Article 1 GDPR
|← Article 1: Subject-matter and objectives →|
Legal Text[edit | edit source]
Article 1: Subject-matter and objectives
1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
Relevant Recitals[edit | edit source]
Commentary[edit | edit source]
Article 1 GDPR draws a first general framework regarding the processing of personal data in Europe. Paragraph 1 defines the two main objectives of the Regulation which are, on the one hand, the protection of the individual's personal data and, on the other, the facilitation of the principle of the free movement of such data. Paragraph 2 enshrines the protection of the individual's fundamental rights and freedoms, especially if connected to their personal data. Finally, Paragraph 3 clarifies that the free movement of personal data may not be prohibited or restricted for reasons relating to the protection of personal data.
(1) Subject-Matter[edit | edit source]
Article 1(1) establishes the GDPR's two main aims. From one side, it aims at protecting natural persons with regard to the processing of their personal data. On the other side, it recognizes the EU internal market interest in the free movement of such data.
Data protection or free flow of data?[edit | edit source]
It seems clear that, at least on some occasions, the right to the protection of personal data may conflict with other freedoms, not only individual freedoms, such as the free movement of personal data. Although there is no uniformity of views, we feel we must adhere to the approach that gives the right to data protection prevalence over other interests that are also legally relevant.
In this regard, it has been convincingly noted that the fundamental rights of privacy, personality and data protection are to be classified as the backbone of the fundamental rights and freedoms of a free legal system and that there can be no freedom where the individual is not in control of their data, i.e. feels observed, tracked and continuously assessed. After all, Recital 4 itself clearly states that “The processing of personal data should be designed to serve mankind”, not the opposite.
Natural persons[edit | edit source]
Article 1(1) also clarifies that the GDPR applies to the processing of personal data concerning natural persons. It follows that the Regulation does not apply to the processing of data belonging to companies or other legal entities. Non-EU citizens can rely on the GDPR as its application is independent of nationality or place of residence (see, Recital 2).
(2) Protection of Fundamental Rights and Freedoms[edit | edit source]
The wording of Article 1(2) offers interesting insights into the protective scope of the GDPR. Indeed, according to this provision, the Regulation protects – in general – the fundamental rights and freedoms of the individual as well as – “in particular” - the right to the protection of personal data. Therefore, the provisions of the GDPR on the protection of personal data seem to have two objectives.
On the one side, they “simply” protect personal data, as it happens, for instance, in Article 35, which lays down the obligation to conduct a Data Protection Impact Assessment, or in Article 32 which stipulates the obligation to implement adequate technical and organizational safeguards regarding the processing. At the same time, though, the very same rules seem to be aimed at protecting other “fundamental rights and freedoms”.
The list of fundamental rights and freedoms protected by the GDPR is not defined. Certainly, reference can be made to the Charter of Fundamental Rights of the European Union (“the Charter”). The Charter, which is EU primary law, provides in Article 8(1) for “the right to the protection of personal data” of a natural person. Some requirements to the processing of this data follow from Article 8(2) of the Charter, which explicitly mentions the principles of fairness and purpose limitation, as well as states that processing must be pursuant to a lawful basis such as consent. Another essential reference seems to be Article 7 of the Charter, which concerns the right to respect for “private and family life” and “communications”.
However, the fundamental rights and freedoms enshrined in Articles 7 and 8 of the Charter do not appear to be the only interests protected by the GDPR. Indeed, processing operations are able to impact on other fundamental rights such as the right right of personality, freedom of expression, freedom of information, freedom of communication, the right of assembly, freedom of religion and other anti-discrimination rights.
(3) Free Movement of Personal Data[edit | edit source]
Under Article 1(3) GDPR, the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
This provision accepts that processing of personal data may be essential for certain economic activities and therefore becomes relevant to the functioning of the EU internal market, understood as an area of free trade of goods, services and capital. Consequently, the rule seems to say, where the use of personal data gives rise to the offer of a service, the data protection regulations cannot lead to a limitation in the provision of that service.
A particularly rigid reading of such provision could open the door to a proprietary conception of personal data. However, such an approach seems dogmatically incorrect, not only because our identity is not tradeable but also because it seems to conflict with the very logic of the GDPR, whose main purpose is precisely to control and eventually block the unconditional use of personal data. Indeed, all the provisions on the principles of processing (transparency, minimisation, fairness), legal bases, the rights of the data subject and the various obligations related to the security of processing seem to be unequivocally going in this direction.
Let us assume that a controller located in one European country X decides to outsource, under Article 28 GDPR, part of the processing to a processor located in another Member State. After a technical assessment, the controller concludes that the processor is unable to provide “sufficient safeguards to implement appropriate technical and organisational measures”. The transfer of data in this case will not take place precisely for reasons related to data protection law. In this sense, the text of Article 1(3) GDPR does not seem sufficiently precise.
It is therefore necessary to provide in paragraph 3 a systematic interpretation in the light of which the free movement of personal data cannot be limited or restricted outside the cases expressly provided for by the GDPR and any other applicable European or national law.
Article 1(3) also facilitates the harmonization of data protection across EU, as well as Iceland, Liechtenstein and Norway as part of the European Economic Area (EEA). Restrictions to transfers to non-EU/EEA countries (third countries) follow from Chapter V GDPR.
Decisions[edit | edit source]
→ You can find all related decisions in Category:Article 1 GDPR
References[edit | edit source]
- Scorza, in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 62 GDPR (Wolters Kluwer 2018).
- Hornung et al, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 28 (Beck 2019) (accessed 2 September 2021).
- Hornung et al, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 29 (Beck 2019) (accessed 2 September 2021).
- Hornung and Spiecker in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 1 (Beck 2019) (accessed 2 September 2021).
- Hornung and Spiecker in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 36 (Beck 2019) (accessed 2 September 2021).
- The impact of the Charter on the drafting of the GDPR can be observed from the changes made to the draft version of Article 6(4) GDPR following criticism from the Working Party 29. The Council had proposed that a controller could further process data, even if the purpose of the processing was incompatible with the original purpose, as long as the controller had an overriding interest – something the Working Party 29 objected to by pointing out that the principle of purpose limitation is part of primary law. See, Article 29 Data Protection Working Party, "Press release on Chapter II of the draft regulation for the March JHA Council", Press Release, 17 March 2015 (available here)
- Hornung and Spiecker in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 40 (Beck 2019) (accessed 3 September 2021).