GDPR Rights for EU/EEA Users

What it is

If you live in the EU or EEA, you have legal rights to see, correct, delete, or move your personal data, and to object to certain types of processing.

Why it matters (compliance & governance perspective)

These rights are legally enforceable under GDPR and give EU users meaningful control over their personal data held by Medium, including the ability to request full deletion of their account data.

Consumer impact (what this means for users)

EU and EEA users can formally request access to, correction of, or deletion of their personal data held by Medium, and can object to data processing used for advertising or profiling purposes.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision reflects GDPR Articles 15 through 22, covering rights of access, rectification, erasure, restriction, portability, and objection. Medium's acknowledgment of these rights confirms it operates as a data controller under GDPR. Enforcement is handled by national data protection authorities (DPAs) in each EU member state, coordinated under the one-stop-shop mechanism where applicable. GOVERNANCE EXPOSURE: Medium. The policy asserts GDPR rights without specifying the response timeframe, the format in which data will be provided, or the process for appealing a denied request. GDPR requires responses to data subject requests within one month, with a possible two-month extension for complex requests. Failure to meet these timelines or to provide adequate responses creates enforcement exposure. JURISDICTION FLAGS: Applies specifically to EU/EEA users and UK users under UK GDPR. Non-EU users do not benefit from these statutory rights under this policy, though California residents have analogous rights under CCPA. The geographic scope of GDPR rights may extend beyond EU residents to any user physically located in the EU when accessing the service. CONTRACT AND VENDOR IMPLICATIONS: Organizations whose employees use Medium while located in the EU should consider whether employee data processed by Medium triggers their own GDPR controller obligations. Vendor contracts with Medium should include provisions addressing data subject request handling timelines and processes. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that Medium's data subject request process is functional, documented, and able to meet GDPR's one-month response requirement. Internal procedures should be established for escalating data subject requests received indirectly through enterprise customers. The right to object to processing for direct marketing purposes should be clearly accessible in account settings.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Third-Party Data Sharing with Analytics and Advertising Partners medium
• International Data Transfer to the United States medium
• CCPA Rights for California Residents medium
• Payment Data Collection and Processing low
• Data Retention Without Fixed Periods medium
• Data Collection from Third-Party Linked Accounts low

Related Analysis

• OpenAI Changed Its Privacy Policy 4 Times in One Week. Here Is What Actually Changed.

  Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.