a written request asking for:
- a copy of all personal data stored about you
- the purpose of the processing
- who your data has been shared with
- how long the company plans to keep it
Organisations generally have one month to respond. This request is often called a Subject Access Request.
Step 3: Ask for correction or deletion
If the information is incorrect or used unlawfully, you can invoke the “right to rectification” or the “right to erasure”, sometimes known as the “right to be forgotten”.
This allows individuals to demand that organisations correct inaccurate data or delete it entirely when there is no legal basis for keeping it.
The European Data Protection Board provides guidance explaining when these rights apply and how companies must respond.
Step 4: Document everything
Before escalating the issue, collect evidence. Save emails, screenshots, account notifications, and any communication with the company. Write down dates and details of what occurred.
Strong documentation helps regulators understand the situation and strengthens any potential compensation claim.
If the issue relates to a wider online scam or misuse of personal information, you may also find it helpful to read our earlier guide on how Europe is tackling online scams and digital fraud.
Step 5: File a complaint with a data protection authority
If the company ignores your request or refuses to cooperate, you can complain to your national data protection authority. Every EU country has one.
These regulators investigate violations and can order companies to change their practices or impose fines. The list of authorities is available through the European Data Protection Board.
You can usually submit complaints online and in your own language.
Step 6: Consider compensation if harm occurred
Under GDPR, individuals have the right to seek compensation if misuse of their personal data caused financial loss or emotional distress.
This might include situations where a data breach leads to identity theft, fraud attempts, or significant privacy harm. Claims can be pursued through national courts.
While compensation cases vary widely across countries, European courts increasingly recognise privacy as a fundamental right worth protecting.
The bottom line
When personal data is mishandled, it can feel like control has slipped away. But European law is designed to restore that control to individuals. By requesting access to your data, demanding corrections, and escalating complaints when necessary, you can force organisations to account for how they use your information.
The most important step is the first one: documenting the issue and asserting your rights. In the digital age, awareness is often the strongest form of protection.







