04 July 2023
Chiara D’Elia – Stefano Tramacere
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation “GDPR”)
The General Data Protection Regulation “GDPR” (Reg. EU n. 679/2016) is designed to harmonise personal data protection laws within the EU by establishing a modern and coherent framework for data protection that also facilitates the free movement of such data. The text is part of a multilevel and multisectoral regulatory strategy that sets rules for data access and data sharing. It applies extraterritorially: under Article 3(2) it binds controllers and processors established outside the EU whenever they offer goods or services to data subjects in the EU or monitor their behaviour there.
The main objective is to foster the free circulation of data while strengthening individuals’ control over their personal information through important new rights and obligations.
The GDPR adopts the principles of data protection by design and by default (Article 25), commonly referred to as “privacy by design” and “privacy by default”, under which the protection of personal data must be built into the architecture and use of technologies rather than added afterwards; in this way the legal rule shapes the technology itself. On this basis the GDPR develops a risk-based approach. This implies, for instance, that where a processing operation is likely to result in a high risk to the rights and freedoms of natural persons, the controller must carry out a data protection impact assessment (the so-called “DPIA”, Article 35) before the processing begins, and must keep records of the processing activities performed (Article 30).
These innovations reflect a timely and welcome change of perspective, which can be summarised as a shift from a static vision to a dynamic one: from a dimension made up of predefined compliance formalities to a logic in which the controller selects the technical and organisational measures appropriate to the specific activity performed. The approach seeks to mitigate risk and to ensure a system that is both effective and accountable, as required by the accountability principle of Article 5(2).
The GDPR has thus driven the development of a risk-based approach to data processing, shifting the paradigm from a proprietary view of personal data, in which consent was treated as the gateway to every processing activity, to one built on establishing data governance and on preserving the data subjects’ control over their information.