Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), became effective on 25 May 2018. By choosing the form of a regulation, the legislator raised the regulation of the right to the protection of personal data within the European Union to a higher level. The legislative act has a fundamental impact on the legal systems of the member states, which differ from one another in various ways. Further, it is a general experience that the right to the protection of personal data and the nature of that right are little known both to those affected and to the data controllers. The new legislative act and the increased penalties [Article 84 of the GDPR] call for a study that is understandable to laypersons, too. Finally, as a result of the General Data Protection Regulation, the institutional system ensuring the protection of personal data has fundamentally changed; it is therefore also necessary to examine the authorities of the member states and of the Union. The study approaches the problems that arise primarily from the side of practice. Accordingly, the examination conducted by the Commission nationale de l’informatique et des libertés (CNIL) against Google is described, as the first significant penalty imposed based on the General Data Protection Regulation. The first part of the study is intended to present the right to the general protection of personal data. The historical part addresses in detail the major elements of the historical development of data protection and the development of its contents, with particular regard to the appearance of the right to informational self-determination based on the so-called “census judgment” of 1983 of the BVerfG (Federal Constitutional Court of Germany).
Finally, this part touches upon the theories defined in connection with the historical generations of the right to the protection of personal data. After the historical part, the study addresses the peculiarities of the right to the protection of personal data, paying particular attention to its separation from the neighbouring legal areas. The second part is intended to present how the right to informational self-determination prevails under the GDPR. It is the institutional system protecting personal data that has undergone the most significant change. The Work Group under Article 29 has been replaced by the Data Protection Agency set up based on the GDPR. Setting up the Agency, enlarging its scope of authority and strengthening its independence from the executive powers of the Union can, by all means, be evaluated positively. As regards the security of personal data, the practice, major directives and opinions of the Work Group under Article 29 have been examined. It is a significant step forward that the GDPR has made the sphere of special personal data more specific, thereby increasing the extent of protection. It is important that, as a general rule, the Regulation forbids controlling special personal data. The definition of the concept of personal data is an essential condition for understanding the regulation. In addition to the principles of controlling personal data, the legal bases of data control have particular significance, with special regard to consent and to the data control necessary for performing the contract. In my view, consent is a legal basis of auxiliary nature for data control, which is also supported by the opinions of the Work Group. The granting of consent and the individual excluding circumstances arising in connection with it were examined on a case-by-case basis.
In my opinion, the automated decision-making process and the regulation of profile creation are among the most cardinal issues of the GDPR. The way in which profiles are created, their use and the permissibility of such use are discussed in detail. In my view, the regulation of the GDPR is deficient as regards the automated decision-making process and profile creation. The decision making necessary for performing the contract is not separated sharply enough, and it is not necessary for this. In my opinion, in respect of this latter sphere of cases the GDPR is not strict enough and may easily serve as a basis for misuse on the part of data controllers. In my view, the granting of consent should be made stricter in respect of creating profiles, and the introduction of the (contradictable) legal presumption of refusal would also be desirable.