Article 1 GDPR: Difference between revisions

From GDPRhub
 
(19 intermediate revisions by 12 users not shown)
Line 184: Line 184:
|}
|}


==Legal Text==
==Legal Text ==


<br /><center>'''Article 1: Subject-matter and objectives'''</center>
 
'''Article 1: Subject-matter and objectives'''


<span id="1">1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.</span>
<span id="1">1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.</span>
Line 200: Line 201:
Article 1 GDPR is mainly programmatic and sets out the general objectives of the GDPR. While this is relevant for the understanding and interpretation of the GDPR, Article 1 has limited legal relevance for controllers and data subjects in daily practice. The aims can function as guiding principles to interpreting the GDPR.<ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 1 (Beck 2019) (accessed 2 September 2021).</ref>
Article 1 GDPR is mainly programmatic and sets out the general objectives of the GDPR. While this is relevant for the understanding and interpretation of the GDPR, Article 1 has limited legal relevance for controllers and data subjects in daily practice. The aims can function as guiding principles to interpreting the GDPR.<ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 1 (Beck 2019) (accessed 2 September 2021).</ref>


===(1) Subject-Matter===
===(1) Subject-matter===
Article 1(1) establishes the GDPR's two main aims of the GDPR. First, it aims at protecting natural persons with regard to the processing of their personal data, at the same time it recognizes the EU internal market interest in the free movement of such data. Both objectives are already named in the title of the GDPR.   
Article 1(1) establishes the GDPR's two main aims. First, it aims at protecting natural persons with regard to the processing of their personal data, at the same time it recognizes the EU internal market interest in the free movement of such data. Both objectives are already named in the title of the GDPR.   


==== Data protection and the free flow of data ====
==== Data protection and the free flow of data ====
The European Union is based on the idea of a common market, that provide for four freedoms, namely the free movement of goods, capital and people, as well as the freedom to establish and provide services. Different national data protection laws - or indeed the lack of such laws - would conflict with these freedoms. If Member States would for example prohibit that personal data flows to another Member State where there is no equivalent protection, trade between these Member States would be more complicated.<blockquote><u>Example:</u> If France would protect personal data, but Germany would not, the French protections could only be enforced if personal data would not leave France. This could limit commercial options for a German company in France.</blockquote>Consequently the GDPR is tasked with providing a common level of protection, allowing personal data to flow freely within the European common market.<ref>See Recital 10</ref>   
The European Union is based on the idea of a common market, that provide for four freedoms, namely the free movement of goods, capital and people, as well as the freedom to establish and provide services. Different national data protection laws - or indeed the lack of such laws - would conflict with these freedoms. If Member States would, for example, prohibit the transfer of personal data to another Member State where there is no equivalent protection, trade between these Member States would be more complicated.<blockquote>{{Quote-example|If France would protect personal data, but Germany would not, the French protections could only be enforced if personal data would not leave France. Such national limitations would limit the European common market.}}
</blockquote>Consequently the GDPR aims to provide a common level of protection, allowing personal data to flow freely within the European common market.<ref>See Recital 10</ref>   


==== Limit to natural persons ====
====Limit to natural persons====
Article 1(1) also clarifies that the GDPR applies to the processing of personal data concerning natural persons. It follows that the Regulation does not apply to the processing of  data belonging to companies, public bodies or other legal entities.<ref>See Recital 14</ref>
Article 1(1) also clarifies that the GDPR applies to the processing of personal data concerning natural persons. It follows that the GDPR does not apply to the processing of  data belonging to companies, public bodies or other legal entities.<ref>See Recital 14</ref>


However, if data about a legal entity contains or relates to a natural person or a natural person engages in a professional activity, such data is still within the scope of the GDPR, as clarified by the CJEU in [[CJEU - C-398/15 - Salvatore Manni|C-398/15 - Salvatore Manni]].<ref>CJEU in [[CJEU - C-398/15 - Salvatore Manni|C-398/15 - Salvatore Manni]], paragraph 34 with further references.</ref><blockquote><u>Example:</u> If the "Peter Smith Limited" company is wholly owned by Peter Smith, who is also the only manager of the company, information as to the revenue about "Peter Smith Limited" can be directly linked to Peter Smith, making the GDPR applicable to such information. Equally, the email peter.smith@examplecompany.com that is professionally used by Peter Smith can be linked to Peter Smith and therefore relates to a natural person.</blockquote>You can find more details about the scope of the term "personal data" under [[Article 4 GDPR|Article 4(1) GDPR]].
However, if data about a legal entity contains or relates to a natural person or a natural person engages in a professional activity, such data is still within the scope of the GDPR, as clarified by the CJEU in [[CJEU - C-398/15 - Salvatore Manni|C-398/15 - ''Salvatore Manni'']].<ref>CJEU in [[CJEU - C-398/15 - Salvatore Manni|C-398/15 - Salvatore Manni]], paragraph 34 with further references.</ref><blockquote>{{Quote-example|If the 'Peter Smith Limited' company is wholly owned by Peter Smith, who is also the only manager of the company, information as to the revenue about 'Peter Smith Limited' can be directly linked to Peter Smith, making the GDPR applicable to such information. Equally, the email peter.smith@examplecompany.com that is used professionally by Peter Smith can be linked to Peter Smith and therefore relates to a natural person. It does not matter if this person acts in a commercial or private capacity.}}


==== Human rights approach ====
You can find more details about the scope of the term 'personal data' under [[Article 4 GDPR|Article 4(1) GDPR]].</blockquote>
Non-EU citizens can rely on the GDPR as its application is generally independent of nationality.<ref>See Recital 2 GDPR</ref> This is also in line with Article 8 CFR ("''Everyone has the right to the protection of personal data''") as the right to data protection is a human right, that generally applies to all humans, not just EU citizens.<blockquote><u>Example:</u> A Chinese or South African citizen can generally be subject to the GDPR, as the right to data protection is a human right, not a citizen right.</blockquote>While citizenship is not a factor in the GDPR, there are other geographic factors that limit the application of the GDPR. You can find further details about the territorial scope in [[Article 3 GDPR]].
====Human rights approach====
Non-EU citizens can rely on the GDPR as its application is generally independent of nationality.<ref>See Recital 2 GDPR</ref> This is also in line with Article 8 CFR ("''Everyone has the right to the protection of personal data''") as the right to data protection is a human right, that generally applies to all humans, not just EU citizens.
<blockquote>{{Quote-example|A Chinese or South African citizen can generally be subject to the GDPR, as the right to data protection is a human right, not a citizen right.}}</blockquote>
While citizenship is not a factor in the GDPR, there are other geographic factors that limit the application of the GDPR. You can find further details about the territorial scope in [[Article 3 GDPR]].


===(2) Protection of Fundamental Rights and Freedoms ===
===(2) Protection of fundamental rights and freedoms===
According to Article 1(2), the Regulation generally protects the fundamental rights and freedoms of the individual as well as “''in particular''the right to the protection of personal data. Thus, the provisions of the GDPR on the protection of personal data seem to have two objectives. One the one hand, the protection of personal data - which may not come as a surprise. At the same time, the legislator took the view that the protection of personal data also (indirectly) protects other “''fundamental rights and freedoms''”.<ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 36 (Beck 2019) (accessed 2 September 2021).</ref>  
According to Article 1(2), the Regulation generally protects the fundamental rights and freedoms of the individual as well as 'in particular''<nowiki/>''' the right to the protection of personal data. Thus, the provisions of the GDPR on the protection of personal data seem to have two objectives. On the one hand, the protection of personal data - which may not come as a surprise. On the other hand, the legislator took the view that the protection of personal data also (indirectly) protects other 'fundamental rights and freedoms'.<ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 36 (Beck 2019) (accessed 2 September 2021).</ref><blockquote><u>Case Law:</u> In the joined cases [[CJEU - C‑293/12 and C‑594/12 - Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others|C‑293/12 and C‑594/12 - ''Digital Rights Ireland'']] - on so-called 'data retention' where communication metadata was stored for up to two year for criminal investigations, the CJEU held that "''it is not inconceivable that the retention of the data in question might have an effect on... their exercise of the freedom of expression guaranteed by Article 11 of the Charter''".</blockquote>


==== Protection of the fundamental right to data protection ====
====Protection of the fundamental right to data protection====
Article 8(1) CFR provides for “''the right to the protection of personal data''” of a natural person. Some requirements to the processing of data follow from Article 8(2) CFR, which explicitly mentions the principles of fairness and purpose limitation, as well as lawfulness.  
Article 8(1) CFR provides for 'the right to the protection of personal data' of a natural person. Some requirements to the processing of data follow from Article 8(2) CFR, which explicitly mentions the principles of fairness and purpose limitation, as well as lawfulness.  


==== Protection of other fundamental rights and freedoms ====
====Protection of other fundamental rights and freedoms====
Another essential fundamental right that is clearly protected by the GDPR is the right to privacy in Article 7 CFR. It concerns the right to respect for “''private and family life''” and “''communications''” and is distinct and often broader than the right to data protection in Article 8 CFR.
Another essential fundamental right that is clearly protected by the GDPR is the right to privacy in Article 7 CFR. This concerns the right to respect for 'private and family life' and 'communications' and is distinct from, and often broader than, the right to data protection in Article 8 CFR.
However, the fundamental rights and freedoms enshrined in Articles 7 and 8 of the CFR do not appear to be the only interests protected by the GDPR. Indeed, processing operations are able to impact other fundamental rights such as personality rights, freedom of expression, freedom of information, freedom of communication, the right of assembly, freedom of religion and other anti-discrimination rights.<ref>See Recital 4</ref><ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 40 (Beck 2019) (accessed 3 September 2021).</ref> The fundamental rights to privacy, personality and data protection are a backbone of a free society. There can be no freedom where the individual is not in control of their data, feels observed, tracked or continuously assessed.<ref>''Hornung et al'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 29 (Beck 2019) (accessed 2 September 2021).</ref> Indeed, Recital 4 clearly states that “''The processing of personal data should be designed to serve mankind''”, not the opposite.<blockquote><u>Example:</u> A person may be only really free to vote, if the secrecy of the ballot is ensured. If a person has to fear that her political believes get known to her employer, spouse or friends, she may not actually vote for her real convictions.</blockquote>The right to data protection can therefore be seen as an enabler for other fundamental rights. The protection of personal data often forms a precondition for the exercise of other fundamental rights.
However, the fundamental rights and freedoms enshrined in Articles 7 and 8 of the CFR do not appear to be the only interests protected by the GDPR. Indeed, processing operations are able to impact other fundamental rights such as personality rights, freedom of expression, freedom of information, freedom of communication, the right of assembly, freedom of religion and other anti-discrimination rights.<ref>See Recital 4</ref><ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 40 (Beck 2019) (accessed 3 September 2021).</ref> The fundamental rights to privacy, personality and data protection are the backbone of a free society. There can be no freedom where the individual is not in control of their data, feels observed, tracked or continuously assessed.<ref>''Hornung et al'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 29 (Beck 2019) (accessed 2 September 2021).</ref> Indeed, Recital 4 clearly states that “''the processing of personal data should be designed to serve mankind''”, not the opposite.<blockquote>{{Quote-example|A person may be only really free to vote, if the secrecy of the ballot is ensured. If a person is afraid that her political beliefs may become known to her employer, spouse or friends, she may not actually vote according to her true convictions.}}
==== Conflicts with other fundamental rights ====
The right to data protection can therefore be seen as an enabler for other fundamental rights. The protection of personal data often forms a precondition for the exercise of other fundamental rights.</blockquote>
====Conflicts with other fundamental rights====
Obviously the right to data protection can conflict with a range of other interests, such as the right to freedom of speech, commercial interests, public interests or security and safety interests.   
Obviously the right to data protection can conflict with a range of other interests, such as the right to freedom of speech, commercial interests, public interests or security and safety interests.   


Recital 4 highlights that the right to data protection has to be balanced against these other interests and fundamental rights, but that they were already taken into consideration when the GDPR was drafted. There is consequently no need to "balance" the GDPR against other rights for a second time, as the GDPR is already the result of a political balancing of Article 8 CFR and other rights and interests.   
Recital 4 accepts that the right to data protection has to be balanced against these other interests and fundamental rights, but also highlights that these other rights and interests were already taken into consideration when the GDPR was drafted. There is consequently no need to 'balance' the GDPR against other rights for a second time, as the GDPR is already the result of a political balancing of Article 8 CFR and other rights and interests.  <blockquote>{{Quote-common-mistake|Some lawyers argue that the GDPR would have to be 'balanced' with the right to conduct a business under Article 16 CFR. However, Article 16 CFR has a limited scope and e.g. ensures that everyone can open a business and can decide over business partners. There is also only a freedom to conduct a business 'in accordance with community law' - not in violation of community law (such as the GDPR).}}
 
While there is no general balancing test, the GDPR foresees specific flexible provisions, like the recognition of legitimate interests in [[Article 6 GDPR|Article 6(1)(f) GDPR]] which allows to balance conflicting rights e.g. in the case of fraud prevention or the need to enforce legal claims. There are also a number of opening clauses, like [[Article 85 GDPR|Article 85]] on freedom of speech or [[Article 86 GDPR|Article 86]] on freedom of information. In many cases Member States have the option to come up with legal requirements to process personal data in the public interest or restrict the GDPR insofar as these national laws are necessary and proportionate.<ref>See for example [[Article 23 GDPR]]</ref></blockquote>
The GDPR foresees flexible provisions, like the recognition of legitimate interests in [[Article 6 GDPR|Article 6(1)(f) GDPR]] which allows to balance conflicting rights e.g. in the case of fraud prevention There are also a number of opening clauses, like [[Article 85 GDPR|Article 85]] on the freedom of speech or [[Article 86 GDPR|Article 86]] on freedom of information. In many cases Member States have the option to restrict the GDPR insofar as these restrictions are necessary and proportionate.<ref>See for example [[Article 23 GDPR]]</ref>
====Interpretation in light of fundamental rights====
 
The fact that the GDPR implements the protection of fundamental rights in secondary legislation, also requires that the GDPR is interpreted in the light of these fundamental rights.<blockquote>In  [[CJEU - C-311/18 - Schrems II|C-311/18 - ''Schrems II'']] on data transfers from the EU to the US, where secret services can access such personal data, the CJEU has highlighted that the GDPR must be interpreted in light of the CFR. This is not only limited to the right to data protection in Article 8 CFR and the closely related right to privacy in Article 7 CFR, but for example also includes the right to an effective remedy and to a fair trial under Article 47 CFR.<ref>See for example CJEU in [[CJEU - C-311/18 - Schrems II|C-311/18 - Schrems II]], paragraphs 99, 101, 105, 122, 137, 138, 140, 149, 161, 178, 198 or 199.</ref> </blockquote>{{Quote-CJEU|"[T]he interpretation of EU law and examination of the legality of EU legislation must be undertaken in the light of the fundamental rights guaranteed by the Charter […]".|CJEU - C-311/18 - Schrems II|99.}}
Although conflicting views exist,<ref>''Scorza'', in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 62 GDPR (Wolters Kluwer 2018).</ref> the approach that gives the right to data protection prevalence over other legally relevant interests should be preferred<ref>''Hornung et al,'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 28 (Beck 2019) (accessed 2 September 2021). In the same direction, ''Hijmans'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 56 (Oxford University Press 2020).</ref> to uphold the "''high level of protection''" foreseen by the GDPR. CJEU case law holds useful examples of the current state of play. The court has for example held that terrorist prevention does not allow to keep meta data of phone records.<ref>See CJEU in Joined Cases C‑293/12 and C‑594/12, Digital Rights Ireland</ref> Equally, public interest in financial transparency in the public sector was not seen to override the interest of employees<ref>See CJEU in C-465/00 ''Österreichischer Rundfunk.''</ref> or recipients of subsidies.<ref>See CJEU in Joined Cases C-92/09 and C-93/09 ''Volker und Markus Schecke und Eifert''.</ref> While these judgments were mainly concerning public sector violations of Article 7 and 8 CFR, they equally apply to the private actors, given that the GDPR must be interpreted in light of the CFR. <blockquote><u>Example:</u> If Article 8 CFR prohibits governments to keep phone records to fight terrorism and serious crime, it seems hard to argue that private entities collect communication data for purposes like fraud prevention as a legitimate interest that would override the right to data protection, given that that the GDPR must be interpreted in the light of Article 8 CFR. </blockquote>Some commentators have highlighted that Recital 4 also refers to the freedom to conduct a business under Article 16 CFR -  indicating that this would allow to limit the GDPR at times. However, Article 16 CFR is generally understood to only protect the right to start a business and to manage own resources. It is closely related to the right to choose an occupation and the right to engage in work in Article 15 CFR.<ref>''Bezemek'', in Holoubek/Lienbacher, GRC-Kommentar, Article 16, marginal numbers 6 and 7 (MANZ 2014).</ref> Article 16 CFR also clarifies that any business must be conducted "''in accordance with Union law and national laws''". The GDPR is one of these laws and can consequently not be overridden via Article 16 CFR.
This means that any interpretation of the GDPR that would disproportionally limit the right to data protection under Article 8 CFR could not be sustained. This also allows the application of the proportionality test under Article 52(1) CFR, which often leads to a clear answer when interpreting the GDPR.<ref>See for example CJEU in [[CJEU - C-311/18 - Schrems II|C-311/18 - Schrems II]], paragraphs 174, 178 and 185.</ref>
 
==== Interpretation in light of fundamental rights ====
The fact that the GDPR implements the protection of fundamental rights in secondary legislation, also requires that the GDPR is interpreted in the light of these fundamental rights, as repeatedly held by the CJEU.<ref>See for example CJEU in [[CJEU - C-311/18 - Schrems II|C-311/18 - Schrems II]], paragraphs 99, 101, 105, 122, 137, 138, 140, 149, 161, 178, 198 or 199.</ref> This means that any interpretation of the GDPR that would disproportionally limit the right to data protection under Article 8 CFR would could not be sustained. This also allows to apply the proportional test under Article 52(1) CFR to many GDPR cases.<ref>See for example CJEU in [[CJEU - C-311/18 - Schrems II|C-311/18 - Schrems II]], paragraphs 174, 178 and 185.</ref>
 
In its case law, the CJEU has also repeatedly stressed ,<ref>See for example [[CJEU - C‑40/17 - Fashion ID|C-40/17 ''Fashion ID'']], paragraph 50, with further references to [[CJEU - Case C-101/01 - Bodil Lindqvist|C‑101/01 ''Lindqvist'']]'', [[CJEU - C-524/06 - Huber|C‑524/06 Huber]]'' or C‑468/10 and C‑469/10 ''ASNEFF and FECEMD''</ref> that the GDPR (and the previous Directive 95/46/EC) is aiming for a "''high level of protection''".<ref>See Recital 6 and 10</ref> This clause was regularly used to come to a more protective interpretation of the GDPR by the CJEU. The clause "''high level of protection''" is taken from Recitals 6 and 10 of the GDPR.
 
===(3) Free Movement of Personal Data===
Under Article 1(3) GDPR, the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons related to personal data protection.


This provision accepts that processing of personal data may be essential for certain economic activities and therefore becomes relevant to the functioning of the EU internal market, which is recognised as an area of free trade of goods, services and capital. Consequently, it appears that where the use of personal data gives rise to the offer of a service, the data protection regulations cannot lead to a limitation in the provision of that service.
In its case law, the CJEU has also repeatedly stressed<ref>See for example [[CJEU - C‑40/17 - Fashion ID|C-40/17 ''Fashion ID'']], paragraph 50, with further references to [[CJEU - Case C-101/01 - Bodil Lindqvist|C‑101/01 ''Lindqvist'']]'', [[CJEU - C-524/06 - Huber|C‑524/06 Huber]]'' or C‑468/10 and C‑469/10 ''ASNEFF and FECEMD''</ref> that the GDPR (and the previous [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31995L0046 Directive 95/46/EC]) is aiming for a "''high level of protection''".<ref>See Recital 6 and 10</ref> This term was regularly used to convey a more protective interpretation of the GDPR by the CJEU, and is taken from Recitals 6 and 10 of the GDPR. Although conflicting views exist,<ref>''Scorza'', in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 62 GDPR (Wolters Kluwer 2018).</ref> the approach that gives the right to data protection prevalence over other legally relevant interests is preferred by the CJEU,<ref>''Hornung et al,'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 28 (Beck 2019) (accessed 2 September 2021). In the same direction, ''Hijmans'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 56 (Oxford University Press 2020).</ref> in order to uphold the this high level of protection foreseen by the GDPR.


A particularly rigid reading of such provision could open the door to a proprietary conception of personal data. However, such an approach seems dogmatically incorrect. This is not only because our identity is not tradeable, but also because it seems to conflict with the very logic of the GDPR, whose main purpose is precisely to control and eventually block the unconditional use of personal data. Indeed, all the provisions concerning the principles of processing (transparency, minimisation, fairness), legal bases, the rights of the data subject and the various obligations related to the security of processing seem to be unequivocally going in this direction.
Existing CJEU case law contains useful examples of the current state of play. In the joined cases [[CJEU - C‑293/12 and C‑594/12 - Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others|C‑293/12 and C‑594/12 - ''Digital Rights Ireland'']] the CJEU has, for example, held that the prevention of terrorism does not allow the retention of meta data from phone records.<ref>See CJEU in Joined Cases C‑293/12 and C‑594/12, Digital Rights Ireland</ref>


Let us assume that a controller located in one European country X decides to outsource, under Article 28 GDPR, part of its processing activities to a processor located in another Member State. After a technical assessment, the controller concludes that the processor is unable to provide “''sufficient safeguards to implement appropriate technical and organisational measures''. The communication of data in this case will not take place ''because'' it would breach data protection law.
Similarly, in other cases, public interest in financial transparency in the public sector was not seen to override the interest of employees<ref>See CJEU in C-465/00 ''Österreichischer Rundfunk.''</ref> or recipients of subsidies.<ref>See CJEU in Joined Cases C-92/09 and C-93/09 ''Volker und Markus Schecke und Eifert''.</ref> While these judgments were mainly concerning public sector violations of Article 7 and 8 CFR, they seem to also apply to private actors, given that the GDPR must be interpreted in light of the CFR.<blockquote>{{Quote-example|If in the joined cases [[CJEU - C‑293/12 and C‑594/12 - Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others|C‑293/12 and C‑594/12 - ''Digital Rights Ireland'']] the CJEU prohibited governments to keep phone records to fight terrorism and serious crime, it seems hard to argue that private entities could claim a legitimate interest under [[Article 6 GDPR|Article 6(1)(f) GDPR]] for communication data for purposes that are even less serious. Such a legitimate interest would have to cross the red lines set in the CJEU case law, given that the GDPR must be interpreted in the light of Article 8 CFR.}}</blockquote>
===(3) Free movement of personal data===
Under [[Article 1 GDPR#3|Article 1(3) GDPR]], the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons related to personal data protection. The provision is mainly aimed at Member States, which may have an interest to pass so-called data localization laws. 


In this sense, the text of Article 1(3) GDPR does not seem sufficiently precise and should be interpreted in a GDPR-consistent fashion. In particular, under paragraph 3, the free movement of personal data cannot be limited or restricted outside the cases expressly provided for by the GDPR and any other applicable European or national law.
The free movement of personal data is limited to the Union, meaning the European Economic Area (EEA). The EEA includes all EU Member States, Iceland, Liechtenstein and Norway. The status of various special territories of EU Member States require additional checks, as some form part of the EEA, while others do not. The UK is not a Member State anymore.  


Finally, Article 1(3) facilitates the harmonization of data protection across EU, as well as Iceland, Liechtenstein and Norway as part of the European Economic Area (EEA). Restrictions to transfers to non-EU/EEA countries (third countries) follow from Chapter V GDPR.
Non-EU/EEA countries do not benefit from the free flow of personal data. In fact, the CJEU has set rather high standards for international data transfers.<ref>See for example CJEU in C-364/14 ''Schrems I'' and [[CJEU - C-311/18 - Schrems II|C-311/18 ''Schrems II'']].</ref> The free flow of personal data is explicitly limited to the EEA. Rules on transfers to non-EU/EEA countries ('third countries') can be found in Chapter V of the GDPR. <blockquote>{{Quote-example|When a Czech controller is storing personal data with a Norwegian cloud provider, the companies do not have to worry about international data flows, because the GDPR prohibits limitations on such data flows. However, when a Spanish controller is using a Swiss provider, there needs to be an additional legal basis for these data flows.}}
</blockquote>There is an ongoing discussion on whether the free flow of personal data only protects data flowing between systems that are on EEA territory, or if systems on non-EEA territory - that are under the effective control of an EEA controller or processor - would still benefit from the free flow of personal data, given that the GDPR would still apply to them. The European Commission has recently taken an entity-based approach (focusing on the question of whether the controlling entity falls under the territorial scope in [[Article 3 GDPR]]), not a data-based approach (focusing on the question of whether the data is physically staying in the EEA).<ref>See Article 1(1) of Commission Implementing Decision (EU) 2021/914 and the European Commission's FAQs available at https://ec.europa.eu/info/sites/default/files/questions_answers_on_sccs_en.pdf, page 13.</ref> The wording of the GDPR does not seem to support an entity-based approach.<ref>Article 1(3) GDPR focuses on the "''movement of personal data within the Union''", Article 44 GDPR equally regulated the "''transfer of personal data''", not the transfer to an entity that is not governed by the GDPR.</ref> At the same time, however, the definition of the GDPR's territorial scope of application is explicitly uncoupled from the question of whether the processing 'takes place in the Union or not' (cf. Art. 3(1)).
<references />


==Decisions==
==Decisions==

Latest revision as of 10:34, 29 October 2024

Article 1: Subject-matter and objectives
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text

Article 1: Subject-matter and objectives

1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

Relevant Recitals

Recital 1: The Right to Data Protection as a Fundamental Right
The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.

Recital 2: Respect of Fundamental Rights and Freedoms
The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.

Recital 3: Directive 95/46/EC Harmonisation Goal
Directive 95/46/EC of the European Parliament and of the Council seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States.

Recital 4: Balance Against Other Fundamental Rights
The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

Recital 5: Cross-Border Cooperation for the Exchange of Personal Data
The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows of personal data. The exchange of personal data between public and private actors, including natural persons, associations and undertakings across the Union has increased. National authorities in the Member States are being called upon by Union law to cooperate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State.

Recital 6: Technological Transformation to Ensure a High Level of Protection
Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.

Recital 7: Control Over Own Personal Data
Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.

Recital 8: National Implementation
Where this Regulation provides for specifications or restrictions of its rules by Member State law, Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of this Regulation into their national law.

Recital 9: Fragmentation under Directive 95/46/EC
The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.

Recital 10: Equivalent Level of Protection and Homogeneous Application
In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation. In conjunction with the general and horizontal law on data protection implementing Directive 95/46/EC, Member States have several sector-specific laws in areas that need more specific provisions. This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’). To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.

Recital 11: Strengthening of Rights and Enforcement
Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.

Recital 12: Article 16(2) TFEU Mandate
Article 16(2) TFEU mandates the European Parliament and the Council to lay down the rules relating to the protection of natural persons with regard to the processing of personal data and the rules relating to the free movement of personal data.

Commentary

Article 1 GDPR is mainly programmatic and sets out the general objectives of the GDPR. While this is relevant for the understanding and interpretation of the GDPR, Article 1 has limited legal relevance for controllers and data subjects in daily practice. The aims can function as guiding principles to interpreting the GDPR.[1]

(1) Subject-matter

Article 1(1) establishes the GDPR's two main aims. First, it aims at protecting natural persons with regard to the processing of their personal data, at the same time it recognizes the EU internal market interest in the free movement of such data. Both objectives are already named in the title of the GDPR.

Data protection and the free flow of data

The European Union is based on the idea of a common market, that provide for four freedoms, namely the free movement of goods, capital and people, as well as the freedom to establish and provide services. Different national data protection laws - or indeed the lack of such laws - would conflict with these freedoms. If Member States would, for example, prohibit the transfer of personal data to another Member State where there is no equivalent protection, trade between these Member States would be more complicated.

Example-icon.png

For example: If France would protect personal data, but Germany would not, the French protections could only be enforced if personal data would not leave France. Such national limitations would limit the European common market.

Consequently the GDPR aims to provide a common level of protection, allowing personal data to flow freely within the European common market.[2]

Limit to natural persons

Article 1(1) also clarifies that the GDPR applies to the processing of personal data concerning natural persons. It follows that the GDPR does not apply to the processing of data belonging to companies, public bodies or other legal entities.[3]

However, if data about a legal entity contains or relates to a natural person or a natural person engages in a professional activity, such data is still within the scope of the GDPR, as clarified by the CJEU in C-398/15 - Salvatore Manni.[4]

Example-icon.png

For example: If the 'Peter Smith Limited' company is wholly owned by Peter Smith, who is also the only manager of the company, information as to the revenue about 'Peter Smith Limited' can be directly linked to Peter Smith, making the GDPR applicable to such information. Equally, the email peter.smith@examplecompany.com that is used professionally by Peter Smith can be linked to Peter Smith and therefore relates to a natural person. It does not matter if this person acts in a commercial or private capacity.


You can find more details about the scope of the term 'personal data' under Article 4(1) GDPR.

Human rights approach

Non-EU citizens can rely on the GDPR as its application is generally independent of nationality.[5] This is also in line with Article 8 CFR ("Everyone has the right to the protection of personal data") as the right to data protection is a human right, that generally applies to all humans, not just EU citizens.

Example-icon.png

For example: A Chinese or South African citizen can generally be subject to the GDPR, as the right to data protection is a human right, not a citizen right.

While citizenship is not a factor in the GDPR, there are other geographic factors that limit the application of the GDPR. You can find further details about the territorial scope in Article 3 GDPR.

(2) Protection of fundamental rights and freedoms

According to Article 1(2), the Regulation generally protects the fundamental rights and freedoms of the individual as well as 'in particular' the right to the protection of personal data. Thus, the provisions of the GDPR on the protection of personal data seem to have two objectives. On the one hand, the protection of personal data - which may not come as a surprise. On the other hand, the legislator took the view that the protection of personal data also (indirectly) protects other 'fundamental rights and freedoms'.[6]

Case Law: In the joined cases C‑293/12 and C‑594/12 - Digital Rights Ireland - on so-called 'data retention' where communication metadata was stored for up to two year for criminal investigations, the CJEU held that "it is not inconceivable that the retention of the data in question might have an effect on... their exercise of the freedom of expression guaranteed by Article 11 of the Charter".

Protection of the fundamental right to data protection

Article 8(1) CFR provides for 'the right to the protection of personal data' of a natural person. Some requirements to the processing of data follow from Article 8(2) CFR, which explicitly mentions the principles of fairness and purpose limitation, as well as lawfulness.

Protection of other fundamental rights and freedoms

Another essential fundamental right that is clearly protected by the GDPR is the right to privacy in Article 7 CFR. This concerns the right to respect for 'private and family life' and 'communications' and is distinct from, and often broader than, the right to data protection in Article 8 CFR.

However, the fundamental rights and freedoms enshrined in Articles 7 and 8 of the CFR do not appear to be the only interests protected by the GDPR. Indeed, processing operations are able to impact other fundamental rights such as personality rights, freedom of expression, freedom of information, freedom of communication, the right of assembly, freedom of religion and other anti-discrimination rights.[7][8] The fundamental rights to privacy, personality and data protection are the backbone of a free society. There can be no freedom where the individual is not in control of their data, feels observed, tracked or continuously assessed.[9] Indeed, Recital 4 clearly states that “the processing of personal data should be designed to serve mankind”, not the opposite.

Example-icon.png

For example: A person may be only really free to vote, if the secrecy of the ballot is ensured. If a person is afraid that her political beliefs may become known to her employer, spouse or friends, she may not actually vote according to her true convictions.

The right to data protection can therefore be seen as an enabler for other fundamental rights. The protection of personal data often forms a precondition for the exercise of other fundamental rights.

Conflicts with other fundamental rights

Obviously the right to data protection can conflict with a range of other interests, such as the right to freedom of speech, commercial interests, public interests or security and safety interests.

Recital 4 accepts that the right to data protection has to be balanced against these other interests and fundamental rights, but also highlights that these other rights and interests were already taken into consideration when the GDPR was drafted. There is consequently no need to 'balance' the GDPR against other rights for a second time, as the GDPR is already the result of a political balancing of Article 8 CFR and other rights and interests.

Common mistakes-icon.png

Common mistake: Some lawyers argue that the GDPR would have to be 'balanced' with the right to conduct a business under Article 16 CFR. However, Article 16 CFR has a limited scope and e.g. ensures that everyone can open a business and can decide over business partners. There is also only a freedom to conduct a business 'in accordance with community law' - not in violation of community law (such as the GDPR).

While there is no general balancing test, the GDPR foresees specific flexible provisions, like the recognition of legitimate interests in Article 6(1)(f) GDPR which allows to balance conflicting rights e.g. in the case of fraud prevention or the need to enforce legal claims. There are also a number of opening clauses, like Article 85 on freedom of speech or Article 86 on freedom of information. In many cases Member States have the option to come up with legal requirements to process personal data in the public interest or restrict the GDPR insofar as these national laws are necessary and proportionate.[10]

Interpretation in light of fundamental rights

The fact that the GDPR implements the protection of fundamental rights in secondary legislation, also requires that the GDPR is interpreted in the light of these fundamental rights.

In C-311/18 - Schrems II on data transfers from the EU to the US, where secret services can access such personal data, the CJEU has highlighted that the GDPR must be interpreted in light of the CFR. This is not only limited to the right to data protection in Article 8 CFR and the closely related right to privacy in Article 7 CFR, but for example also includes the right to an effective remedy and to a fair trial under Article 47 CFR.[11]

CJEU-icon.png

"[T]he interpretation of EU law and examination of the legality of EU legislation must be undertaken in the light of the fundamental rights guaranteed by the Charter […]".

CJEU - C-311/18 - Schrems II, margin number 99..


This means that any interpretation of the GDPR that would disproportionally limit the right to data protection under Article 8 CFR could not be sustained. This also allows the application of the proportionality test under Article 52(1) CFR, which often leads to a clear answer when interpreting the GDPR.[12]

In its case law, the CJEU has also repeatedly stressed[13] that the GDPR (and the previous Directive 95/46/EC) is aiming for a "high level of protection".[14] This term was regularly used to convey a more protective interpretation of the GDPR by the CJEU, and is taken from Recitals 6 and 10 of the GDPR. Although conflicting views exist,[15] the approach that gives the right to data protection prevalence over other legally relevant interests is preferred by the CJEU,[16] in order to uphold the this high level of protection foreseen by the GDPR.

Existing CJEU case law contains useful examples of the current state of play. In the joined cases C‑293/12 and C‑594/12 - Digital Rights Ireland the CJEU has, for example, held that the prevention of terrorism does not allow the retention of meta data from phone records.[17]

Similarly, in other cases, public interest in financial transparency in the public sector was not seen to override the interest of employees[18] or recipients of subsidies.[19] While these judgments were mainly concerning public sector violations of Article 7 and 8 CFR, they seem to also apply to private actors, given that the GDPR must be interpreted in light of the CFR.

Example-icon.png

For example: If in the joined cases C‑293/12 and C‑594/12 - Digital Rights Ireland the CJEU prohibited governments to keep phone records to fight terrorism and serious crime, it seems hard to argue that private entities could claim a legitimate interest under Article 6(1)(f) GDPR for communication data for purposes that are even less serious. Such a legitimate interest would have to cross the red lines set in the CJEU case law, given that the GDPR must be interpreted in the light of Article 8 CFR.

(3) Free movement of personal data

Under Article 1(3) GDPR, the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons related to personal data protection. The provision is mainly aimed at Member States, which may have an interest to pass so-called data localization laws.

The free movement of personal data is limited to the Union, meaning the European Economic Area (EEA). The EEA includes all EU Member States, Iceland, Liechtenstein and Norway. The status of various special territories of EU Member States require additional checks, as some form part of the EEA, while others do not. The UK is not a Member State anymore.

Non-EU/EEA countries do not benefit from the free flow of personal data. In fact, the CJEU has set rather high standards for international data transfers.[20] The free flow of personal data is explicitly limited to the EEA. Rules on transfers to non-EU/EEA countries ('third countries') can be found in Chapter V of the GDPR.

Example-icon.png

For example: When a Czech controller is storing personal data with a Norwegian cloud provider, the companies do not have to worry about international data flows, because the GDPR prohibits limitations on such data flows. However, when a Spanish controller is using a Swiss provider, there needs to be an additional legal basis for these data flows.

There is an ongoing discussion on whether the free flow of personal data only protects data flowing between systems that are on EEA territory, or if systems on non-EEA territory - that are under the effective control of an EEA controller or processor - would still benefit from the free flow of personal data, given that the GDPR would still apply to them. The European Commission has recently taken an entity-based approach (focusing on the question of whether the controlling entity falls under the territorial scope in Article 3 GDPR), not a data-based approach (focusing on the question of whether the data is physically staying in the EEA).[21] The wording of the GDPR does not seem to support an entity-based approach.[22] At the same time, however, the definition of the GDPR's territorial scope of application is explicitly uncoupled from the question of whether the processing 'takes place in the Union or not' (cf. Art. 3(1)).

  1. Hornung and Spiecker in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 1 (Beck 2019) (accessed 2 September 2021).
  2. See Recital 10
  3. See Recital 14
  4. CJEU in C-398/15 - Salvatore Manni, paragraph 34 with further references.
  5. See Recital 2 GDPR
  6. Hornung and Spiecker in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 36 (Beck 2019) (accessed 2 September 2021).
  7. See Recital 4
  8. Hornung and Spiecker in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 40 (Beck 2019) (accessed 3 September 2021).
  9. Hornung et al, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 29 (Beck 2019) (accessed 2 September 2021).
  10. See for example Article 23 GDPR
  11. See for example CJEU in C-311/18 - Schrems II, paragraphs 99, 101, 105, 122, 137, 138, 140, 149, 161, 178, 198 or 199.
  12. See for example CJEU in C-311/18 - Schrems II, paragraphs 174, 178 and 185.
  13. See for example C-40/17 Fashion ID, paragraph 50, with further references to C‑101/01 Lindqvist, C‑524/06 Huber or C‑468/10 and C‑469/10 ASNEFF and FECEMD
  14. See Recital 6 and 10
  15. Scorza, in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 62 GDPR (Wolters Kluwer 2018).
  16. Hornung et al, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 28 (Beck 2019) (accessed 2 September 2021). In the same direction, Hijmans, in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 56 (Oxford University Press 2020).
  17. See CJEU in Joined Cases C‑293/12 and C‑594/12, Digital Rights Ireland
  18. See CJEU in C-465/00 Österreichischer Rundfunk.
  19. See CJEU in Joined Cases C-92/09 and C-93/09 Volker und Markus Schecke und Eifert.
  20. See for example CJEU in C-364/14 Schrems I and C-311/18 Schrems II.
  21. See Article 1(1) of Commission Implementing Decision (EU) 2021/914 and the European Commission's FAQs available at https://ec.europa.eu/info/sites/default/files/questions_answers_on_sccs_en.pdf, page 13.
  22. Article 1(3) GDPR focuses on the "movement of personal data within the Union", Article 44 GDPR equally regulated the "transfer of personal data", not the transfer to an entity that is not governed by the GDPR.

Decisions

→ You can find all related decisions in Category:Article 1 GDPR

References