GDPR Recitals 1–13: Establishing Rights, Harmonization, and Legal Certainty Across the EU

You can access the official legal text of GDPR via the European Union’s legal database at eur-lex.europa.eu.

Legal Foundations and Legislative Context of the General Data Protection Regulation (EU) 2016/679

Regulation (EU) 2016/679 of the European Parliament and of the Council was adopted on 27 April 2016. It aims to protect individuals in the processing of personal data and to ensure the free movement of such data across the European Union. This Regulation replaces Directive 95/46/EC and applies to the European Economic Area. Its legal foundation is Article 16 of the Treaty on the Functioning of the European Union. The legislative process began with a proposal from the European Commission, was reviewed by national parliaments, and considered the opinions of both the European Economic and Social Committee and the Committee of the Regions. It was adopted through the ordinary legislative procedure.

Recital (1): Fundamental Right to Data Protection

Natural persons have a fundamental right to the protection of their personal data. This right is established and guaranteed by foundational legal provisions within the European Union framework.

Recital (2): Universal Application and Goals

The protection of individuals in relation to personal data processing must uphold their fundamental rights and freedoms, regardless of their nationality or place of residence.

The regulation aims to support the development of a unified space characterized by freedom, security, and justice, promote economic and social advancement, enhance the integration of national economies within the internal market, and improve the welfare of individuals.

Recital (3): Directive 95/46/EC Background

Directive 95/46/EC was established to align the protection of individuals’ fundamental rights and freedoms concerning personal data processing, while also facilitating the unrestricted movement of such data across EU Member States.

Recital (4): Balancing Rights

Personal data processing should be oriented toward benefiting humanity. The entitlement to data protection is not unlimited; it must be weighed against its societal role and harmonized with other essential rights based on proportionality. The regulation upholds all fundamental rights and acknowledges the liberties and values embedded in the European Union’s legal framework, including privacy, communication, personal data protection, freedom of belief and expression, business activity, legal recourse, fair trial, and cultural and religious diversity.

Recital (5): Cross-Border Data Flow

The internal market’s growth has led to a notable rise in cross-border personal data exchanges. Public and private entities increasingly share data across the EU, and national authorities are required to cooperate under Union law to fulfill their responsibilities.

Recital (6): Technological Challenges

Technological advances and globalisation have intensified challenges in protecting personal data. Data collection and sharing have surged, with individuals and institutions exchanging information on a broad scale. As technology reshapes society, it also facilitates cross-border data flows, which requires robust safeguards to remain in place.

Recital (7): Need for Coherent Framework

The evolving digital landscape calls for a unified and enforceable data protection system across the EU to build trust in the internal market. Individuals must retain control over their personal data, and clarity in legal and operational terms should be improved for citizens, businesses, and public institutions. 

“Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.”

Recital (8): National Law Integration

When the Regulation allows Member States to define or limit its rules through national law, they may include parts of the Regulation in their own legislation to ensure consistency and clarity for those affected.

Recital (9): Fragmentation and Risk

Although the core aims of Directive 95/46/EC remain valid, its implementation has led to inconsistencies across the EU. These variations have created legal uncertainty and public concern, especially regarding online data protection. Uneven levels of personal data safeguards among Member States hinder the free movement of data, disrupt economic activity, distort competition, and complicate the work of authorities under EU law. These disparities stem from differences in how the directive has been applied and enforced nationally.

Recital (10): Harmonization and Flexibility

To ensure consistent personal data protection across the EU, Member States must apply equivalent standards while retaining flexibility to clarify rules for legal, public, or official purposes. National laws may address specific sectors and sensitive data, but must align with the Regulation’s framework.

“This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’).”

Recital (11): Enforcement and Rights

Strong EU-wide data protection requires clear individual rights, defined responsibilities for data handlers, equal enforcement powers, and consistent penalties across Member States.

Recital (12): Legislative Mandate

Article 16(2) TFEU tasks the European Parliament and Council with setting rules for personal data protection and its free movement.

Recital (13): Legal Certainty and SME Consideration

To ensure uniform data protection and avoid barriers to free data flow within the EU, a Regulation provides legal clarity, equal rights, and responsibilities across Member States. It also allows record-keeping exemptions for businesses with under 250 employees.

“The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.”

“To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping.”