Article 1 GDPR: Difference between revisions

Revision as of 15:14, 2 November 2021

← Article 1: Subject-matter and objectives →

Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 1: Subject-matter and objectives

1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

Relevant Recitals

Recital 1: The Right to Data Protection as a Fundamental Right

The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.

Recital 2: Respect of Fundamental Rights and Freedoms

The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.

Recital 3: Directive 95/46/EC Harmonisation Goal

Directive 95/46/EC of the European Parliament and of the Council seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States.

Recital 4: Balance Against Other Fundamental Rights

The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

Recital 5: Cross-Border Cooperation for the Exchange of Personal Data

The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows of personal data. The exchange of personal data between public and private actors, including natural persons, associations and undertakings across the Union has increased. National authorities in the Member States are being called upon by Union law to cooperate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State.

Recital 6: Technological Transformation to Ensure a High Level of Protection

Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.

Recital 7: Control Over Own Personal Data

Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.

Recital 8: National Implementation

Where this Regulation provides for specifications or restrictions of its rules by Member State law, Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of this Regulation into their national law.

Recital 9: Fragmentation under Directive 95/46/EC

The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.

Recital 10: Equivalent Level of Protection and Homogeneous Application

In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation. In conjunction with the general and horizontal law on data protection implementing Directive 95/46/EC, Member States have several sector-specific laws in areas that need more specific provisions. This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’). To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.

Recital 11: Strengthening of Rights and Enforcement

Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.

Recital 12: Article 16(2) TFEU Mandate

Article 16(2) TFEU mandates the European Parliament and the Council to lay down the rules relating to the protection of natural persons with regard to the processing of personal data and the rules relating to the free movement of personal data.

Commentary

Article 1 GDPR sets out the general framework regarding the processing of personal data in Europe. First, paragraph 1 defines the two main objectives of the Regulation: personal data protection and free movement of data. Then, paragraph 2 enshrines the protection of the individual's fundamental rights and freedoms, especially when they are connected to their personal data. Finally, paragraph 3 clarifies that the free movement of personal data may not be prohibited or restricted for reasons relating to the protection of personal data.

(1) Subject-Matter

Article 1(1) establishes the GDPR's two main aims. From one side, it aims at protecting natural persons with regard to the processing of their personal data. On the other side, it recognizes the EU internal market interest in the free movement of such data.

Data protection or free flow of data?

It seems clear that, at least occasionally, the right to the protection of personal data may conflict with a range of other freedoms, such as the free movement of personal data. Although conflicting views exist,^[1] the approach that gives the right to data protection prevalence over other legally relevant interests should be preferred.^[2]

In this regard, it has been convincingly noted that the fundamental rights to privacy, personality and data protection are the backbone of a free legal system and that there can be no freedom where the individual is not in control of their data, feels observed, tracked or continuously assessed.^[3] Indeed, Recital 4 clearly states that “The processing of personal data should be designed to serve mankind”, not the opposite.

These aims can function as guiding principles to interpreting the GDPR, together with the data processing principles established in Article 5.^[4]

Natural persons

Further, Article 1(1) clarifies that the GDPR applies to the processing of personal data concerning natural persons. It follows that the Regulation does not apply to the processing of data belonging to companies or other legal entities. Non-EU citizens can rely on the GDPR as its application is independent of nationality or place of residence (see, Recital 2).

(2) Protection of Fundamental Rights and Freedoms

The wording of Article 1(2) offers interesting insights into the protective scope of the GDPR. According to this provision, the Regulation generally protects the fundamental rights and freedoms of the individual as well as “in particular” the right to the protection of personal data. Thus, the provisions of the GDPR on the protection of personal data seem to have two objectives.

First, they “simply” protect personal data. For example, Article 35 requires controllers to conduct Data Protection Impact Assessments, and Article 32 obliges them and any processor to implement adequate technical and organizational safeguards regarding the processing. However, the very same rules seem to concurrently be aimed at protecting other “fundamental rights and freedoms”.^[5]

The list of fundamental rights and freedoms protected by the GDPR is not defined. Certainly, one can refer to the Charter of Fundamental Rights of the European Union (“the Charter”). The Charter, which is EU primary law, provides for “the right to the protection of personal data” of a natural person under Article 8(1). Some requirements to the processing of data follow from Article 8(2) of the Charter, which explicitly mentions the principles of fairness and purpose limitation, as well as lawfulness. Another essential reference seems to be Article 7 of the Charter, which concerns the right to respect for “private and family life” and “communications”.

However, the fundamental rights and freedoms enshrined in Articles 7 and 8 of the Charter do not appear to be the only interests protected by the GDPR. Indeed, processing operations are able to impact other fundamental rights such as personality rights, freedom of expression, freedom of information, freedom of communication, the right of assembly, freedom of religion and other anti-discrimination rights.^[6]

(3) Free Movement of Personal Data

Under Article 1(3) GDPR, the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons related to personal data protection.

This provision accepts that processing of personal data may be essential for certain economic activities and therefore becomes relevant to the functioning of the EU internal market, which is recognised as an area of free trade of goods, services and capital. Consequently, it appears that where the use of personal data gives rise to the offer of a service, the data protection regulations cannot lead to a limitation in the provision of that service.

A particularly rigid reading of such provision could open the door to a proprietary conception of personal data. However, such an approach seems dogmatically incorrect. This is not only because our identity is not tradeable, but also because it seems to conflict with the very logic of the GDPR, whose main purpose is precisely to control and eventually block the unconditional use of personal data. Indeed, all the provisions concerning the principles of processing (transparency, minimisation, fairness), legal bases, the rights of the data subject and the various obligations related to the security of processing seem to be unequivocally going in this direction.

Let us assume that a controller located in one European country X decides to outsource, under Article 28 GDPR, part of its processing activities to a processor located in another Member State. After a technical assessment, the controller concludes that the processor is unable to provide “sufficient safeguards to implement appropriate technical and organisational measures”. The communication of data in this case will not take place because it would breach data protection law.

In this sense, the text of Article 1(3) GDPR does not seem sufficiently precise and should be interpreted in a GDPR-consistent fashion. In particular, under paragraph 3, the free movement of personal data cannot be limited or restricted outside the cases expressly provided for by the GDPR and any other applicable European or national law.

Finally, Article 1(3) facilitates the harmonization of data protection across EU, as well as Iceland, Liechtenstein and Norway as part of the European Economic Area (EEA). Restrictions to transfers to non-EU/EEA countries (third countries) follow from Chapter V GDPR.

Decisions

→ You can find all related decisions in Category:Article 1 GDPR

References

↑ Scorza, in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 62 GDPR (Wolters Kluwer 2018).
↑ Hornung et al, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 28 (Beck 2019) (accessed 2 September 2021). In the same direction, Hijmans, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 56 (Oxford University Press 2020).
↑ Hornung et al, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 29 (Beck 2019) (accessed 2 September 2021).
↑ Hornung and Spiecker in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 1 (Beck 2019) (accessed 2 September 2021).
↑ Hornung and Spiecker in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 36 (Beck 2019) (accessed 2 September 2021).
↑ Hornung and Spiecker in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 40 (Beck 2019) (accessed 3 September 2021).

[1] Scorza, in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 62 GDPR (Wolters Kluwer 2018).

[2] Hornung et al, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 28 (Beck 2019) (accessed 2 September 2021). In the same direction, Hijmans, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 56 (Oxford University Press 2020).

[3] Hornung et al, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 29 (Beck 2019) (accessed 2 September 2021).

[4] Hornung and Spiecker in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 1 (Beck 2019) (accessed 2 September 2021).

[5] Hornung and Spiecker in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 36 (Beck 2019) (accessed 2 September 2021).

[6] Hornung and Spiecker in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 40 (Beck 2019) (accessed 3 September 2021).

[1]

[2]

[3]

[4]

[5]

[6]

@@ Line 204: / Line 204: @@
 ==== Data protection or free flow of data? ====
-It seems clear that, at least occasionally, the right to the protection of personal data may conflict with a range of other freedoms, such as the free movement of personal data. Although conflicting views exist,<ref>''Scorza'', in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 62 GDPR (Wolters Kluwer 2018).</ref> the approach that gives the right to data protection prevalence over other legally relevant interests should be preferred.<ref>''Hornung et al,'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 28 (Beck 2019) (accessed 2 September 2021).</ref>
+It seems clear that, at least occasionally, the right to the protection of personal data may conflict with a range of other freedoms, such as the free movement of personal data. Although conflicting views exist,<ref>''Scorza'', in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 62 GDPR (Wolters Kluwer 2018).</ref> the approach that gives the right to data protection prevalence over other legally relevant interests should be preferred.<ref>''Hornung et al,'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 28 (Beck 2019) (accessed 2 September 2021). In the same direction, ''Hijmans'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 56 (Oxford University Press 2020).</ref>
 In this regard, it has been convincingly noted that the fundamental rights to privacy, personality and data protection are the backbone of a free legal system and that there can be no freedom where the individual is not in control of their data, feels observed, tracked or continuously assessed.<ref>''Hornung et al'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 29 (Beck 2019) (accessed 2 September 2021).</ref> Indeed, Recital 4 clearly states that “''The processing of personal data should be designed to serve mankind''”, not the opposite.
@@ Line 218: / Line 218: @@
 First, they “simply” protect personal data. For example, Article 35 requires controllers to conduct Data Protection Impact Assessments, and Article 32 obliges them and any processor to implement adequate technical and organizational safeguards regarding the processing. However, the very same rules seem to concurrently be aimed at protecting other “''fundamental rights and freedoms''”.<ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 36 (Beck 2019) (accessed 2 September 2021).</ref>
-The list of fundamental rights and freedoms protected by the GDPR is not defined. Certainly, one can refer to the Charter of Fundamental Rights of the European Union (“the Charter”). The Charter, which is EU primary law, provides for “''the right to the protection of personal data''” of a natural person under Article 8(1). Some requirements to the processing of data follow from Article 8(2) of the Charter, which explicitly mentions the principles of fairness and purpose limitation,<ref>The impact of the Charter on the drafting of the GDPR can be observed from the changes made to the draft version of Article 6(4) GDPR following criticism from the Working Party 29. The Council had proposed that a controller could further process data, even if the purpose of the processing was incompatible with the original purpose, as long as the controller had an overriding interest – something the Working Party 29 objected to by pointing out that the principle of purpose limitation is part of primary law. See, Article 29 Data Protection Working Party, "Press release on Chapter II of the draft regulation for the March JHA Council", ''Press Release'', 17 March 2015 (available [https://ec.europa.eu/justice/article-29/press-material/press-release/art29_press_material/2015/20150317__wp29_press_release_on_on_chapter_ii_of_the_draft_regulation_for_the_march_jha_council.pdf here])</ref> as well as lawfulness. Another essential reference seems to be Article 7 of the Charter, which concerns the right to respect for “''private and family life''” and “''communications''”.
+The list of fundamental rights and freedoms protected by the GDPR is not defined. Certainly, one can refer to the Charter of Fundamental Rights of the European Union (“the Charter”). The Charter, which is EU primary law, provides for “''the right to the protection of personal data''” of a natural person under Article 8(1). Some requirements to the processing of data follow from Article 8(2) of the Charter, which explicitly mentions the principles of fairness and purpose limitation, as well as lawfulness. Another essential reference seems to be Article 7 of the Charter, which concerns the right to respect for “''private and family life''” and “''communications''”.
 However, the fundamental rights and freedoms enshrined in Articles 7 and 8 of the Charter do not appear to be the only interests protected by the GDPR. Indeed, processing operations are able to impact other fundamental rights such as personality rights, freedom of expression, freedom of information, freedom of communication, the right of assembly, freedom of religion and other anti-discrimination rights.<ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 40 (Beck 2019) (accessed 3 September 2021).</ref>