https://gdprhub.eu/index.php?title=Article_1_GDPR&diff=28256 Article 1 GDPR 2022-09-26T17:08:42Z<p>151.135.151.28: /* Interpretation in light of fundamental rights */</p>
<hr />
<div>
<br />
==Legal Text==<br />
<br />
<br /><center>'''Article 1: Subject-matter and objectives'''</center><br />
<br />
<span id="1">1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.</span><br />
<br />
<span id="2">2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.</span><br />
<br />
<span id="3">3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.</span><br />
<br />
==Relevant Recitals==<br />
{{Recital/1 GDPR}}{{Recital/2 GDPR}}{{Recital/3 GDPR}}{{Recital/4 GDPR}}{{Recital/5 GDPR}}{{Recital/6 GDPR}}{{Recital/7 GDPR}}{{Recital/8 GDPR}}{{Recital/9 GDPR}}{{Recital/10 GDPR}}{{Recital/11 GDPR}}{{Recital/12 GDPR}}<br />
<br />
==Commentary==<br />
Article 1 GDPR is mainly programmatic and sets out the general objectives of the GDPR. While this is relevant for the understanding and interpretation of the GDPR, Article 1 has limited legal relevance for controllers and data subjects in daily practice. The aims can function as guiding principles for interpreting the GDPR.<ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 1 (Beck 2019) (accessed 2 September 2021).</ref><br />
<br />
===(1) Subject-Matter===<br />
Article 1(1) establishes the two main aims of the GDPR. First, it aims at protecting natural persons with regard to the processing of their personal data; at the same time, it recognizes the EU internal market interest in the free movement of such data. Both objectives are already named in the title of the GDPR. <br />
<br />
==== Data protection and the free flow of data ====<br />
The European Union is based on the idea of a common market that provides for four freedoms, namely the free movement of goods, capital and people, as well as the freedom to establish and provide services. Different national data protection laws - or indeed the lack of such laws - would conflict with these freedoms. If Member States were, for example, to prohibit personal data from flowing to another Member State where there is no equivalent protection, trade between these Member States would be more complicated.<blockquote><u>Example:</u> If France protected personal data but Germany did not, the French protections could only be enforced if personal data did not leave France. This could limit commercial options for a German company in France.</blockquote>Consequently, the GDPR is tasked with providing a common level of protection, allowing personal data to flow freely within the European common market.<ref>See Recital 10</ref> <br />
<br />
==== Limit to natural persons ====<br />
Article 1(1) also clarifies that the GDPR applies to the processing of personal data concerning natural persons. It follows that the Regulation does not apply to the processing of data belonging to companies, public bodies or other legal entities.<ref>See Recital 14</ref><br />
<br />
However, if data about a legal entity contains or relates to a natural person or a natural person engages in a professional activity, such data is still within the scope of the GDPR, as clarified by the CJEU in [[CJEU - C-398/15 - Salvatore Manni|C-398/15 - Salvatore Manni]].<ref>CJEU in [[CJEU - C-398/15 - Salvatore Manni|C-398/15 - Salvatore Manni]], paragraph 34 with further references.</ref><blockquote><u>Example:</u> If the "Peter Smith Limited" company is wholly owned by Peter Smith, who is also the only manager of the company, information as to the revenue about "Peter Smith Limited" can be directly linked to Peter Smith, making the GDPR applicable to such information. Equally, the email peter.smith@examplecompany.com that is professionally used by Peter Smith can be linked to Peter Smith and therefore relates to a natural person.</blockquote>You can find more details about the scope of the term "personal data" under [[Article 4 GDPR|Article 4(1) GDPR]].<br />
<br />
==== Human rights approach ====<br />
Non-EU citizens can rely on the GDPR as its application is generally independent of nationality.<ref>See Recital 2 GDPR</ref> This is also in line with Article 8 CFR ("''Everyone has the right to the protection of personal data''") as the right to data protection is a human right, that generally applies to all humans, not just EU citizens.<blockquote><u>Example:</u> A Chinese or South African citizen can generally be subject to the GDPR, as the right to data protection is a human right, not a citizen right.</blockquote>While citizenship is not a factor in the GDPR, there are other geographic factors that limit the application of the GDPR. You can find further details about the territorial scope in [[Article 3 GDPR]].<br />
<br />
===(2) Protection of Fundamental Rights and Freedoms ===<br />
According to Article 1(2), the Regulation generally protects the fundamental rights and freedoms of the individual as well as “''in particular''” the right to the protection of personal data. Thus, the provisions of the GDPR on the protection of personal data seem to have two objectives. On the one hand, the protection of personal data - which may not come as a surprise. At the same time, the legislator took the view that the protection of personal data also (indirectly) protects other “''fundamental rights and freedoms''”.<ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 36 (Beck 2019) (accessed 2 September 2021).</ref> <br />
<br />
==== Protection of the fundamental right to data protection ====<br />
Article 8(1) CFR provides for “''the right to the protection of personal data''” of a natural person. Some requirements for the processing of data follow from Article 8(2) CFR, which explicitly mentions the principles of fairness and purpose limitation, as well as lawfulness. <br />
<br />
==== Protection of other fundamental rights and freedoms ====<br />
Another essential fundamental right that is clearly protected by the GDPR is the right to privacy in Article 7 CFR. It concerns the right to respect for “''private and family life''” and “''communications''” and is distinct and often broader than the right to data protection in Article 8 CFR.<br />
However, the fundamental rights and freedoms enshrined in Articles 7 and 8 of the CFR do not appear to be the only interests protected by the GDPR. Indeed, processing operations are able to impact other fundamental rights such as personality rights, freedom of expression, freedom of information, freedom of communication, the right of assembly, freedom of religion and other anti-discrimination rights.<ref>See Recital 4</ref><ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 40 (Beck 2019) (accessed 3 September 2021).</ref> The fundamental rights to privacy, personality and data protection are a backbone of a free society. There can be no freedom where the individual is not in control of their data, feels observed, tracked or continuously assessed.<ref>''Hornung et al'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 29 (Beck 2019) (accessed 2 September 2021).</ref> Indeed, Recital 4 clearly states that “''The processing of personal data should be designed to serve mankind''”, not the opposite.<blockquote><u>Example:</u> A person may only be truly free to vote if the secrecy of the ballot is ensured. If a person has to fear that her political beliefs become known to her employer, spouse or friends, she may not actually vote according to her real convictions.</blockquote>The right to data protection can therefore be seen as an enabler for other fundamental rights. The protection of personal data often forms a precondition for the exercise of other fundamental rights.<br />
==== Conflicts with other fundamental rights ====<br />
Obviously the right to data protection can conflict with a range of other interests, such as the right to freedom of speech, commercial interests, public interests or security and safety interests. <br />
<br />
Recital 4 accepts that the right to data protection has to be balanced against these other interests and fundamental rights, but also highlights that these other rights and interests were already taken into consideration when the GDPR was drafted. There is consequently no need to "balance" the GDPR against other rights for a second time, as the GDPR is already the result of a political balancing of Article 8 CFR and other rights and interests. <br />
<br />
The GDPR foresees flexible provisions, like the recognition of legitimate interests in [[Article 6 GDPR|Article 6(1)(f) GDPR]], which allows conflicting rights to be balanced, e.g. in the case of fraud prevention or the need to enforce legal claims. There are also a number of opening clauses, like [[Article 85 GDPR|Article 85]] on the freedom of speech or [[Article 86 GDPR|Article 86]] on freedom of information. In many cases Member States have the option to come up with legal requirements to process personal data in the public interest or restrict the GDPR insofar as these national laws are necessary and proportionate.<ref>See for example [[Article 23 GDPR]]</ref><br />
<br />
Some commentators have highlighted that Recital 4 also refers to the freedom to conduct a business under Article 16 CFR - indicating that this would allow the GDPR to be limited at times. However, Article 16 CFR is generally understood to only protect the right to start a business and to manage one's own resources. It is closely related to the right to choose an occupation and the right to engage in work in Article 15 CFR.<ref>''Bezemek'', in Holoubek/Lienbacher, GRC-Kommentar, Article 16, marginal numbers 6 and 7 (MANZ 2014).</ref> Article 16 CFR also clarifies that any business must be conducted "''in accordance with Union law and national laws''". The GDPR is one of these laws and can consequently not be overridden via Article 16 CFR. <br />
<br />
==== Interpretation in light of fundamental rights ====<br />
The fact that the GDPR implements the protection of fundamental rights in secondary legislation also requires that the GDPR is interpreted in the light of these fundamental rights, as repeatedly held by the CJEU.<ref>See for example CJEU in [[CJEU - C-311/18 - Schrems II|C-311/18 - Schrems II]], paragraphs 99, 101, 105, 122, 137, 138, 140, 149, 161, 178, 198 or 199.</ref> This means that any interpretation of the GDPR that would disproportionately limit the right to data protection under Article 8 CFR could not be sustained. This also allows the proportionality test under Article 52(1) CFR to be applied to many GDPR cases.<ref>See for example CJEU in [[CJEU - C-311/18 - Schrems II|C-311/18 - Schrems II]], paragraphs 174, 178 and 185.</ref><br />
<br />
In its case law, the CJEU has also repeatedly stressed<ref>See for example [[CJEU - C‑40/17 - Fashion ID|C-40/17 ''Fashion ID'']], paragraph 50, with further references to [[CJEU - Case C-101/01 - Bodil Lindqvist|C‑101/01 ''Lindqvist'']]'', [[CJEU - C-524/06 - Huber|C‑524/06 Huber]]'' or C‑468/10 and C‑469/10 ''ASNEFF and FECEMD''</ref> that the GDPR (and the previous Directive 95/46/EC) aims for a "''high level of protection''".<ref>See Recital 6 and 10</ref> The CJEU has regularly used this clause to arrive at a more protective interpretation of the GDPR. The clause "''high level of protection''" is taken from Recitals 6 and 10 of the GDPR. Although conflicting views exist,<ref>''Scorza'', in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 62 GDPR (Wolters Kluwer 2018).</ref> the approach that gives the right to data protection prevalence over other legally relevant interests should be preferred<ref>''Hornung et al,'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 28 (Beck 2019) (accessed 2 September 2021). In the same direction, ''Hijmans'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 56 (Oxford University Press 2020).</ref> to uphold the "''high level of protection''" foreseen by the GDPR. <br />
<br />
Existing CJEU case law holds useful examples of the current state of play. The court has for example held that the prevention of terrorism does not permit the retention of metadata of phone records.<ref>See CJEU in Joined Cases C‑293/12 and C‑594/12, Digital Rights Ireland</ref> Equally, public interest in financial transparency in the public sector was not seen to override the interest of employees<ref>See CJEU in C-465/00 ''Österreichischer Rundfunk.''</ref> or recipients of subsidies.<ref>See CJEU in Joined Cases C-92/09 and C-93/09 ''Volker und Markus Schecke und Eifert''.</ref> While these judgments mainly concerned public sector violations of Articles 7 and 8 CFR, they seem to also apply to private actors, given that the GDPR must be interpreted in light of the CFR.<blockquote><u>Example:</u> If Article 8 CFR prohibits governments from keeping phone records to fight terrorism and serious crime, it seems hard to argue that private entities could collect communication data for purposes that are even less serious by claiming a legitimate interest. Such a legitimate interest would have to override the red lines set in the CJEU case law, given that the GDPR must be interpreted in the light of Article 8 CFR. </blockquote><br />
===(3) Free Movement of Personal Data===<br />
Under Article 1(3) GDPR, the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons related to personal data protection. The provision is mainly aimed at Member States, which may have an interest in passing so-called data localization laws. <br />
<br />
The free movement of personal data is limited to the Union, meaning the European Economic Area (EEA). The EEA includes all EU Member States, Iceland, Liechtenstein and Norway. The status of various special territories of EU Member States requires additional checks, as some form part of the EEA, while others do not. The UK is not a Member State anymore. <br />
<br />
Non-EU/EEA countries do not benefit from the free flow of personal data. In fact, the CJEU has set rather high standards for international data transfers.<ref>See for example CJEU in C-364/14 ''Schrems I'' and [[CJEU - C-311/18 - Schrems II|C-311/18 ''Schrems II'']].</ref> The free flow of personal data is explicitly limited to the EEA. Rules on transfers to non-EU/EEA countries ("third countries") can be found in Chapter V of the GDPR. <blockquote><u>Example:</u> When a Czech controller stores personal data with a Norwegian cloud provider, the companies do not have to worry about international data flows, because the GDPR prohibits limitations on such data flows. When a Spanish controller uses a Swiss provider, however, there needs to be an additional legal basis for these data flows. </blockquote>There is a live discussion as to whether the free flow of personal data only protects data flowing between systems that are on EEA territory, or whether systems on non-EEA territory that are under the effective control of an EEA controller or processor would still benefit from the free flow of personal data, given that the GDPR would still apply to them. The European Commission has recently taken an entity-based approach (focusing on the question of whether the controlling entity falls under the territorial scope in [[Article 3 GDPR]]), not a data-based approach (focusing on the question of whether the data is physically staying in the EEA).<ref>See Article 1(1) of Commission Implementing Decision (EU) 2021/914 and the European Commission's FAQs available at https://ec.europa.eu/info/sites/default/files/questions_answers_on_sccs_en.pdf, page 13.</ref> The wording of the GDPR does not seem to support an entity-based approach.<ref>Article 1(3) GDPR focuses on the "''movement of personal data within the Union''", Article 44 GDPR equally regulates the "''transfer of personal data''", not the transfer to an entity that is not governed by the GDPR.</ref> <br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 1 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>151.135.151.28