Teisė ISSN 1392-1274 eISSN 2424-6050
2025, vol. 135, pp. 118–127 DOI: https://doi.org/10.15388/Teise.2025.135.7
Teisės aktualijos / Problems of Law
Rostyslav Prystai
ORCID iD: https://orcid.org/0000-0002-8980-1650
Graduate of the Law Faculty, Vilnius University
2nd year PhD student
Ivan Franko National University of Lviv
Sichovykh Striltsiv 14, 79017 Lviv, Ukraine
Tel.: +(370) 632 89255
E-mail: rostyslaw.law@gmail.com
Rostyslav Prystai
(Vilnius University (Lithuania))
(Ivan Franko National University of Lviv (Ukraine))
Summary. The institute of personal data protection currently functions as a relatively separate group of legal norms aimed at protecting rights related to the processing of personal data. The immediate object of its protection is personal data, hence the right to protection of personal data and the right to private life of a person which are in a close relationship. This relationship is expressed in the practice of national courts, ECHR, CJEU, etc., which interpret these rights differently (as lex specialis or equivalent rights). The Institute for the protection of personal data under GDPR also has its own characteristics and reflects the vision of the European legislator regarding their correlation and protection. However, the lack of scientific emphasis and the difficulty in defining the boundary and relationship between data protection and privacy still has an impact on law enforcement and creates a need for research of the institution of personal data protection. The article examines the peculiarities of data protection as a separate legal institution and its relationship with the privacy protection. The obtained results can be used for further scientific research and practical application.
Keywords: personal data protection, right to privacy, legal institution, General Data Protection Regulation.
Rostyslav Prystai
(Vilniaus universitetas (Lietuva))
(Lvivo nacionalinis Ivano Franko universitetas (Ukraina))
Santrauka. Asmens duomenų apsaugos institutas – gana atskira teisės normų grupė, kurios tikslas – ginti teises, susijusias su asmens duomenų tvarkymu. Tiesioginis jo apsaugos objektas yra asmens duomenys, taigi teisė į asmens duomenų apsaugą ir teisė į privatų gyvenimą artimus santykius palaikančio asmens. Šis santykis išreiškiamas nacionalinių teismų, EŽTT, ESTT ir kt. teisinių institucijų praktikoje, kurios šias teises interpretuoja skirtingai (kaip lex specialis arba lygiavertes teises). Asmens duomenų apsaugos pagal Bendrąjį duomenų apsaugos reglamentą (GDPR) institutas taip pat turi savo ypatybių ir atspindi Europos įstatymų leidėjo viziją dėl jų sąsajų ir apsaugos. Tačiau mokslinio akcentavimo trūkumas ir duomenų apsaugos bei privatumo ribos ir santykio apibrėžimo sunkumai vis dar turi įtakos teisėsaugai ir sukuria poreikį atlikti asmens duomenų apsaugos institucijos tyrimus. Straipsnyje nagrinėjami duomenų apsaugos, kaip atskiro teisės instituto, ypatumai ir jo santykis su privatumo apsauga. Gauti rezultatai gali būti panaudoti tolesniems moksliniams tyrimams ir praktiniam pritaikymui.
Pagrindiniai žodžiai: asmens duomenų apsauga, teisė į privatumą, teisinė institucija, Bendrasis duomenų apsaugos reglamentas.
____________
Received: 14/10/2024. Accepted: 31/03/2025
Copyright © 2025 Rostyslav Prystai. Published by Vilnius University Press
This is an Open Access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Personal data protection and the protection of the person’s private life (also known as the right to privacy – the two terms will be used interchangeably) are two types of legal activity that serve to protect the private life of a person1,2,3. In order to effectively ensure the common goal and, in particular, even despite it, data protection also possesses independent goals, and therefore its regulatory framework and actual implementation has a different embodiment. In practice, such differentiation may raise questions regarding the choice of the optimal way to protect the rights and interests of a person in case of personal data and/or privacy violation, as well as the proper and consistent application of the personal data, and privacy protection legislation by the courts.
Some problems that arise as a result of a misunderstanding of the legal nature and relationship of such institutes as personal data protection and the protection of the right to privacy are:
– incorrect choice of the body to whom the data subject appeals (e.g., filing an appeal to the national data protection authorities (DPAs) instead of bringing a claim to the court or vice versa);
– incorrect choice of the privacy/personal data protection strategy (e.g., filing an appeal to the court to protect a person’s private life by filing a claim for the protection of personal data (with a change of the object of protection and the formulation of claims);
– non-application of the legislation on the protection of personal data by the courts when deciding cases on the protection of a person’s private life where it is necessary (for example, the only application of civil legislation in cases where a violation of a person’s private life occurred as a result of an act that falls under the General Data Protection Regulation (hereinafter – GDPR), which makes it more difficult to find out the fact of violation of a person’s private life and ignores administrative responsibility of the controller or processor who violated the requirements of the GDPR)4;
– in other cases.
Therefore, in order to improve the quality of the law enforcement practice, a detailed study and description of the peculiarities of the personal data protection institution and relationship between the protection of personal data and privacy is necessary. Clear, unambiguous understanding of the distinctive features of personal data protection will help to properly explain the reasons and necessity for its different legal regulation, the rights and interests of the participants of legal relations, and therefore, to correctly determine the object of the protection in a specific case as well as the methods of such protection.
The object of the research is personal data protection as a legal institution.
The subject of the research focuses on the specific legal nature of data protection in relation to privacy protection, including its aim, applicability, theoretical and practical distinctions between them.
The aim of the article is the clarification of the legal nature of data protection institution and its interrelationship with privacy protection, its aim and applicability. To achieve the presently stated aim, the following tasks should be implemented:
– investigation of the formation of personal data protection as a separate institution of legal activity with the use of historical-legal research methodology;
– investigation of the modern institution of personal data protection within the EU for the presence of homogeneity of legal norms;
– investigation of the theoretical and practical features of personal data protection as separate conceptual phenomena with the use of descriptive and comparative methodology;
– description of the personal data institution’s independent or joint use with the institute of privacy (right to privacy, confidentiality of private life, etc.) protection.
According to the law theory, the institution of law should be understood as a system of relatively separate and interconnected legal norms that regulate a certain group (type) of homogeneous social relations (Skakun, 2001). These institutions of law may consist of legal norms of different branches, or be of inter-branch level, but their main purpose is to ensure continuous, relatively complete regulation of homogeneous relations. An example of such an institute is, in particular, the institute of personal data protection. In order to outline such features as the separation and homogeneity of a group of legal norms, we consider it expedient to firstly use the method of historical analysis to research and prove the specified features during the institution formation.
The history of the institute for the protection of personal data begins with the adoption of the Universal Declaration of Human Rights in 1948 and the European Convention on Human Rights (The official website of the European Parliament. Briefing...), which were designed to prevent the recurrence of the same situation as surveillance, control and intelligence services in Nazi Germany and the German Democratic Republic. It is worth mentioning that, as part of such illegal activities, the German authority relied on collaboration with people, and got it in the form of denouncers, who sought rewards for spying on and incriminating anyone who opposed the State ideology. Citizens also took advantage of the Government’s system to hurt their personal enemies (Freude, C.H. and Freude, T., 2016). This example allows us to formulate a certain thesis: not only the fact of privacy violation in the form of illegal use of personal data can cause harm to the person, but also personal data distortion itself carries risks for the data subject. Even as of today, despite the fact that there may be no violation of a person’s private life in a particular situation, improper processing of personal data, their modification, distortion, etc., can create risks for data subjects.
Such risks, in particular, are notably relevant in the framework of data processing automation and file system formation. Large accumulation and automation of processing of personal data is typical for activities related to the public sphere (provision of services, creation of registers and databases) and the private sphere (for example, provision of services), whereas the price of an error may have an important impact on the legal situation (and sometimes the further fate) of the data subject. The author believes that this is one of the main properties of personal data as an object of protection, which became the basis for distinguishing the institute of personal data protection as a separate activity. Thus, in 1970, the world’s first data protection act was adopted in the German state of Hessen; in 1974, the state of Rhineland-Palatinate followed; and, in 1977, the Federal Data Protection Act was passed. The legislation was meant to protect personal data “against abuse in their storage, transmission, modification and deletion (data processing)5”. Subsequently, in 1981, the Council of Europe adopted the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108)6, as we can see from the very wording used in Article 1 (Object and Purpose), notably, the purpose of adopting the Convention was specifically to create conditions for observing rights and freedoms (in particular, but not only the right to inviolability of a person’s private life) with regard to the automatic processing of personal data7.
The institute later found its continuation and development in the Data Protection Directive 95/46/EC8, which became the main EU legal instrument for personal data protection prior to the GDPR. As stated in Recital 10, 11 of the Directive, the object of the national laws on the processing of personal data “is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law. For this purpose, approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community”. The principles of the protection of the rights and freedoms of individuals, notably, the right to privacy, which are contained in this Directive, give substance to, and amplify those contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data. Thus, the purpose of the Directive was to expand the scope of protection of a person’s private life and other rights by developing a separate act which specifically regulates the protection of personal data.
We can observe that the institution of personal data protection in the 20th century was formed as a separate group of legal norms which were designed to protect personal data as a separate object of protection, along with other rights related to the processing of personal data, while emphasizing at the same time the protection of the right to privacy. The catalyst for the selection of separate legislation was technical progress, which revealed the special properties of data in the context of their impact on the rights of data subjects when processed by automated means9.
As of today, the institution of personal data protection also exists within the framework of separate legislation. At the EU level, the main acts of relevance are: the General Data Protection Regulation10, the Law Enforcement Directive11, Regulation on the protection of natural persons with regard to the processing of personal data by the Union institutions, offices and agencies and on the free movement of such data12, and the Directive concerning the processing of personal data and the protection of Privacy in the electronic communications sector13 (ePrivacy Directive). In order to distinguish the object of protection (as a criterion for determining the homogeneity of social relations related to the protection of personal data), its relative separation (partial independence) and interconnectedness, we shall outline the subject-matter and objectives of the specified acts in the form of a table (Table 1, see below).
Table 1. Subject matter, objective, and object of data protection acts
|
Normative act |
Subject-matter and objective |
Object |
|
GDPR |
Lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. |
The rights of natural persons with regard to the processing of personal data |
|
Regulation 2018/1725 |
Lays down rules relating to the protection of natural persons with regard to the processing of personal data by the Union institutions and bodies and rules relating to the free movement of personal data between them or to other recipients established in the Union. |
The rights of natural persons with regard to the processing of personal data by the Union institutions and bodies |
|
Law Enforcement Directive |
Lays down the rules relating to the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. |
The rights of natural persons with regard to the processing of personal data by competent authorities |
|
ePrivacy Directive |
Harmonises the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and, in particular, the right to privacy, with respect to the processing of personal data in the electronic communication sector. |
Fundamental rights and freedoms, and, in particular, the right to privacy, with respect to the processing of personal data in the electronic communication sector |
Thus, we can state the fact of the existence of a system of relatively separate and interconnected legal norms that regulate a certain group (type) of homogeneous (consisting of parts that are similar to each other or are the same14) social relations, which are aimed at protecting the rights of natural persons with regard to the processing of personal data within the EU.
Theoretical aspects. As we can see from the abovementioned legal acts, wordings regarding the purpose and social relations regulated make it possible to identify a certain uniformity of norms regulating the social relations related to the protection of personal data. Such uniformity, however, is not limited exclusively to the protection of a person’s private life based on the following factors:
1) the right to protect personal data includes: the right to protect information about a natural person from illegal access; the right to fair treatment of the data subject; the right to processing that is compatible with the purposes of the collection; the right to maintain accuracy and keep data up to date; the right to access data; the right to processing that ensures the security of personal data (protection against unauthorized or illegal processing and against accidental loss, destruction or damage), the right to apply to competent authorities for the purpose of protecting violated rights and interests, and other powers. By their nature, these powers are derived from the interests of the subjects of personal data, which at the same time a) contain the aspiration of the subject of personal data to privacy, autonomy, separation of one’s personal life from other subjects of legal relations; b) the desire of the data subject for proper handling of his personal data, which makes it impossible to take risks and further violation of his/her rights (the right to respect for human dignity, freedom of thought and conscience, freedom of worldview and religion, the right to health care, freedom of movement, property right, etc.15), as well as the desire for confidence in the latter, when a person is firmly convinced that the processing of his/her data will not lead to a violation of the specified interests;
2) the need for legal regulation of personal data protection in modern conditions has arisen on the basis of the introduction of automatic processing tools and large file systems and file cabinets, which, by their very nature, are a favorable environment for the violation of the rights of data subjects16. Such violations, in turn, would create an unfavorable economic environment within the EU market. Thus, the goal was to create a safe environment for personal data, which would have a positive impact on the economy of the Union. Directive 95/46/EC, and then the GDPR are aimed not only at directly protecting a person’s private life, but at creating an environment favorable to the protection of personal data, which consists in protecting personal data as the main object (its confidentiality, integrity and availability);
3) violation of the right to personal data protection, in itself, is not always a violation of the right to privacy. Thus, typical violations of the legislation on the protection of personal data include the use of insufficient technical and organizational measures to ensure information security. The use of improper measures creates risks for data leakage and possible violation of a person’s privacy, but, simultaneously, the privacy of the person is not yet affected in such cases. However, in this case, the right of a person to the protection of personal data is definitely violated, since there is an existing fact of inappropriate handling of personal information17.
Thus, legal protection in the sense of the EU legislation on data protection applies primarily to the personal data of a person, the processing of which may affect the realization of various categories of rights. This in no way negates the ultimate goal of protecting a person’s private life, but allows for the creation of an additional data protection mechanism which will protect both privacy and other rights and interests of data subjects. At the same time, we can observe that the institution of data protection developed objectively and temporally correctly in relation to social relations that arose in connection with the protection of personal data and the private life of a person. We agree that the protection of personal data as an institution, although aimed at protecting a person’s private life, is not limited to this goal, is more universal and should be distinguished as a separate institution of legal activity and an institution of legislation. We assume that the right to the protection of personal data in the context of automated processing can be distinguished as a separate phenomenon that is closely related to the right to privacy and cannot exist in isolation18.
We can observe that the protection of personal data as a legal institution has a secondary effect (protection of rights, freedoms and legitimate interests of data subjects in respect to the processing of personal data) and a primary effect (protection of rights, freedoms and legitimate interests of data subjects in the context of powers, which derive specifically from the right to data protection). The secondary effect clearly follows from the provisions of Article 1 of the Regulation, is extremely important, and cannot be carried out without ensuring the primary one, while the primary action is a direct consequence of the application of the GDPR norms and the legislation on the protection of personal data in the EU in general.
Both effects are ensured by the functioning of a specific system of material and procedural norms, which form the institution of personal data protection and are ensured by the activities of the relevant bodies. On the EU supranational level, these bodies, in particular, include: the European Commission, the European Data Protection Board (previously, Article 29 Working Party), and the European Data Protection Supervisor. On the domestic level, such bodies include: national data protection authorities, courts and data protection officers (DPOs).
Primary and secondary actions were the reason for the adoption of Regulation 2016/679. and for personal data protection legislation in general. However, in the context of automated data processing, the primary action was assumed to be directly applied, that is, the secondary effect must be achieved by implementing the primary one (this is the only way to protect personal data in the modern sphere and implement this protection, because the secondary action – the protection of privacy – is not always applicable to data protection, while data protection itself also serves another purpose).
The privacy protection sub-branch cannot fully accommodate the data protection institute, which is not only of a civil law nature, however, data protection as an institute can satisfy the needs of the civil law sub-branch (privacy protection) in full in the part that concerns protection of data (in particular, processed by automated means according to the GDPR). Therefore, the legislation on the protection of personal data is mainly applicable where relations by their nature require a primary effect, and where they require a secondary effect, the legislation on the protection of the right to private life may be applied (for example, provisions of the Civil Code) or the protection of privacy in interaction with data protection legislation (which depends on the applicability of the GDPR and similar national laws).
In cases where there are no automated data processing or filing systems, and when GDPR is not applicable, personal data is considered as a value and, as a consequence, the right to personal data protection cannot be ensured under the same normative regime (personal data protection institution under the GDPR). That is, horizontal relations between natural persons will be heavily affected (burdened) by such laws. Therefore, in such cases, GDPR provisions may be used only as principles/directions. At the same time, by their nature, powers which derive from the right to personal data protection cannot be fully secured by the common privacy protection legal norms while there exist personal data violations in horizontal relations. The legislative approach to establishing the protection of personal data in horizontal relations may consist of domestic judicial practice and interpretation of the right to privacy and personal data protection, or/and it may be based on domestic legislation on personal data protection, which shall establish specific rules which will allow to protect personal data separately from the right to privacy.
In order to correctly choose the method and strategy for the protection of privacy or personal data in each specific case, it is necessary to take into account the nature of the violation of personal data, its impact on data subject’s rights, in particular, privacy, and their relationship. It is also necessary to pay attention to the possibility of a lack of connection between a specific violation of privacy and the right to the protection of personal data, which is guaranteed by the General Data Protection Regulation. At the same time, the main criterion for the choice of a strategy by the data subject is the interest – it can be a necessity to urgently stop the violation, compensation for damages or another goal – and thus, in a procedure that at first glance is related to the protection of the private life of a person, it may be more profitable to file a complaint to DPA instead of filing a lawsuit and vice versa.
1) The Institute for the protection of personal data was historically formed as a separate group of legal norms that regulate the protection of personal data in connection with their automated processing, and it was formed simultaneously within the framework of various legal systems (European Union, member states, United Nations, the Council of Europe, OSCE, etc.);
2) The Institution for the protection of personal data currently exists as a group of legal norms that have a sufficient level of independence to define them as a separate institution and accommodate the legal activity which is not only a part of a sub-branch of civil law (based on the legal nature of rights to privacy and personal data protection);
3) The Institute for personal data protection has two directions of action, which are closely interrelated. The primary action serves to protect the right to personal data protection as a separate right, whereas the secondary action is aimed to protect rights and freedoms in respect to personal data processing. In this part, the personal data protection institution may have a character of lex specialis to the privacy protection institution. Two purposes, which are provided by the institute for the protection of personal data, make it useful both separately and in civil proceedings;
4) The interplay between personal data protection and the privacy rights underscores the need for distinct legal frameworks that address both automated and non-automated data processing contexts. Ultimately, the effectiveness of protecting personal data relies on strategic evaluation of the specific violation and the data subject’s interests, while ensuring that both data protection and privacy rights are adequately upheld.
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981). Council of Europe, Strasbourg [online]. Available at: https://rm.coe.int/1680078b37.
Charter of Fundamental Rights of the European Union (2000), Official Journal of the European Union, 2012/C 326/02.
The European Parliament and Council of the European Union, 2016, Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. Official Journal of the European Union, L 119/1 [online]. Available at: https://eur-lex.europa.eu/eli/reg/2016/679/oj.
The European Parliament and Council of the European Union, 2018, Regulation 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC. Official Journal of the European Union, L 295/39 [online]. Available at: https://eur-lex.europa.eu/eli/reg/2018/1725/oj.
The European Parliament and Council of the European Union, 1995, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal of the European Union, 31995L0046.
The European Parliament and Council of the European Union, 2016, Directive 2016/680 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. Official Journal of the European Union, L 119/89.
Federal Data Protection Act (BDSG), Germany (1977).
Nemzeti Adatvédelmi és Információszabadság Hatóság [CJEU], No. C-132/2, [12.01.2023], ECLI:EU:C:2023:2.
Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others [CJEU], No. C-293/12 and C-594/12, [08.04.2014], ECLI:EU:C:2014:238.
Decision of the Danish Data Protection Authority (Datatilsynet), 14.08.2024, Municipality of Vejen. GDPR Enforcement Tracker. Available at: https://www.enforcementtracker.com/ETid-2432.
Alvar, Freude, C.H., Freude, T. (2021). Echoes of History: Understanding German Data Protection, p. 85–91, Newpolitik.
Jurcys, P., Donewald, C., Fenwick, M., Lampinen, M., Smaliukas, A. (2020). Ownership of User-Held Data: Why Property Law Is The Right Approach. Harvard Journal of Law and Technology Digest [online]. Available at SSRN: https://ssrn.com/abstract=3711017
Skakun, O. F. (2001) Theory of the state and law: Textbook. 656 p. Kharkiv: Konsum.
The official website of th European Parliament. Briefing, EU policies – insights. European Union, 2020 [online]. Available at: https://www.europarl.europa.eu/RegData/etudes/BRIE/2020/651923.
Camridge Dictionary (2024). Definition of ‘Homogenity’, Cambridge University Press & Assessment.
|
Rostyslav Prystai obtained a Bachelor`s Degree in Law at the Ivan Franko National University of Lviv in 2021. In 2023, he obtained Master`s Degree in Law at the Ivan Franko National University of Lviv. In 2024, the author awarded a Master`s Degree in International and European Law at Vilnius University. The author started PhD studies at Lviv Ivan Franko National University, Faculty of Law. The main scientific interests of the author are: Personal Data & Privacy protection. Rostyslav Prystai 2021 m. įgijo teisės bakalauro, o 2023 m. – teisės magistro laipsnį Lvivo nacionaliniame Ivano Franko universitete. 2024 metais baigė tarptautinės ir Europos teisės magistro studijas Vilniaus universitete. Šiuo metu studijuoja Lvivo nacionalinio Ivano Franko universiteto Teisės fakulteto doktorantūroje. Pagrindinės autoriaus mokslinių interesų sritys – asmens duomenų ir privatumo apsauga. |
1 “In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data” (Art. 1 of Directive 95/46/EC).
2 “This Directive harmonises the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community” (Art.1 of Directive 2002/58/EC).
3 “The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects” (Rec. (75) of the Regulation (EU) 2016/679).
4 “The Budapest High Court asks the Court of Justice whether, in the context of reviewing the lawfulness of the decision of the national supervisory authority, it is bound by the final judgment of the civil courts concerning the same facts and the same alleged infringement, by the company concerned, of the GDPR. In addition, given that the parallel exercise of administrative and civil remedies could give rise to contradictory decisions, the Hungarian court seeks to ascertain whether one of those remedies might take priority over the other” (Judgment of the Court of Justice in Case C-132/2, Nemzeti Adatvédelmi és Információszabadság Hatóság).
5 Section 1 (1) of the Federal Data Protection Act, 1977.
6 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981). Strasbourg [online]. Available at: https://rm.coe.int/1680078b37.
7 The purpose of this Convention is “to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him (‘data protection’)” (Art. 1 of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data).
8 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [online]. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31995L0046.
9 Today, the specifics of personal data became even more complex and may be also considered as a property right, which opens news possibilities and options for its protection. See Jurcys, P.; Donewald, C.; Fenwick, M.; Lampinen, M.; Smaliukas, A. (2020). Ownership of User-Held Data: Why Property Law Is the Right Approach. Harvard Journal of Law and Technology Digest [online]. Available at SSRN: https://ssrn.com/abstract=3711017.
10 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Available at: https://eur-lex.europa.eu/eli/reg/2016/679/oj.
11 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA [online]. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016L0680.
12 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Text with EEA relevance) [online]. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018R1725.
13 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [online]. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002L0058.
14 Cambridge Dictionary (2024). Definition of ‘Homogeneity’ and ‘Assessment’. Cambridge University Press.
15 “The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular, the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity” (Rec. (4) of the GDPR).
16 “Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data” (Rec. (6) of the GDPR).
17 Decision of the Danish Data Protection Authority (Datatilsynet), 14.08.2024, Municipality of Vejen. GDPR Enforcement Tracker. Available at: https://www.enforcementtracker.com/ETid-2432.
18 The close relationship between the right to protection of personal data and the right to respect for private and family life also follows from the practice of the EU Court. The Court ruled that the protection of personal data, which results from the direct obligation set out in Article 8(1) of the EU Charter of Fundamental Rights, is of particular importance for the right to respect for private life (C-293/12 and C-594/12 Digital Rights Ireland, § 53). In decisions C-293/12 and C-594/12 Digital Rights Ireland, the ECJ recognized the obligation of providers of publicly available electronic communications services or public communications networks to retain data about a person’s private life and communications for a certain period of time as an interference with rights, guaranteed by Article 7 of the Charter of Fundamental Rights of the EU. At the same time, the ECJ ruled that the contested directive is also an interference with the fundamental right to the protection of personal data, guaranteed by Article 8 of the Charter, as it regulates the processing of personal data (§ 34–36 of the decision).