Article 1 GDPR: Difference between revisions
Line 207: | Line 207: | ||
==== Limit to natural persons ==== | ==== Limit to natural persons ==== | ||
Article 1(1) also clarifies that the GDPR applies to the processing of personal data concerning natural persons. It follows that the Regulation does not apply to the processing of data belonging to companies or other legal entities.<ref>See Recital 14</ref> | Article 1(1) also clarifies that the GDPR applies to the processing of personal data concerning natural persons. It follows that the Regulation does not apply to the processing of data belonging to companies, public bodies or other legal entities.<ref>See Recital 14</ref> | ||
However, if data about a legal entity contains or relates to a natural person or a natural person engages in a professional activity, such data is still within the scope of the GDPR, as clarified by the CJEU in [[CJEU - C-398/15 - Salvatore Manni|C-398/15 - Salvatore Manni]].<ref>CJEU in [[CJEU - C-398/15 - Salvatore Manni|C-398/15 - Salvatore Manni]], paragraph 34 with further references.</ref><blockquote><u>Example:</u> If the "Peter Smith Limited" company is wholly owned by Peter Smith, who is also the only manager of the company, information as to the revenue about "Peter Smith Limited" can be directly linked to Peter Smith, making the GDPR applicable to such information. Equally, the email peter.smith@examplecompany.com that is professionally used by Peter Smith can be linked to Peter Smith and therefore relates to a natural person.</blockquote>You can find more details about the scope of the term "personal data" under [[Article 4 GDPR|Article 4(1) GDPR]] | However, if data about a legal entity contains or relates to a natural person or a natural person engages in a professional activity, such data is still within the scope of the GDPR, as clarified by the CJEU in [[CJEU - C-398/15 - Salvatore Manni|C-398/15 - Salvatore Manni]].<ref>CJEU in [[CJEU - C-398/15 - Salvatore Manni|C-398/15 - Salvatore Manni]], paragraph 34 with further references.</ref><blockquote><u>Example:</u> If the "Peter Smith Limited" company is wholly owned by Peter Smith, who is also the only manager of the company, information as to the revenue about "Peter Smith Limited" can be directly linked to Peter Smith, making the GDPR applicable to such information. Equally, the email peter.smith@examplecompany.com that is professionally used by Peter Smith can be linked to Peter Smith and therefore relates to a natural person.</blockquote>You can find more details about the scope of the term "personal data" under [[Article 4 GDPR|Article 4(1) GDPR]]. | ||
==== Human rights approach ==== | ==== Human rights approach ==== | ||
Line 219: | Line 219: | ||
==== The fundamental right to data protection ==== | ==== The fundamental right to data protection ==== | ||
Article 8(1) CFR provides for “''the right to the protection of personal data''” of a natural person. Some requirements to the processing of data follow from Article 8(2) CFR, which explicitly mentions the principles of fairness and purpose limitation, as well as lawfulness. | Article 8(1) CFR provides for “''the right to the protection of personal data''” of a natural person. Some requirements to the processing of data follow from Article 8(2) CFR, which explicitly mentions the principles of fairness and purpose limitation, as well as lawfulness. | ||
==== Other fundamental rights and freedoms ==== | ==== Other fundamental rights and freedoms ==== | ||
Line 230: | Line 227: | ||
Although conflicting views exist,<ref>''Scorza'', in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 62 GDPR (Wolters Kluwer 2018).</ref> the approach that gives the right to data protection prevalence over other legally relevant interests should be preferred.<ref>''Hornung et al,'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 28 (Beck 2019) (accessed 2 September 2021). In the same direction, ''Hijmans'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 56 (Oxford University Press 2020).</ref> | Although conflicting views exist,<ref>''Scorza'', in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 62 GDPR (Wolters Kluwer 2018).</ref> the approach that gives the right to data protection prevalence over other legally relevant interests should be preferred.<ref>''Hornung et al,'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 28 (Beck 2019) (accessed 2 September 2021). In the same direction, ''Hijmans'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 56 (Oxford University Press 2020).</ref> | ||
==== Interpretation in light of fundamental rights ==== | |||
The fact that the GDPR implements the protection of fundamental rights in secondary legislation, also requires that the GDPR is interpreted in the light of these fundamental rights, as repeatedly held by the CJEU.<ref>See for example CJEU in [[CJEU - C-311/18 - Schrems II|C-311/18 - Schrems II]], paragraphs 99, 101, 105, 122, 137, 138, 140, 149, 161, 178, 198 or 199.</ref> This means that any interpretation of the GDPR that would disproportionally limit the right to data protection under Article 8 CFR would could not be sustained. This also allows to apply the proportional test under Article 52(1) CFR to many GDPR cases.<ref>See for example CJEU in [[CJEU - C-311/18 - Schrems II|C-311/18 - Schrems II]], paragraphs 174, 178 and 185.</ref> | |||
In its case law, the CJEU has also repeatedly stressed ,<ref>See for example [[CJEU - C‑40/17 - Fashion ID|C-40/17 ''Fashion ID'']], paragraph 50, with further references to [[CJEU - Case C-101/01 - Bodil Lindqvist|C‑101/01 ''Lindqvist'']]'', [[CJEU - C-524/06 - Huber|C‑524/06 Huber]]'' or C‑468/10 and C‑469/10 ''ASNEFF and FECEMD''</ref> that the GDPR (and the previous Directive 95/46/EC) is aiming for a "''high level of protection''".<ref>See Recital 6 and 10</ref> This clause was regularly used to come to a more protective interpretation of the GDPR by the CJEU. The clause "''high level of protection''" is taken from Recitals 6 and 10 of the GDPR. | |||
===(3) Free Movement of Personal Data=== | ===(3) Free Movement of Personal Data=== |
Revision as of 21:26, 3 August 2022
Legal Text
1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
Relevant Recitals
Commentary
Article 1 GDPR is mainly programmatic and sets out the general objectives of the GDPR. While this is relevant for the understanding and interpretation of the GDPR, Article 1 has limited legal relevance for controllers and data subjects in daily practice. The aims can function as guiding principles to interpreting the GDPR.[1]
(1) Subject-Matter
Article 1(1) establishes the GDPR's two main aims of the GDPR. First, it aims at protecting natural persons with regard to the processing of their personal data, at the same time it recognizes the EU internal market interest in the free movement of such data. Both objectives are already named in the title of the GDPR.
Data protection and the free flow of data
The European Union is based on the idea of a common market, that provide for four freedoms, namely the free movement of goods, capital and people, as well as the freedom to establish and provide services. Different national data protection laws - or indeed the lack of such laws - would conflict with these freedoms. If Member States would for example prohibit that personal data flows to another Member State where there is no equivalent protection, trade between these Member States would be more complicated.
Example: If France would protect personal data, but Germany would not, the French protections could only be enforced if personal data would not leave France. This could limit commercial options for a German company in France.
Consequently the GDPR is tasked with providing a common level of protection, allowing personal data to flow freely within the European common market.[2]
Limit to natural persons
Article 1(1) also clarifies that the GDPR applies to the processing of personal data concerning natural persons. It follows that the Regulation does not apply to the processing of data belonging to companies, public bodies or other legal entities.[3]
However, if data about a legal entity contains or relates to a natural person or a natural person engages in a professional activity, such data is still within the scope of the GDPR, as clarified by the CJEU in C-398/15 - Salvatore Manni.[4]
Example: If the "Peter Smith Limited" company is wholly owned by Peter Smith, who is also the only manager of the company, information as to the revenue about "Peter Smith Limited" can be directly linked to Peter Smith, making the GDPR applicable to such information. Equally, the email peter.smith@examplecompany.com that is professionally used by Peter Smith can be linked to Peter Smith and therefore relates to a natural person.
You can find more details about the scope of the term "personal data" under Article 4(1) GDPR.
Human rights approach
Non-EU citizens can rely on the GDPR as its application is generally independent of nationality.[5] This is also in line with Article 8 CFR ("Everyone has the right to the protection of personal data") as the right to data protection is a human right, that generally applies to all humans, not just EU citizens.
Example: A Chinese or South African citizen can generally be subject to the GDPR, as the right to data protection is a human right, not a citizen right.
While citizenship is not a factor in the GDPR, there are other geographic factors that limit the application of the GDPR. You can find further details about the territorial scope in Article 3 GDPR.
(2) Protection of Fundamental Rights and Freedoms
According to Article 1(2), the Regulation generally protects the fundamental rights and freedoms of the individual as well as “in particular” the right to the protection of personal data. Thus, the provisions of the GDPR on the protection of personal data seem to have two objectives. One the one hand, the protection of personal data - which may not come as a surprise. At the same time, the legislator took the view that the protection of personal data also (indirectly) protects other “fundamental rights and freedoms”.[6]
The fundamental right to data protection
Article 8(1) CFR provides for “the right to the protection of personal data” of a natural person. Some requirements to the processing of data follow from Article 8(2) CFR, which explicitly mentions the principles of fairness and purpose limitation, as well as lawfulness.
Other fundamental rights and freedoms
Another essential fundamental right that is clearly protected by the GDPR is the right to privacy in Article 7 CFR. It concerns the right to respect for “private and family life” and “communications” and is distinct and often broader than the right to data protection in Article 8 CFR.
However, the fundamental rights and freedoms enshrined in Articles 7 and 8 of the CFR do not appear to be the only interests protected by the GDPR. Indeed, processing operations are able to impact other fundamental rights such as personality rights, freedom of expression, freedom of information, freedom of communication, the right of assembly, freedom of religion and other anti-discrimination rights.[7][8] The fundamental rights to privacy, personality and data protection are a backbone of a free society. There can be no freedom where the individual is not in control of their data, feels observed, tracked or continuously assessed.[9] Indeed, Recital 4 clearly states that “The processing of personal data should be designed to serve mankind”, not the opposite.
Example: A person may be only really free to vote, if the secrecy of the ballot is ensured. If a person has to fear that her political believes get known to her employer, spouse or friends, she may not actually vote for her real convictions.
The right to data protection can therefore be seen as an enabler for other fundamental rights. The protection of personal data often forms a precondition for the exercise of other fundamental rights.
Conflicts with other fundamental rights
Obviously the right to data protection can conflict with a range of other interests, such as the right to freedom of speech, commercial interests or security interests.
Although conflicting views exist,[10] the approach that gives the right to data protection prevalence over other legally relevant interests should be preferred.[11]
Interpretation in light of fundamental rights
The fact that the GDPR implements the protection of fundamental rights in secondary legislation, also requires that the GDPR is interpreted in the light of these fundamental rights, as repeatedly held by the CJEU.[12] This means that any interpretation of the GDPR that would disproportionally limit the right to data protection under Article 8 CFR would could not be sustained. This also allows to apply the proportional test under Article 52(1) CFR to many GDPR cases.[13]
In its case law, the CJEU has also repeatedly stressed ,[14] that the GDPR (and the previous Directive 95/46/EC) is aiming for a "high level of protection".[15] This clause was regularly used to come to a more protective interpretation of the GDPR by the CJEU. The clause "high level of protection" is taken from Recitals 6 and 10 of the GDPR.
(3) Free Movement of Personal Data
Under Article 1(3) GDPR, the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons related to personal data protection.
This provision accepts that processing of personal data may be essential for certain economic activities and therefore becomes relevant to the functioning of the EU internal market, which is recognised as an area of free trade of goods, services and capital. Consequently, it appears that where the use of personal data gives rise to the offer of a service, the data protection regulations cannot lead to a limitation in the provision of that service.
A particularly rigid reading of such provision could open the door to a proprietary conception of personal data. However, such an approach seems dogmatically incorrect. This is not only because our identity is not tradeable, but also because it seems to conflict with the very logic of the GDPR, whose main purpose is precisely to control and eventually block the unconditional use of personal data. Indeed, all the provisions concerning the principles of processing (transparency, minimisation, fairness), legal bases, the rights of the data subject and the various obligations related to the security of processing seem to be unequivocally going in this direction.
Let us assume that a controller located in one European country X decides to outsource, under Article 28 GDPR, part of its processing activities to a processor located in another Member State. After a technical assessment, the controller concludes that the processor is unable to provide “sufficient safeguards to implement appropriate technical and organisational measures”. The communication of data in this case will not take place because it would breach data protection law.
In this sense, the text of Article 1(3) GDPR does not seem sufficiently precise and should be interpreted in a GDPR-consistent fashion. In particular, under paragraph 3, the free movement of personal data cannot be limited or restricted outside the cases expressly provided for by the GDPR and any other applicable European or national law.
Finally, Article 1(3) facilitates the harmonization of data protection across EU, as well as Iceland, Liechtenstein and Norway as part of the European Economic Area (EEA). Restrictions to transfers to non-EU/EEA countries (third countries) follow from Chapter V GDPR.
Decisions
→ You can find all related decisions in Category:Article 1 GDPR
References
- ↑ Hornung and Spiecker in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 1 (Beck 2019) (accessed 2 September 2021).
- ↑ See Recital 10
- ↑ See Recital 14
- ↑ CJEU in C-398/15 - Salvatore Manni, paragraph 34 with further references.
- ↑ See Recital 2 GDPR
- ↑ Hornung and Spiecker in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 36 (Beck 2019) (accessed 2 September 2021).
- ↑ See Recital 4
- ↑ Hornung and Spiecker in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 40 (Beck 2019) (accessed 3 September 2021).
- ↑ Hornung et al, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 29 (Beck 2019) (accessed 2 September 2021).
- ↑ Scorza, in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 62 GDPR (Wolters Kluwer 2018).
- ↑ Hornung et al, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 28 (Beck 2019) (accessed 2 September 2021). In the same direction, Hijmans, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 56 (Oxford University Press 2020).
- ↑ See for example CJEU in C-311/18 - Schrems II, paragraphs 99, 101, 105, 122, 137, 138, 140, 149, 161, 178, 198 or 199.
- ↑ See for example CJEU in C-311/18 - Schrems II, paragraphs 174, 178 and 185.
- ↑ See for example C-40/17 Fashion ID, paragraph 50, with further references to C‑101/01 Lindqvist, C‑524/06 Huber or C‑468/10 and C‑469/10 ASNEFF and FECEMD
- ↑ See Recital 6 and 10