Article 8 of the Charter of Fundamental Rights of the European Union, embedded in Chapter II (“Freedoms“), recognises the right to data protection as an independent right:
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
The right exists as well in the Treaties: according to Article 16.1 TFUE,
1. Everyone has the right to the protection of personal data concerning them.
In the secondary legislation, already in the 1990s some pieces had been enacted in relation to natural persons‘ data, with the double objective of harmonising the protection of the right in respect of processing activities and ensuring the free flow of data between the Member States. The most relevant pieces of legislation in this regard were Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data; 2 and Directive 97/66/EC on the processing of personal data and the protection of privacy in the telecommunications sector. The latter was repealed in 2002 by Directive 2002/58/EC, on privacy and electronic communications (” the ‘cookies’ Directive “), amended in turn in 2009 by Directive 2009/136/EC. The former was repealed by Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), which entered into force in 2016 and is fully applicable since 25 May 2018.
The Preamble to the GDPR acknowledges that the principles underlying Directive 95/46/CE remain sound. This notwithstanding, the need was felt to repeal the Directive and enact new rules for two reasons. First of all, rapid technological developments and globalisation had brought new challenges for the protection of personal data.