Protection of Personal Data Regulation and Public Liberties: A Polyhedron With Unexpected Effects

Ana Neves (School of Law, University of Lisbon, Portugal)
DOI: 10.4018/978-1-5225-9489-5.ch001

Abstract

Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data is much more than a personal data regulation. It has a wide range of impacts of different kinds: substantive, procedural, and organisational. In each of these dimensions, what is at stake is personal autonomy and the equilibrium of the relationship between individuals and those processing their data, hence the centrality that individual rights over their own data shall have. Nonetheless, the access, the flow, and the free movement of information, including personal data, are the essential foundations of a free and democratic society in which the freedoms and rights of individuals are guaranteed. Despite having the necessary premises to guarantee it, the GDPR carries the risk of being used by public authorities to condition the space for public freedoms.

Introduction

The Regulation 2016/679 (GDPR) lays down rules on the protection of natural persons with regard to the processing of personal data and on the free movement of such data within the European Union. It intends to achieve a common protection of fundamental rights and freedoms of natural persons, in particular of their right to the protection of personal data, and to guarantee the free flow of data within the European Union (e.g., Recitals (1) and (2) and Article 1 of GDPR). On the one hand, it stresses the rights of data subjects that enable them to have more control over their own personal data, reducing power and information asymmetries between ordinary citizens and those who control the processing of their personal data (Orla Lynskey, 2020, p. 82). On the other hand, it specifies the obligations of those who process or determine the processing of personal data and reinforces the compliance and enforcement framework (e.g., Recital (11)).

However, the GDPR is much more than a personal data regulation. It has a wide range of impacts of a diverse nature: substantive, procedural and organisational. Processing of personal data takes place in different dimensions of individuals' lives, on various grounds and in different ways. It intertwines with rights that enable people to have a value as a human being in public and social life, like the right to freedom of expression and information, the right to freedom of peaceful assembly and to freedom of association, and freedom of thought, conscience and religion. It is about the protection of fundamental rights and freedoms of natural persons, mobilised either within the same protective framework or as competitors. This aspect is highlighted by the GDPR and it renews the need to discuss the scope of the right to data protection. It also justifies renewed attention to some classic categories of law disciplines, such as responsibility and consent.

The GDPR involves organisational changes. These relate to the monitoring and enforcement architecture of personal data regulation, to the internal organisation of controllers and processors and to the collaborative governance regime (Kaminski, 2019, p. 195) that it involves. The GDPR also implies procedural modifications related to the way personal data are processed in the light of its structural principles and to the exercise of procedural rights, like the right to rectification or the right to erasure. The organisational and procedural aspects are designed to guarantee the protection of personal data, but they correspondingly shape the guarantee of the right of data protection, the balancing with other rights, and also the way to understand it.

The present study aims to highlight the cross-cutting effect of the GDPR, its triple and interrelated substantive, procedural and organisational impacts, and how considering these is important to understand the right to the protection of personal data and to safeguard the exercise of fundamental rights and freedoms. Firstly, the main differences between the GDPR and the repealed Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (DPD) are outlined. Then, organisational and procedural aspects are considered, stressing their role towards the substantive dimension of data protection. Thirdly, the focus is on the substantive aspects, mainly looking at the GDPR's clarification of the nature of the right to protection of personal data, and at the relevance of its core principles. Both are an important tool for the protection of fundamental rights and freedoms of natural persons.
