The data protection framework, protects individuals through their fundamental rights and freedoms, in particular the right to protection of personal data concerning them.
The right to the protection of personal data, in addition to the nature of a fundamental right as such, also plays a facilitating function in the protection of other fundamental rights as also inferred from the first regulatory passages.
Fundamental rights and freedoms are not only the framework within which the right to the protection of personal data is framed, but they are also the term of constant comparison for determining and evaluating the level of balancing that the discipline adopts in providing adequate protection for personal data.
Human Rights and Directive 95/46/EC
The Mother Directive recalled in its first Recitals that among the objectives of the Community is promoting the “democracy on the basis of the fundamental rights recognized in the constitution and laws of the Member States as well as in the European Convention for the Protection of Human Rights and Fundamental Freedoms,“ and that “data processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms“ further, that “the establishment and functioning of the internal market, (…), require not only that personal data should be able to flow freely from one Member State to another, but also that the fundamental rights of the individuals should be safeguarded“, whereby “the object of national laws relating to the processing of personal data is to protect fundamental rights and freedoms” [Recitals (1)-(3) and (10), Directive 95/46].
In the dispositive part of the directive, the incipit stated the following:
“In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and particularly their right to privacy, with respect to the processing of personal data.” (Art. 1, Directive 95/46).
Human rights and privacy code
The 2003 Privacy Code, in its earlier version implementing the principles of the Mother Directive, had made two major choices to embed the right to personal data protection among the fundamental ones: it had recognized its entitlement to everyone indiscriminately (Art. 1 “Everyone has the right to the protection of personal data concerning him or her“); and had entrusted the subsequent Article 2 with the function of defining the range of values and legal goods within which this discipline operates (“ensures that the processing of personal data is carried out with respect for the fundamental rights and freedoms, as well as the dignity of the data subject, with particular reference to confidentiality, personal identity and the right to protection of personal data”).
Human Rights and GDPR
The GDPR retraces this path by making use of a syntheticity made possible by the legal instrument of the Charter, which specifically enumerates the right to personal data protection in its Article 8:
“2. This Regulation protects fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data.” (Art. 1(2), GDPR).
Even more explicitly, Recital (4) reads as follows:
“This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.”.