GDPR Subject-Matter and Objectives

This content is specifically about the introductory provisions establishing the subject-matter and objectives of the GDPR, which is a distinct topic from general scope/definitions that deserves its own classification for regulatory framework documentation.

Overview

Legal Framework

Article 1 GDPR establishes the Regulation's subject-matter and objectives. It provides the legal framework for protecting fundamental rights and freedoms of natural persons, in particular the right to the protection of personal data, and for ensuring the free flow of personal data within the Union. The article sets out two primary aims: to protect these fundamental rights and to prevent restrictions on the free movement of data based on protection grounds, thereby harmonizing the level of protection across the EU. This dual objective addresses the fragmentation and legal uncertainty identified under the previous Directive, as noted in Recital 9.

Practical Application

The practical application of these objectives requires balancing data protection with other legal duties and fundamental freedoms. Case law clarifies the boundaries of this balancing act. For instance, the Digital Rights Ireland judgment confirms that any obligation to retain data constitutes an interference with private life rights under Article 7 of the Charter of Fundamental Rights (CFR), requiring strict necessity and proportionality assessments. Conversely, the Worten case demonstrates that processing can be lawful when necessary for compliance with a specific legal obligation, such as national labor laws, provided access is restricted to competent monitoring authorities. The commentary from Tekst & Commentaar further refines key concepts underpinning these objectives, noting, for example, that while 'criminal data' is not classified as 'special category data,' it is subject to similarly strict provisions, and that the term 'racial data' should be interpreted without accepting theories of distinct human races.

Key Considerations

  • Harmonization vs. National Law: While the GDPR seeks uniformity, ensure compliance with any specific national legal obligations that mandate processing, as these can provide a lawful basis under Article 6(1)(c), subject to proportionality tests established in case law like Worten.
  • Interference Assessment: Any systematic processing, especially involving state authority access or data retention, constitutes an interference with fundamental rights. Justifying such processing requires a documented, specific assessment of necessity and proportionality, referencing standards from rulings like Digital Rights Ireland.

Laws (21)

Case Law (10)

UNABHÄNGIGES LANDESZENTRUM FÜR DATENSCHUTZ SCHLESWIG-HOLSTEIN v. WIRTSCHAFTSAKADEMIE SCHLESWIG-HOLSTEIN GmbH

Wirtschaftsakademie

Joint controllers: The administrator of a fan page hosted on Facebook is a controller as it is “taking part, by its definition of parameters depending in particular on its target audience and the objectives of managing and promoting its activities, in the determination of the purposes and means of processing the personal data of the visitors to its fan page.” The fact that an administrator uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it fr

Peter Puškár v Finančné riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej správy

Puškár

Lawful Basis (Public Interest): Article 7(e) Directive 95/46 must be interpreted as not precluding the processing of personal data by the authorities of a Member State for the purpose of collecting tax and combating tax fraud such as that effected by drawing up the contested list in the main proceedings, without the consent of the data subjects, “provided that, first, those authorities were invested by the national legislation with tasks carried out in the public interest within the meaning of t

Data Protection Commissioner v. Schrems and Facebook

Schrems I

Necessity/proportionality: The Decision does not contain any finding regarding US rules intended to limit the interference when they pursue legitimate objectives such as national security, nor refer to effective legal protection against such interference. FTC procedures and private dispute resolution mechanisms concern compliance with safe harbor principles (against US organizations) and cannot be applied with respect to measures originating from the State. Moreover, the Commission found that if

DIGITAL RIGHTS IRELAND LTD V. IRELAND

Digital Rights Ireland

Article 7 CFR: The obligation on providers of publicly available electronic communications services or public communications networks to retain data relating to a person’s private life and his communications in itself constitutes an interference with Article 7. Access of competent national authorities to the data constitutes a further interference with that right. Any limitation on the exercise of rights and freedoms laid down by the CFR must be provided by law, respect their essence and, subjec

WORTEN-EQUIPAMENTOS PARA O LAR SA V. ACT (AUTHORITY FOR WORKING CONDITIONS), 30.5.2013 (“WORTEN”)

Worten

Necessity/proportionality: Collection and processing of personal data contained in the record of working time to ensure compliance with national legislation relating to working conditions is lawful if it is necessary for compliance with a legal obligation to which the controller is subject. Access should be granted only to authorities having powers of monitoring compliance with legal requirements. An obligation to provide immediate access to the record could be necessary if it contributes to the

DENNEKAMP V. EUROPEAN PARLIAMENT, 23.11.2011 (“DENNEKAMP I”)

Dennekamp I

Balancing fundamental rights: Regulation 1049/2001 (access to documents) and Regulation 45/2001 (data protection) do not contain any provisions granting one primacy over the other, therefore full application of both should, in principle, be ensured. (¶¶ 23-24)

V & EDPS v. EUROPEAN PARLIAMENT

V. v. Parliament

Article 8 (Respect for Private Life) of the ECHR: Article 8 ECHR on private life relates to a fundamental right which covers the right to secrecy of one’s medical state. The transfer of that data to a third party, even another EU institution, is an interference with that right, whatever the final use. Such interference may be justified if it is “in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of t

VOLKER UND MARKUS SCHECKE GBR V. LAND HESSEN, EIFERT V. LAND HESSEN AND BUNDESANSTALT FÜR LANDWIRTSCHAFT UND ERNÄHRUNG, 9.Nov.2010 (“SCHECKE”)

Schecke

Interference with the fundamental rights of privacy and data protection: Charter of Fundamental Rights (CFR) Article 52(1) accepts that limitations may be imposed on fundamental rights, as long as they are provided by law, respect the essence of those rights and are proportionate (necessary and genuinely meet objectives of general interest recognized by the EU or the need to protect the rights and freedoms of others). The CJEU concluded that by imposing an obligation to publish personal data rel

COMMISSION V. GERMANY, 9.Mar.2010 (“GERMANY”)

Germany

Independence of Supervisory Authorities: Independence means a status which ensures that the body concerned can act completely freely, without taking any instructions or being put under any pressure. The requirement of independence does not only concern the relationship between the supervisory authorities and the bodies subject to that supervision. The adjective “complete” implies a decision-making power independent of any direct or indirect external influence on the supervisory authority. DPAs m

RECHNUNGSHOF V. ÖSTERREICHISCHER RUNDFUNK, 20.5.2003 (“RUNDFUNK”)

Rundfunk

Direct applicability of Directive 95/46: Wherever provisions of a directive appear to be unconditional and sufficiently precise, they may, in the absence of implementing measures adopted within the prescribed period, be relied on against any incompatible national provision, or insofar as they define rights which individuals are able to assert against the State. (¶ 98)

Guidance (53)

Guidelines 02/2022 on the application of Article 60 GDPR

guidelines on the application of Article 60 GDPR

One of the most important innovations when the GDPR was introduced was the concept of the 'one-stop-shop mechanism'. In cases of cross-border processing, the supervisory authority in the Member State of the main establishment of the controller or processor is the authority that leads enforcement of the GDPR with regard to the cross-border processing activities in question. It does so in cooperation with all authorities that the consequences...

Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility-related applications

guidelines connected vehicles

Version history

guidelines transfers of personal data between public authorities and bodies inside and outside the EEA

Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement

guidelines use of facial recognition in law enforcement

More and more law enforcement agencies are using or intend to use facial recognition technology. The technology can be used to authenticate or identify a person and can be applied to videos (e.g. CCTV) or photos, but also for other purposes, including searching for persons on police watch lists or tracking a person's movements in public space. Facial recognition technology is based...

Guidelines 1/2019 on codes of conduct and monitoring bodies under Regulation 2016/679

guidelines codes of conduct and monitoring bodies

Version history

guidelines data breach notification

Guidelines 3/2022 on recognising and avoiding deceptive design patterns in social media platform interfaces

guidelines deceptive design patterns

These guidelines offer practical recommendations to social media providers as controllers of social media, and to designers and users of social media platforms, on assessing and avoiding so-called 'deceptive design patterns' in social media interfaces that infringe the requirements of the GDPR. To that end, the EDPB recommends that controllers make use of interdisciplinary teams, consisting of, among others, designers, func...

Guidelines 02/2021 on virtual voice assistants

guidelines on virtual voice assistants

A virtual voice assistant (VVA) is a service that understands and executes voice commands, or where necessary acts as an intermediary to other IT systems. Nowadays a VVA is available as an option on most smartphones, tablets and regular computers and, for some years now, even on standalone devices such as smart speakers. A VVA functions as a link between the user and their device or an online service such as a search engine...

VERSION HISTORY

binding corporate rules for controllers

Version history

guidelines accreditation

Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679

guidelines derogations under Article 49

Guidelines 8/2022 on identifying a controller or processor's lead supervisory authority

guidelines identifying the lead supervisory authority

Guidelines 10/2020 on restrictions under Article 23 GDPR

guidelines restrictions on data subject rights

Guidelines 04/2022 on the calculation of administrative fines under the GDPR

guidelines calculating administrative fines

The European Data Protection Board (EDPB) has adopted these guidelines with a view to harmonising the methodology that supervisory authorities use to calculate the amount of the fine. These guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679 (WP 253), which concern the circumstances in which a fine must be imp...

Guidelines 07/2022 on certification as a tool for transfers

Under Article 46 of the General Data Protection Regulation (GDPR), data exporters must provide appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR sets out the various appropriate safeguards that data exporters may use under Article 46 to frame transfers to third countries, including by introducing certification as a new transfer mechanism (Article 42(2) and a...

Version history

Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679

Guidelines 04/2021 on codes of conduct as tools for transfers

Under Article 46 of the GDPR, controllers/processors must provide appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR sets out the various appropriate safeguards that organisations may use under Article 46 for transfers to third countries, including by introducing codes of conduct as a new transfer mechanism (Article 40(3) and Article 46(2), point ...

Guidelines 01/2021

Guidelines 04/2021 on Codes of Conduct as tools for transfers

Guidelines on codes of conduct and monitoring bodies

The GDPR requires in its Article 46 that controllers/processors shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by organisations under Article 46 for framing transfers to third countries by introducing amongst others, codes of conduct as a new transfer mechanism (articles 40-3 and 46-2-e). In this respect, as provi...

News (13)

EDPB identifies challenges hindering the full implementation of the right to erasure

Brussels, 18 February - The European Data Protection Board (EDPB) has adopted a report on its Coordinated Enforcement Framework (CEF) action on the right to be forgotten (Art.17 GDPR). The Board selected this topic as it is one of the most frequently exercised GDPR rights and one about which DPAs frequently receive complaints from individuals. The main objectives of this coordinated action are to ensure that the right to erasure is effectively exercised by individuals in Europe and understand ho

Young people contribute ideas on AP supervision

On European Privacy Day, 28 January, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) organised a session with young people. Representatives of various youth parties and associations visited the AP to talk about privacy topics that concern young people and young adults.

Legacy Switches: A Proposal to Protect Privacy, Security, Competition, and the Environment from the Internet of Things

Georgetown University Law Center researchers propose that every IoT device manufacturer build a switch into their devices that disables any smart feature that contributes to security or privacy risks. This will render a smart thermostat just a thermostat and a smart doorbell just a doorbell, and will disable microphones, sensors, and wireless connectivity. Any user should find it easy to use and easy to verify whether the switch has been toggled.

DMA and GDPR: EDPB and European Commission endorse joint guidelines to clarify common touchpoints

Brussels, 09 October - The European Data Protection Board (EDPB) and the European Commission endorsed joint guidelines on the interplay between the Digital Markets Act (DMA) and the General Data Protection Regulation (GDPR). These are the first joint guidelines by the Board and the European Commission. In line with its 2024-2027 Strategy and the recent Helsinki Statement’s objectives to make GDPR compliance easier and strengthen consistency, the EDPB has cooperated with the European Commission,

Artificial intelligence: the action plan of the CNIL

The main thing is: The CNIL has been undertaking work for several years to anticipate and respond to the issues raised by AI. In 2023, it will extend its action on augmented cameras and wishes to expand its work to generative AIs, large language models and derived applications (especially chatbots). Its action plan is structured around four strands: to understand the functioning of AI systems and their impact on people; enabling and guiding the development of privacy-friendly AI; federate and

An analysis of Dutch case law: what factors play a role in awarding (or not) and determining the extent of damages under the GDPR?

Since May 2018, the GDPR has been directly applicable in the European Economic Area, including the member states of the European Union, Liechtenstein, Norway, and Iceland. Four years later, awarding damages for GDPR violations is still not a common practice in the Netherlands, despite the fact that news reports regularly mention data breaches and other GDPR violations. This article analyzes Dutch case law over the past four years to see what factors may influence the awarding of damages under th

CJEU clarifies GDPR principles of purpose limitation and storage limitation

The purpose limitation principle does not preclude a controller from capturing and storing in a test database established for testing and error correction purposes personal data previously collected and stored in another database. However, such "further processing" of personal data must be compatible with the specific purposes for which the personal data were originally collected. The principle of storage limitation precludes the retention of personal data in that test database for longer than n

Overview of EU Strategy for Data: Digital Services Act

> The Digital Services Act was published in the Official Journal of the European Union Oct. 27. The DSA, which harmonizes conditions for the provision of intermediary services and increases transparency requirements for online intermediaries, will enter into force Nov. 16. In the latest installment of a multipart series, the IAPP Research and Insights team provides privacy professionals with an overview of the DSA, including the law's objectives, key requirements and enforcement.

EU-US Privacy Framework needs a long hard look

The Commission has endorsed enthusiastically a recent US order to implement a new framework to protect the privacy of personal data shared between the US and Europe. Dick Roche begs to differ. https://iapp.org/news/a/the-redress-mechanism-in-the-privacy-shield-successor-on-the-independence-and-effective-powers-of-the-dprc/

What Happened to the Risk-Based Approach to Data Transfers?

The GDPR incorporates the RBA for all obligations of the controller in the GDPR. Where the transfer rules are stated as obligations of the controller (rather than as absolute principles), the RBA of Article 24 therefore applies. Other than the DPAs assume, this is not contradicted by the ECJ in Schrems II nor by the EDPB recommendations on additional measures following the Schrems II judgment, according to Lokke Moerel, Professor of Global ICT Law at Tilburg University and a Dutch Cyber Security

Regulating the Risks of AI

> This Article observes that constructing AI harms as risks is a choice with consequences. Risk regulation comes with its own policy baggage: a set of tools and troubles that have emerged in other fields. Moreover, there are at least four models for risk regulation, each with divergent goals and methods. Emerging conflicts over AI risk regulation illustrate the tensions that emerge when regulators employ one model of risk regulation, while stakeholders call for another.

EU Court: data from which a person's sexual orientation can be indirectly inferred constitute sensitive data within the meaning of the GDPR

The processing of personal data that may indirectly reveal sensitive information about an individual, such as information about their sexual orientation, may qualify as processing of "special categories of personal data" within the meaning of the GDPR. The processing of such sensitive data is prohibited in principle. This is the EU Court's answer to questions from a Lithuanian judge.

EU Court: consumer protection associations may bring representative actions against infringements of the protection of personal data

An association representing consumer interests may bring a representative action against the alleged perpetrator of a personal data breach. A specific breach of a data subject's right to the protection of his or her personal data is not required to bring such a claim. In addition, such a claim can be brought independently of whether a data subject has given an order to do so. This is the EU Court's answer to questions from a German court.