GDPR: the European law that protects your data, your image and your dignity in the age of cyberbullying

Since its entry into force on May 25, 2018, the General Data Protection Regulation (GDPR) has established itself as one of the most powerful legal pillars of the European Union. Often wrongly reduced to a simple matter of cookies or consent forms, the GDPR is in reality a fundamental law protecting individuals. It directly concerns victims of cyberbullying, doxxing, revenge porn, violations of image rights, and attempts to erase their digital past.

In a world where a photo, a video or personal data can ruin a life in a few clicks, the GDPR is not an abstract text: it is a legal weapon.

1. The GDPR: a foundational text for the protection of individuals

The GDPR is Regulation (EU) 2016/679 of the European Parliament and of the Council , adopted on 27 April 2016 and applicable since 25 May 2018 throughout the European Union.

Unlike a directive, a regulation is directly applicable : it is binding without national transposition on all Member States.

Objectives of the GDPR (Article 1)

Article 1 of the GDPR clearly sets out its ambition:

The GDPR therefore pursues two major objectives :

• to protect natural persons,

• strictly regulate the use of their data.

This is not a law for businesses. It is first and foremost a law for individuals .

2. What is personal data? A very broad definition

Article 4, point 1 of the GDPR defines personal data as:

This includes, in particular:

• first and last name,

• pseudonym,

• e-mail address,

• phone number,

• IP address,

• photographs and videos,

• voice,

• location data,

• online credentials,

• professional data,

• judicial or administrative information.

👉 A photo published without consent is personal data. 👉 An intimate video distributed for revenge (revenge porn) is personal data. 👉 A message, a username, a forum archive, or a comment associated with an identifiable person is personal data.

3. The GDPR in the face of cyberbullying and doxxing

Cyberbullying very often relies on the exploitation of personal data:

• publication of private information,

• compilation of public data for malicious purposes

• mass dissemination of identifying elements,

• malicious archiving and republication.

  
  

Fundamental principle: the lawfulness of processing (Article 6)

All data processing must be based on a legal basis (Article 6).

Possible legal bases include:

• explicit consent,

• the execution of a contract,

• a legal obligation

• legitimate interest (strictly regulated).

• 
  

👉 Harassment, doxxing or malicious dissemination have NO valid legal basis.

The argument frequently invoked — "this is public data" — is legally false.

The GDPR protects data even when it is publicly accessible , provided that its reuse infringes on the rights and freedoms of the individual (recital 26 and article 6).

4. Revenge porn: a serious violation of the GDPR

Revenge porn involves distributing intimate images or videos without the consent of the person concerned.

Sensitive data and violation of dignity

Intimate content falls under:

• privacy,

• image rights,

• of the protection of personal data,

• sometimes sensitive data as defined in Article 9.

Article 9 of the GDPR prohibits, in principle, the processing of certain categories of data when they reveal:

• sexual life,

• sexual orientation,

• state of health,

• or any intimate aspect of the person.

👉 The distribution of sexual images without consent is a clear violation of the GDPR , regardless of existing criminal offences.

5. The right to one's image in light of the GDPR

The right to one's image, well known in French law, finds a strengthened European dimension in the GDPR.

The image = personal data

An image that allows a person to be identified is personal data (Article 4).

The processing (publication, distribution, archiving) must comply with:

• the purpose,

• proportionality,

• consent.

Explicit consent (article 7)

Consent must be:

• free,

• specific,

• illuminated,

• unequivocal.

👉 Old, implied or forced consent is not valid .

And most importantly:

6. The right to be forgotten: a central pillar for victims

The right to be forgotten is formalized by Article 17 of the GDPR: the right to erasure .

Article 17 – Right to erasure

The person concerned has the right to obtain the erasure of their data when:

• The data is no longer needed.

• consent is withdrawn.

• the processing is unlawful.

• the data was mishandled,

• the data infringes on his fundamental rights.

👉 Victims of harassment and revenge porn are fully entitled to invoke Article 17.

Deletion at third parties

Article 17, §2 requires the data controller to:

In other words: a website cannot hide behind a search engine, a hosting provider, or an archive.

7. Who must comply with the GDPR? A very broad scope

Territorial scope (Article 3)

The GDPR applies:

• to any entity established in the EU,

• but also to any non-EU entity that targets people located in the EU.

👉 An American, Russian or Asian website may be subject to the GDPR if it processes data of European residents.

Who is affected?

The following must comply with the GDPR:

• companies,

• associations,

• platforms,

• forums,

• social networks,

• media,

• website administrators,

• bloggers,

• archive operators,

• hosting providers (under certain conditions).

• 
  

Ignorance is not an excuse.

8. The fundamental rights of victims (Chapter III of the GDPR)

The GDPR establishes a powerful set of rights.

Right to information (articles 12 to 14)

The victim has the right to know:

• who processes its data,

• Why,

• For how long?

  
  

Right of access (Article 15)

She can obtain:

• a copy of the data,

• the origin of the data,

• the recipients.

Right of rectification (Article 16)

Inaccurate or misleading data must be corrected.

Right to erasure (Article 17)

Key to removing abusive content.

Right to object (Article 21)

The victim can object to any treatment based on an alleged "legitimate interest".

9. Responsibility of platforms and hosting providers

The GDPR imposes an obligation of responsibility (Article 5, §2).

This means:

• obligation to react,

• obligation to document,

• obligation to cooperate.

Inaction can lead to:

• administrative sanctions,

• fines of up to 20 million euros or 4% of global turnover (Article 83).

  
  

10. GDPR and freedom of expression: a false dichotomy

Harassers often invoke freedom of expression.

However, the GDPR explicitly provides for a balance (Article 85), but:

• Freedom of expression does not cover abuse.

• nor revenge,

• nor the intentional infringement of privacy.

👉 Harassment is never an opinion.

11. The GDPR as a defense tool for victims

For a victim, the GDPR allows:

• to demand the swift removal of content,

• to identify those responsible,

• to legally constrain the platforms,

• to restore his digital dignity.

Combined with national law (LCEN, Penal Code, Civil Code), the GDPR is today one of the most effective levers against online abuse .

The GDPR, a law primarily for the protection of human beings

The GDPR is not a bureaucratic constraint. It is a modern legal response to digital violence .

In a world where forgetting no longer exists by default, the GDPR gives back to individuals:

• control,

• speech,

• and the right to rebuild.

For victims of cyberbullying, revenge porn or image damage, the GDPR is not an option: it is a fundamental right .