Article 1 GDPR: Difference between revisions

From GDPRhub
No edit summary
(14 intermediate revisions by 3 users not shown)
Line 196: Line 196:
==Relevant Recitals==
==Relevant Recitals==
<span id="r1">
<span id="r1">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 1:''' Data Protection as a Fundamental Right</div>
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 1:''' Data protection as a fundamental right</div>
<div class="mw-collapsible-content">
<div class="mw-collapsible-content">
The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.
The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.
Line 202: Line 202:


<span id="r2">
<span id="r2">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 2:''' Respect of the Fundamental Rights and Freedoms</div>
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 2:''' Respect of fundamental rights and freedoms</div>
<div class="mw-collapsible-content">
<div class="mw-collapsible-content">
The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.
The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.
Line 208: Line 208:


<span id="r3">
<span id="r3">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 3:''' Directive 95/46/EC Harmonisation</div>
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 3:''' Directive 95/46/EC </div>
<div class="mw-collapsible-content">
<div class="mw-collapsible-content">
Directive 95/46/EC of the European Parliament and of the Council¹ seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States.
Directive 95/46/EC of the European Parliament and of the Council¹ seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States.
Line 214: Line 214:


<span id="r4">
<span id="r4">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 4:''' Data Protection in Balance with Other Fundamental Rights</div>
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 4:''' Balancing data protection against other fundamental rights</div>
<div class="mw-collapsible-content">
<div class="mw-collapsible-content">
The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.
The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.
Line 220: Line 220:


<span id="r5">
<span id="r5">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 5:''' Cooperation Between Member States to Exchange Personal Data</div>
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 5:''' Cooperation and exchange of personal data between national authorities  </div>
<div class="mw-collapsible-content">
<div class="mw-collapsible-content">
The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows of personal data. The exchange of personal data between public and private actors, including natural persons, associations and undertakings across the Union has increased. National authorities in the Member States are being called upon by Union law to cooperate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State.
The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows of personal data. The exchange of personal data between public and private actors, including natural persons, associations and undertakings across the Union has increased. National authorities in the Member States are being called upon by Union law to cooperate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State.
Line 226: Line 226:


<span id="r6">
<span id="r6">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 6:''' Ensuring a High Level of Data Protection Despite the Increased Exchange of Data</div>
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 6:''' Data protection in the context of technological developments and globalisation</div>
<div class="mw-collapsible-content">
<div class="mw-collapsible-content">
Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.
Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.
Line 232: Line 232:


<span id="r7">
<span id="r7">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 7:''' The Framework is Based on Control and Certainty</div>
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 7:''' Strong and coherent data protection framework</div>
<div class="mw-collapsible-content">
<div class="mw-collapsible-content">
Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.
Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.
Line 238: Line 238:


<span id="r8">
<span id="r8">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 8:''' Adoption into National Law</div>
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 8:''' Adoption into national law</div>
<div class="mw-collapsible-content">
<div class="mw-collapsible-content">
Where this Regulation provides for specifications or restrictions of its rules by Member State law, Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of this Regulation into their national law.
Where this Regulation provides for specifications or restrictions of its rules by Member State law, Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of this Regulation into their national law.
Line 244: Line 244:


<span id="r9">
<span id="r9">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 9:''' Different Standards of Protection by the Directive 95/46/EC</div>
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 9:''' Fragmented implementation of Directive 95/46/EC</div>
<div class="mw-collapsible-content">
<div class="mw-collapsible-content">
The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.
The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.
Line 250: Line 250:


<span id="r10">
<span id="r10">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 10:''' Harmonised Level of Data Protection Despite National Scope</div>
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 10:''' Homogeneous application and member states' margin of manoeuvre</div>
<div class="mw-collapsible-content">
<div class="mw-collapsible-content">
In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation. In conjunction with the general and horizontal law on data protection implementing Directive 95/46/EC, Member States have several sector-specific laws in areas that need more specific provisions. This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’). To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.
In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation. In conjunction with the general and horizontal law on data protection implementing Directive 95/46/EC, Member States have several sector-specific laws in areas that need more specific provisions. This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’). To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.
Line 256: Line 256:


<span id="r11">
<span id="r11">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 11:''' Harmonisation of the Powers and Sanctions</div>
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 11:''' Rights, obligations, and enforcement powers</div>
<div class="mw-collapsible-content">
<div class="mw-collapsible-content">
Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.
Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.
Line 262: Line 262:


<span id="r12">
<span id="r12">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 12:''' Authorization of the European Parliament and the Council</div>
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 12:''' TFEU</div>
<div class="mw-collapsible-content">
<div class="mw-collapsible-content">
Article 16(2) TFEU mandates the European Parliament and the Council to lay down the rules relating to the protection of natural persons with regard to the processing of personal data and the rules relating to the free movement of personal data.
Article 16(2) TFEU mandates the European Parliament and the Council to lay down the rules relating to the protection of natural persons with regard to the processing of personal data and the rules relating to the free movement of personal data.
Line 268: Line 268:


==Commentary==
==Commentary==
===(1) Subject-matter===
===Subject-matter (Article 1(1))===
The GDPR has two main aims: (i) the protection of natural persons with regard to the [[Article 4 GDPR#2|processing]] of their [[Article 4 GDPR#1|personal data]], and (ii) the free movement of personal data. It can therefore function as a guiding principle to the interpretation of the GDPR together with the principles found in [[Article 5 GDPR|Article 5]].  
Article 1(1) establishes the GDPR's two main aims: (i) the protection of natural persons with regard to the [[Article 4 GDPR#2|processing]] of their [[Article 4 GDPR#1|personal data]], and (ii) the free movement of personal data. These aims can function as guiding principles to interpreting the GDPR, together with those found in [[Article 5 GDPR|Article 5]].  


It follows from the definition of personal data (→ see [[Article 4 GDPR|Article 4]]) that the GDPR applies to the processing of data concerning "natural persons". Processing data concerning a business normally falls outside the scope of the GDPR.
Article 1(1) and Article 4(1) also clarify that the GDPR applies to the processing of personal data concerning ''natural'' persons. It does not apply to the processing of data belonging to companies or other legal entities.


===(2) Protecting fundamental rights===
===Protecting fundamental rights (Article 1(2)) ===
The right to the protection of personal data is specifically mentioned in paragraph 2. This general statement is operationalized in the more specific articles throughout GDPR, for example in [[Article 35 GDPR|Article 35]], which lays down the obligation to conduct a Data Protection Impact Assement. The obligation to implement adequate technical safeguards to protect personal data can be found in [[Article 32 GDPR|Article 32]]. The rights provided in Chapter III can also be seen as a prerequisite for natural persons to ensure that their fundamental rights are being respected.
Article 1(2) specifically states that the GDPR protects natural persons' fundamental right to the protection of personal data. This is operationalized in the more specific articles throughout GDPR, for example in [[Article 35 GDPR|Article 35]], which lays down the obligation to conduct a Data Protection Impact Assessment. The obligation to implement adequate technical safeguards to protect personal data can be found in [[Article 32 GDPR|Article 32]]. The rights provided in Chapter III can also be seen as a prerequisite for natural persons to ensure that their fundamental rights are being respected.


====Fundamental rights====
The fundamental right of a natural person to the protection of their personal data can be found in Article 8 of the Charter of Fundamental Rights of the European Union ('the Charter')<ref>https://fra.europa.eu/en/charterpedia/article/8-protection-personal-data</ref> and Article 8 of the European Convention on Human Rights.<ref>https://echr.coe.int/Documents/Convention_ENG.pdf</ref>


The fundamental rights of a natural person to the protection of their personal data can be found in Article 8 EU Charter of Fundamental Rights<ref>https://fra.europa.eu/en/charterpedia/article/8-protection-personal-data</ref> and Article 8 of the European Convention on Human Rights.<ref>https://echr.coe.int/Documents/Convention_ENG.pdf</ref>
The Charter, which is EU primary law, provides in Article 8(1) for “the right to the protection of personal data” of a natural person. Some requirements to the processing of this data follow from Article 8(2) of the Charter, which explicitly mentions the principles of fairness and purpose limitation, as well as states that processing must be pursuant to a lawful basis such as consent.  


The Charter, which is primary law, provides in Article 8(1) for “the right to the protection of personal data” of a natural person.  
The impact of the Charter on the drafting of the GDPR can be observed from the changes made to the draft version of [[Article 6 GDPR#4|Article 6(4)]] following criticism from the Article 29 WP. The Council had proposed that a [[Article 4 GDPR#7|controller]] could further process data, even if the purpose of the processing was incompatible with the original purpose, as long as the controller had an overriding interest – something the Article 29 WP objected to by pointing out that the [[Article 5 GDPR#1b|principle of purpose limitation]] is part of primary law. <ref>Article 29 Data Protection Working Party, [https://ec.europa.eu/justice/article-29/press-material/press-release/art29_press_material/2015/20150317__wp29_press_release_on_on_chapter_ii_of_the_draft_regulation_for_the_march_jha_council.pdf "Press release on Chapter II of the draft regulation for the March JHA Council"], ''Press Release'', 17 March 2015</ref>


Some requirements to the processing of this data follows from Article 8(2) EU Charter of Fundamental Rights, where the principles of fairness and purpose limitation are explicitly mentioned, and that the processing must be pursuant to a lawful basis, for instance consent.  
Data protection pursuant to Article 8 of the Charter is closely connected to Article 7 of the Charter, which concerns the right to respect for “private and family life” and “communications”.


The importance of the Charter on the drafting of the GDPR can be observed from the changes made to the draft version of [[Article 6 GDPR#4|Article 6(4)]] following criticism from the Article 29 WP. The Council had proposed that a [[Article 4 GDPR#7|controller]] could further process data, even if the purpose of the processing was incompatible with the original purpose, as long as the controller had an overriding interest – something the Article 29 WP objected to by pointing out that the [[Article 5 GDPR#1b|principle of purpose limitation]] is part of primary law. <ref>Article 29 Data Protection Working Party, [https://ec.europa.eu/justice/article-29/press-material/press-release/art29_press_material/2015/20150317__wp29_press_release_on_on_chapter_ii_of_the_draft_regulation_for_the_march_jha_council.pdf "Press release on Chapter II of the draft regulation for the March JHA Council"], ''Press Release'', 17 March 2015</ref>
===Free movement of personal data (Article 1(3))===
The requirement for the free movement of personal data within the EU reflects the aim of European integration. Article 1(3) recognizes that personal data is part of the European single market and that personal data is a good that can be traded. It aims to facilitate the trading of personal data in the European single market, and is thus in line with the free movement of goods, capital, services and labour within the EU.


Data protection pursuant to Article 8 EU Charter is closely connected to Article 7 EU Charter, which concerns the right to respect for “private and family life” and “communications”.
Article 1(3) also facilitates the harmonization of data protection across EU, as well as Iceland, Liechtenstein and Norway as part of the European Economic Area (EEA). Restrictions to transfers to non-EU/EEA countries (third countries) follow from Chapter V GDPR.
 
→ ''See also [[Article 1 GDPR#r1|Recital 1]]''
 
→ ''See also [[Article 1 GDPR#r2|Recital 2]]''
 
===(3) Free movement of personal data===
The free movement of personal data may appear to reflect the purpose of European integration. It recognizes that personal data is part of the European single market and therefore personal data is considered to be a good that can be traded. The GDPR thus aims to facilitate the trading of personal data in the European single market. Article 1(3) is thus in line with the free movement of goods, capital, services and labour within the EU. Article 1(3) reflects the harmonization of data protection across EU, as well as Iceland, Liechtenstein and Norway as part of the European Economic Area (EEA). Restrictions to transfers to non-EU/EEA countries (third countries) follow from Chapter V.


==Decisions==
==Decisions==

Revision as of 13:45, 4 May 2021

Article 1: Subject-matter and objectives
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 1: Subject-matter and objectives

1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

Relevant Recitals

Recital 1: Data protection as a fundamental right

The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.

Recital 2: Respect of fundamental rights and freedoms

The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.

Recital 3: Directive 95/46/EC

Directive 95/46/EC of the European Parliament and of the Council¹ seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States.

Recital 4: Balancing data protection against other fundamental rights

The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

Recital 5: Cooperation and exchange of personal data between national authorities

The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows of personal data. The exchange of personal data between public and private actors, including natural persons, associations and undertakings across the Union has increased. National authorities in the Member States are being called upon by Union law to cooperate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State.

Recital 6: Data protection in the context of technological developments and globalisation

Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.

Recital 7: Strong and coherent data protection framework

Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.

Recital 8: Adoption into national law

Where this Regulation provides for specifications or restrictions of its rules by Member State law, Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of this Regulation into their national law.

Recital 9: Fragmented implementation of Directive 95/46/EC

The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.

Recital 10: Homogeneous application and member states' margin of manoeuvre

In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation. In conjunction with the general and horizontal law on data protection implementing Directive 95/46/EC, Member States have several sector-specific laws in areas that need more specific provisions. This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’). To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.

Recital 11: Rights, obligations, and enforcement powers

Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.

Recital 12: TFEU

Article 16(2) TFEU mandates the European Parliament and the Council to lay down the rules relating to the protection of natural persons with regard to the processing of personal data and the rules relating to the free movement of personal data.

Commentary

Subject-matter (Article 1(1))

Article 1(1) establishes the GDPR's two main aims: (i) the protection of natural persons with regard to the processing of their personal data, and (ii) the free movement of personal data. These aims can function as guiding principles to interpreting the GDPR, together with those found in Article 5.

Article 1(1) and Article 4(1) also clarify that the GDPR applies to the processing of personal data concerning natural persons. It does not apply to the processing of data belonging to companies or other legal entities.

Protecting fundamental rights (Article 1(2))

Article 1(2) specifically states that the GDPR protects natural persons' fundamental right to the protection of personal data. This is operationalized in the more specific articles throughout GDPR, for example in Article 35, which lays down the obligation to conduct a Data Protection Impact Assessment. The obligation to implement adequate technical safeguards to protect personal data can be found in Article 32. The rights provided in Chapter III can also be seen as a prerequisite for natural persons to ensure that their fundamental rights are being respected.

The fundamental right of a natural person to the protection of their personal data can be found in Article 8 of the Charter of Fundamental Rights of the European Union ('the Charter')[1] and Article 8 of the European Convention on Human Rights.[2]

The Charter, which is EU primary law, provides in Article 8(1) for “the right to the protection of personal data” of a natural person. Some requirements to the processing of this data follow from Article 8(2) of the Charter, which explicitly mentions the principles of fairness and purpose limitation, as well as states that processing must be pursuant to a lawful basis such as consent.

The impact of the Charter on the drafting of the GDPR can be observed from the changes made to the draft version of Article 6(4) following criticism from the Article 29 WP. The Council had proposed that a controller could further process data, even if the purpose of the processing was incompatible with the original purpose, as long as the controller had an overriding interest – something the Article 29 WP objected to by pointing out that the principle of purpose limitation is part of primary law. [3]

Data protection pursuant to Article 8 of the Charter is closely connected to Article 7 of the Charter, which concerns the right to respect for “private and family life” and “communications”.

Free movement of personal data (Article 1(3))

The requirement for the free movement of personal data within the EU reflects the aim of European integration. Article 1(3) recognizes that personal data is part of the European single market and that personal data is a good that can be traded. It aims to facilitate the trading of personal data in the European single market, and is thus in line with the free movement of goods, capital, services and labour within the EU.

Article 1(3) also facilitates the harmonization of data protection across EU, as well as Iceland, Liechtenstein and Norway as part of the European Economic Area (EEA). Restrictions to transfers to non-EU/EEA countries (third countries) follow from Chapter V GDPR.

Decisions

→ You can find all related decisions in Category:Article 1 GDPR

References