
Of interest or interesting to the public? Legitimate interest in media and the journalistic derogation


Academic year: 2023


Inês Amélia Pinto Ruivo

OF INTEREST OR INTERESTING TO THE PUBLIC? LEGITIMATE INTEREST IN MEDIA AND THE JOURNALISTIC DEROGATION

Dissertation to obtain a Master’s Degree in Law, in the speciality of Law and Financial Markets

Supervisor:

Prof. Dr. Francisco Coutinho, Professor of the NOVA School of Law

September 2022


Anti-plagiarism Statement

I declare, by my honour, that all work presented is solely my own and that the contributions or texts of other authors are referenced as per Article 20-A of the 2nd Cycle Regulations. Fully aware that the use of unidentified elements constitutes an ethics flaw and may lead to disciplinary action, the work is submitted as is.

Barreiro, September 2022

Inês Amélia Pinto Ruivo

Dedication

To those that guide and walk beside me; to the ones that I love that finished their path on Earth.

Acknowledgements

Firstly, to Professor Dr. Francisco Coutinho, for his guidance and understanding, for accepting someone doing a Masters Degree in Law and Financial Markets but wanting to write a thesis about data protection, his teachings and mostly for believing my ‘all over the place idea’ could be turned into something worth writing about. Without his belief and support, this thesis would not be something that reflects who I am;

To Inês, my partner in crime, for endless conversations about everything and nothing, for always believing in me, may we carry on sharing our stories and writing the chapters together. You are bound to change the world. Glitter cannot wait to see you Sparkle(s). Cenouras;

To Inês, my Bambiis, the Grace to my Frankie, for the naps, the breaks singing Celine Dion during studying marathons, for all the laughs and tears we shared and are yet to share;

To Emily, the bestiest, for always letting me catch my breath and those movie like runs we do when we see each other. To the newly, and very cool, Mr and Mrs Singleton, thank you for the warmth of home, the patience and kindness;

To Bernardo for always answering the phone and having my back, for holding my coat, for the never ending amounts of coffee and cake;

To Dra Isabel Ludovico Leitão and Dr Manuel Leitão, for their love and teachings, for their kindness and guidance;

To those whose friendship, kindness and support have made the difference: Emeline Fragoso, Filipe Esteves, Henrique Bonifácio, Inês Ribeiro, Ellen Montgomery, Selin Friedli, Cristiana Barbosa, Maria Beatriz Costa, Micaela Ribeiro, Mariana Marinho.

To the “proper adults” that let me act like a kid if I feel like it and have always welcomed me with open arms: Cristina and Francisco Moura, Alda and Nuno Silva, Linda and Mark Barsi;

And lastly to my entire family, but especially my close family:

To my blended family, Lurdes, Catarina and Beatriz, for days filled with love and laughter, knowledge and music.

To my brother, Miguel, I love you endlessly little man. I am and will always be incredibly proud of you. I cannot wait to see what the future holds for you.

My uncle Mário for showing me what I want to be like when I get old.

My grandmother Sofia, for loving me the way she does, for making me dance in the living room;

To my mother Luísa and my father Joaquim, for allowing me to fall and teaching me to get back up again, your ever lasting love and support meant, means and will always mean the world to me, this is all thanks to you. All I achieve will be because I have had your guidance, your love and your unwavering support.

To those who no longer share this road with me: My grandfather Alfredo, my grandmother Rosalina and my grandpa Mário (meow). They all fought through life admirably, raised brilliant and kind-hearted people; despite the heartache, I choose every day to celebrate their life. I do this with them in my heart and with their teachings in my mind. I hope I have made them proud, wherever they may be.

Without all these kind souls I would not have written this dissertation, I owe them all a debt of gratitude and without them I could not say “That’s a wrap”.

Quoting and Other Conventions

Quoting:

Bibliographical references related to articles and books will be made with capitalised surname, first name; title of the work; publisher; volume and issue (if applicable); year; page(s).

Jurisprudence will be referenced as court; parties; year; paragraph(s).

Spelling:

This thesis follows the United Kingdom English spelling.

Number of Characters:

The present dissertation has 122 849 characters, including spaces and footnotes.

Summary (Resumo)

We live in a society that is increasingly shaped by technology; it has become a fundamental part of our lives, part of how we communicate with others, how we get our news, etc.

With this new paradigm of living, new challenges and threats have arisen that could not have been considered before, since they were caused by socio-technological advances; as far as data protection is concerned, therefore, much has changed and much more needs careful consideration today.

In the Media, gossip has always been a topic; it has always been the easiest way to attract readers, as Warren and Brandeis recognised in 1890, along with how dangerous it could be – at a time when almost anything can be published online, the Media have increasingly been operating in a morally grey area – so what can be considered too much in an article?

The General Data Protection Regulation (GDPR) introduced several important changes concerning the protection of people's data; however, when it is placed on a scale with the Media on the opposite side, the latter sometimes outweighs the former.

In a world in which every move celebrities make is carefully watched, this dissertation aims to demonstrate that there is an unfair imbalance between freedom of expression and legitimate interests, in contrast with notions of data protection and security.

To what extent should there not be a mandatory special duty of care on the part of the Media regarding the articles they publish?

Keywords: Data Protection; Legitimate Interest; Media; Journalistic Exception; Security

Abstract

We live in a society that is increasingly driven by technology; it is now a fundamental part of our lives and part of how we communicate with others, how we get news, etc.

With this new paradigm of living, new challenges and threats arose that could not have been considered before due to the socio-technological advancements. So, with regard to data protection nowadays, a lot has changed and a lot more needs careful pondering.

In Media, gossip has always been a topic; it has always been the easiest way to get readers, as Warren and Brandeis recognised in 1890, along with how damaging it could be – in an age where almost everything can be posted online, the media has been increasingly acting in a morally grey area – so what can be considered too much in an article?

The General Data Protection Regulation (GDPR) introduced a considerable number of important changes in terms of protection of data subjects’ personal data. However, when it is placed on a scale with the Media on the other side, sometimes the latter overpowers the former.

In a world where every move made by celebrities is carefully watched, this dissertation aims at shining a light on the unfair imbalance between freedom of speech and legitimate interests in contrast with the notions of data protection and security.

Should there not be a mandatory special care from the Media regarding the articles they choose to publish?

Keywords: Data Protection; Legitimate Interests; Media; Journalistic Derogation; Security

List of Abbreviations

EU – European Union

ECHR – European Convention on Human Rights

ECtHR – European Court of Human Rights

DPD – Data Protection Directive, Directive 95/46/EC

CFRUE – Charter of Fundamental Rights of the European Union

GDPR – General Data Protection Regulation

TFUE – Treaty of Function of the European Union

TUE – Treaty of the European Union

CETS No. 108 – The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

CPR – Constitution of the Portuguese Republic

UDHR – Universal Declaration of Human Rights

Convention 108+ / ETS – Modernised Convention for the Protection of Individual with Regard to the Processing of Personal Data

Art. – Article, exception if used at start of a sentence

Arts. – Articles

Nr. – Number

Nrs. – Numbers

Pg. – Page

Pgs. – Pages

Par. – Paragraph

EDPS – European Data Protection Supervisor

EDPB – European Data Protection Board

USA – United States of America

UK – United Kingdom

Index

Anti-plagiarism Statement

Dedication

Acknowledgements

Quoting and Other Conventions

Resumo

Abstract

List of Abbreviations

Index

Table and Chart Index

Introduction

Chapter I – The General Data Protection Regulation (Regulation (EU) 2016/679)

1. Historic evolution of data protection legislation within the EU

2. The General Data Protection Regulation (GDPR)

2.1. The start of the GDPR

2.2. The newer additions to the GDPR versus the DPD

2.3. Definition of Personal Data and the GDPR Principles

3. The fundamental right of protection of personal data

4. Closing Remarks

Chapter II – Foundations of lawfulness

1. Lawfulness, Fairness and Transparency

2. Principle of proportionality

3. Closing Remarks

Chapter III – Legitimate Interest and the Media

1. Legitimate Interests

1.1 The concept of legitimate interest

1.2 The consequences of processing based on the exclusion

2. The right to inform and the freedom of speech/expression

3. Legitimate expectations of privacy; the concept of privacy and private life

4. Public Interest vs interest of the public

5. Closing Remarks

Chapter IV – Journalistic Derogation

1. Historical overview of the Journalistic Derogation

2. The Journalistic Exemption / Derogation

3. The Member States GDPR implementing laws and their stance on the derogation

4. Closing Remarks

Chapter V – Real Life implications

1. The Daily Mail, July 9th 2020

2. Factual summary and legal standpoint

3. Analysis of the article according to derogation categories in EU Member States

4. Considerations on the Study Case and Conclusory Notes

Chapter VI – Conclusion

Bibliography

Jurisprudence and Legislation

Webography

Annexes

Annex I:

Table and Chart Index

Table 1: Freedom of Expression and the corresponding articles and writing within EU adopted legislation

Table 2: Right to a private life and the corresponding articles and writing within EU adopted legislation

Table 3: The categories of journalism derogation adopted by Member States

Table 4: Standards set by the GDPR

Chart 1: Derogation Adopted by Member States

Table 6: Member States and the text of the derogations to be analysed in the study case

Table 5: Letter of the Law of the Member States national implementation legislation

Introduction

The media have always had a predominant place in all our lives. Previously this was solely through newspapers, but the media are now taking over every platform that we interact with. As a consequence, even if we do not wish to, when browsing social media, we will, inadvertently, come across news articles.

The driver behind this mutation was technology. It infiltrated our entire lives and transformed the way we consume news over the last century. It is also well known that the law evolves with societies, but it appears to have hit a stagnant point when it comes to people in the public eye.

This stagnation can be seen as another consequence of technology.

Before, there was no Google, and only paparazzi would take photographs of celebrities that would appear in the newspaper the following day. Currently, a photograph can be taken by anyone and shared within a matter of seconds, and if a location is provided then it will most likely create a chain reaction of people nearby very quickly.

The GDPR sets the existence of legitimate interests as an exclusion to certain articles in data processing, including the usage for journalistic purposes. This is where a lot of rights inherent to society can clash: on one hand, the media can always argue that they obtained and used certain information, photography included, based on it being of public interest, but on the other hand the person whose information or photographs were shared had no say in it.

This is a possible clash of legitimate interests, freedom of speech and of press, public interest situations and overall security of someone.

Jurisprudence and doctrine have addressed people with political jobs, those whose job will directly influence other people’s lives, but not a lot has been said about celebrities – those whose job is in the entertainment industry. They are still private citizens who just happen to have a profession that makes them known to the public; however, they would never have the same impact on other people’s lives as someone holding a job in public office would, and might only arguably influence some people through the work they do.

Nowadays the internet has put an immense amount of information only a click away, meaning that any additional information published by a media outlet that can help someone find something that very clearly is, and should be, private about a person poses a very dangerous threat to safety.

The article presented in the case study was the triggering point of this dissertation. I have always enjoyed my fair share of TV shows and movies, but one thing that cannot happen is that the people whose job gives us so much joy (and sometimes sorrows) might be put in harm’s way because they are an easy target of the media and articles about them will make their sales go up.

I saw first-hand during the short, yet astonishing, run of Ms. Suzie Miller’s Prima Facie, portrayed by the brilliant Ms. Jodie Comer, about whom the article was written, what a gathering of a fandom looks like; there were hundreds of people at the stage door, and one could see her reaction when she saw the sea of people in front of her. If I were to put myself in her shoes, knowing there is not a massive age difference, all I would want to do after 90 minutes of a powerful monologue about the law and the treatment of sexual assault victims, would be to go home and relax with no fears that where I live, my home, could no longer be private.

It should not be acceptable, whether socially or legally, to have one’s address easily reachable online, and much less that of someone who is in the public eye, as it is putting not only their private lives in jeopardy but their overall safety as well.

This dissertation aims to go through the history of data protection legislation, including the GDPR, in Chapter I, to showcase how far we have come in changing legislation to keep up with changes in society; the foundations of lawful processing in Chapter II, to highlight the grounds of lawfulness in processing, which is directly related with the following Chapter; the concept of legitimate interests and the fundamental rights associated with them, with focus on the right to a private life and freedom of expression, in Chapter III; the journalistic exemption in Chapter IV, showcasing the magnitude this exemption holds, as well as an overview of the level of derogation chosen by each EU member state; and a case study in Chapter V, a newspaper article that will be interpreted in light of each of the derogation category types mentioned in Chapter VI and whether it would have been considered an abuse of the derogation itself or if it falls within the derogation set by that member state.

Chapter I – The General Data Protection Regulation (Regulation (EU) 2016/679)

1. Historic evolution of data protection legislation within the EU

Data protection legislation, as we know it, would not have been possible without the writing and aid of other EU legally binding documents. Nevertheless, it is crucial to mention that certain terms tend to create a ‘lost in translation’ effect, more clearly in some cases than in others. This effect is seen at its peak in the matters of privacy and the journalistic derogation; however, it shall be addressed further ahead.

It is important, for context’s sake, to review the timeline of some of the most important international and EU binding documents, such as the Universal Declaration of Human Rights (UDHR), 1948; the European Convention on Human Rights (ECHR), 1953; the Treaty of the European Union (TUE) – Maastricht Treaty, 1993; the Data Protection Directive (DPD), effective in 1995; the Charter of Fundamental Rights of the European Union (CFRUE), effective on December 12th 2007; the Lisbon Treaty, 2009; and the General Data Protection Regulation (GDPR), 2018, substituting the DPD.

The goal of data protection legislation is to create harmonization and common foundations amongst legal systems and ‘actors’ within the European Union, which work towards one common goal: protecting people’s data.

Around 1970, the Council of Europe came to the realization that Art. 8 of ECHR was insufficient when considering the socio-technological advances, including the scope of what could be considered private life and possible abuse of privacy or private information by public and/or private bodies, giving rise to the need for a safeguard for the principles mentioned above.

Germany, with its first data protection legislation in 1971, and Sweden, in 1972, created the first ‘test trial’ of data protection legislation in specific territories. With the positive outcome of these two pioneer legislations, “(…) these first initiatives worked as a stimulus for the Council of Europe to invest time in the preparation of an international agreement as the first binding instrument on the subject. After four years this resulted in the adoption of the Data Protection Convention, also known as Convention 108 [1] (…)” [2].

It is of relevance to mention here that the first constitutional reference to data protection happened in Portugal. It was the “first European country to incorporate specific provisions on automated data processing in its fundamental law” [3]. Article 35 Nr. 1 of the Constitution of the Portuguese Republic, from now on referred to as the CPR, reads that “Every citizen has the right of access to all computerised data that concern him, which he may require to be corrected and updated, and the right to be informed of the purpose for which they are intended, as laid down by law.” [4], granting its citizens the right of access to data that concerns them, both computerised (Nr. 1) and on paper (Nr. 7). This article, in its original version of 1976, “was instrumental for the later worldwide proliferation of constitutional recognition of access to personal data” [5].

On January 28th 1981, the Council of Europe opened for signature the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, referred to as CETS No. 108, making it the first legally binding instrument on data protection, setting the ground rules for data protection compliance. It is nowadays presented, in its updated version, as Convention 108+ or ETS, the Modernised Convention for the Protection of Individual with Regard to the Processing of Personal Data [6], which was adopted on May 18th 2018 by the Committee of Ministers.

[1] Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg, 28 January 1981, ETS 108.

[2] HUSTINX, Peter; EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation; 2014; available on: https://edps.europa.eu/data-protection/our-work/publications/speeches-articles/eu-data-protection-law-review-directive_en and accessed on 25/02/2022.

[3] FUSTER, Gloria González; The Emergence of Personal Data Protection as a Fundamental Right of the EU; Law, Governance and Technology Series, Vol. 16; Springer; 2014; pg. 66.

[4] “Todos os cidadãos têm o direito de acesso aos dados informatizados que lhes digam respeito, podendo exigir a sua rectificação e actualização, e o direito de conhecer a finalidade a que se destinam, nos termos da lei”, Art. 35, Nr. 1 of the CPR, available on https://www.pgdlisboa.pt/leis/lei_mostra_articulado.php?nid=4&tabela=leis in Portuguese and in https://www.parlamento.pt/sites/EN/Parliament/Documents/Constitution7th.pdf in English.

[5] FUSTER, Gloria González; The Emergence of Personal Data Protection as a Fundamental Right of the EU; Law, Governance and Technology Series, Vol. 16; Springer; 2014; pg. 67.

[6] Available on https://rm.coe.int/convention-108-convention-for-the-protection-of-individuals-with-regar/16808b36f1, accessed on 22/02/2022.

In the 35 years that passed between CETS No. 108 and Convention 108+, a lot has changed when it comes to technology and, with it, our right to private lives has taken a new and more complicated scope, as per Convention 108+: “(…) it appeared clear that the Convention should be modernised in order to better address emerging privacy challenges resulting from the increasing use of new information and communication technologies (IT), the globalisation of processing operations and the ever greater flows of personal data” [7]. It is important to recognize the magnitude of Convention 108, which opened the conversation on the need for data protection regulation in its own legislation. Notwithstanding the well-intended efforts, it had its flaws, as there were consistency and harmonization concerns that could evolve into situations potentially harmful to the internal market, which is one of the most important traits of the EU.

In 1990, regarding data protection and the right to privacy, the Commission of the European Communities highlighted that, since there was no clearly defined and harmonized protection established at Community level and several stances were taken at national level, this posed a threat to the proper functioning of the internal market and overall flows of information [8].

The most important thing to note here is that there was and still is a sense of continuity.

New legislation did not obliterate the ideas of the previous instruments, nor the rights and obligations they granted and defended; instead, they kept evolving and complementing each other, making the framework more suitable to face the new challenges that newer technology brought to this new way of living.

[7] Explanatory Report to Convention 108, par. 1, Convention 108+; 2018.

[8] COM (90) 314 final - SYN 287 and 288: “The diversity of national approaches and the lack of a system of protection at Community level are an obstacle to completion of the internal market. If the fundamental rights of data subjects, in particular their right to privacy, are not safeguarded at Community level, the cross-border flow of data might be impeded just when it is becoming essential to the activities of business enterprises and research bodies and to collaboration between Member States' authorities. In the frontier-free area provided for in Article 8a of the Treaty and (…) a community approach towards the protection of individuals in relation to the processing of personal data is also essential to the development of the data processing industry and of value-added data communication services”, 13 September 1990, pars. 6 and 7, pg. 4, available on: http://aei.pitt.edu/3768/1/3768.pdf

2. The General Data Protection Regulation (GDPR)

2.1. The start of the GDPR

The General Data Protection Regulation Proposal [9] had its centrepiece provided by the DPD, as its goal was to protect citizens’ personal data and guarantee its free flow. However, the motivation was easily summarized as “(…) rapid technological developments have brought new challenges for the protection of personal data. The scale of data sharing and collecting has increased dramatically. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Individuals increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life” [10].

One of the most obvious changes was, quite literally, the change from a Directive, which sets a goal that all EU Member States must achieve while leaving the means of achieving it to their discretion, to a Regulation, which is a legally binding act for all EU Member States.

Regulation 2016/679 of the European Parliament and of the Council, the GDPR, was put into effect on May 25th 2018, substituting the Data Protection Directive. Compared to its predecessor, it brought a demand of compliance from all EU citizens and any other people with an established relation to one, from companies that process personal data relating to them and from some government bodies, as well as new rights, including but not limited to: the right to be forgotten, the application of fines in case of non-compliance, and notification in case of a data breach [11].

[9] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM/2012/011 final - 2012/0011 (COD), available on https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52012PC0011&from=NL and accessed on 04/03/2022.

[10] Ibid., point 1.

[11] Information Technology and Law Series, EU Personal Data Protection in Policy and Practice, Springer, 2017; pg. 2.

2.2. The newer additions to the GDPR versus the DPD

The change in the definition of personal data is probably the difference with the biggest impact, as in the GDPR the scope of what is considered personal data encompasses a lot more ‘possible identifiers’ than in the DPD.

The concept of individual rights can be conveyed in two words: consent and accessibility.

The goal of the GDPR is to give rights to the people the data belongs to. Therefore, before processing and collecting data, consent should be given about a direct matter, based on clear and unambiguous information, allowing the person to make an informed decision on whether they give consent, albeit aware that there are exceptions to this.

Alongside this right, people will now be able to request access to the data the controller holds on them, how it is used and where it is stored, and should they wish to, request that data to be erased – they have the right to be forgotten [12].

Information governance, more commonly known as privacy by design, directly relates to ensuring that the privacy of the data is kept throughout, also requiring controllers to discard that information when it is no longer needed; it is also linked to impact assessments.

Regarding data breaches, during the time of the DPD, Member States could adopt their own laws regarding notifications and, as previously mentioned, there was a cohesion problem with the DPD caused by the discretionary freedoms in certain topics, this being one of them.

This regulation does not merely oblige EU Member States to abide by it, but countries that collect data of and from EU citizens as well. Non-compliance with it can result in rather large fines, reaching thousands, when not millions, of euros; take, for example, Google, which was issued a 50 million euro fine in 2019, confirmed by one of France’s top administrative courts in 2020 [13] when Google’s appeal was dismissed, making it the highest fine issued so far [14] for a GDPR breach.

[12] Art. 17 GDPR.

[13] Conseil d'État; Nr. 430810; France; June 19th 2020; available on: https://www.conseil-etat.fr/fr/arianeweb/CE/decision/2020-06-19/430810.

[14] At the time this dissertation is being prepared.

One cannot expect companies of that scale to respond to verbal warnings, as these are completely ineffective and the companies would most likely carry on with business as usual.

However, when faced with a fine of millions they suddenly have to ‘change their tune’: they can no longer overlook it, and they must admit their wrongdoing and change what was being done incorrectly. After all, we are talking about people’s private information that was given for a very specific purpose; that purpose has to be defined a priori and that is what people agree to. It cannot be used for purposes other than that one, as that would be a clear abuse of their position of power.

2.3. Definition of Personal Data and the GDPR Principles

Before delving into the principles written in the GDPR, it is important to present the concept of personal data. According to Art. 4 Nr. 1 of the GDPR:

“(…) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” [15].

According to the judgment of the CJEU in Patrick Breyer v. Bundesrepublik Deutschland [16], this definition is also to be read as covering IP addresses as personal data, as an interpretation of Art. 2 of the DPD, which was altered into Art. 4 (1) of the GDPR, and as a clear view of how newer technology manifests itself within the scope of data protection legislation.

[15] Art. 4 GDPR.

[16] CJEU; Case C-581-14; Patrick Breyer v. Bundesrepublik Deutschland; 19th October 2016; par. 20: “According to the court of appeal, a dynamic IP address, together with the date on which the website was accessed to which that address relates constitutes, if the user of the website concerned has revealed his identity during that consultation period, personal data, because the operator of that website is able to identify the user by linking his name to his computer’s IP address”; available on: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62014CJ0582.

(21)

9 In the words of Professor Nadezhda Purtova, “(…) the concept ‘personal data’ determining the material scope of data protection is meant to be broad but is bound to expand even further and as a result to apply to an exponentially growing range of situations. This is due to the in-built possibilities for the evolving interpretation of the concept itself, exploding generation and aggregation of data, as well as advances in data analytics. As our environment is rapidly approaching what some call ‘onlife’17 where our daily existence is mediated by information technology, everything in this environment – weather, waste water, exam scripts – is being increasingly ‘datified’, and literally any data can be plausibly argued to be personal”18, showcasing how legislators and legislation is already preparing itself for an unknown future.

The GDPR sets seven core principles to ensure data protection, which are to be abided by during data processing and were also highlighted by the case of Google Spain19: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. They are written in Art. 5 of the GDPR, in Nr. 1 als. a) through f) and Nr. 2, and are also referred to as data quality principles.

Purpose limitation, Art. 5, Nr. 1 a), is composed of two main traits. The first is that the controller, which is defined as “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”20, must specify the purposes for which that data will be used. The second is that data cannot be processed, where processing can be defined as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as

17 Term coined by Professor Luciano Floridi, in FLORIDI, Luciano; The Online Manifesto. Being Human in a Hyperconnected Era; Springer; 2015.

18 PURTOVA, Nadezhda; The law of everything. Broad concept of personal data and future of EU data protection law; Law, Innovation and Technology, pg. 2; 2018.

19 CJEU, Case C-131/12, Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos (AEPD), Mario Costeja González, more specifically in rec. 71 reading “In this connection, it should be noted that, subject to the exceptions permitted under Article 13 of Directive 95/46, all processing of personal data must comply, first, with the principles relating to data quality set out in Article 6 of the directive and, secondly, with one of the criteria for making data processing legitimate listed in Article 7 of the directive (…)”; available on: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131.

20 Art. 4 Nr. 7 GDPR.


Chapter I – The General Data Protection Regulation (Regulation (EU) 2016/679)

collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”21, for other ends that are incompatible with those that have been previously set. However, the Article 29 Working Party22 stated that, if further processing is needed, all other circumstances must be accounted for and assessed as to whether they are incompatible or not with the original purposes.

Data Minimisation, Art. 5, Nr. 1 b), means that organizations, when collecting and processing data, must ensure that the data they are processing is adequate, relevant to the goal and limited to what is actually necessary. Only necessary data should be held by the controller; holding any additional data is unlawful, even where the controller attempts the defence that the data might have been voluntarily given.

Accuracy, Art 5 Nr.1 d), although somewhat self-explanatory, states that all data must be accurate and kept up to date, since inaccurate data might lead to misleading situations and conclusions. This notion was highlighted by Dara Hallinan and Frederik Borgesius: “(…) the accuracy principle aims to ensure that the individual to whom personal data relate is not subject to misrepresentations, and the consequences of misrepresentation, through their personal data. This aim reflects a recognized aspect of the right to privacy.”23.

Storage limitation, Art 5, Nr. 1 e), is one of the principles that has changed the most since it was first written in the DPD. It states that data should not be stored, and accessed, for longer than strictly necessary to fulfil the processing goal; however, since the GDPR allows pseudonymization, there is now a different way to show compliance with this principle. The legislation sets no time frame for this, leaving it to the collecting and processing entities to determine how long that should be considering the primary purpose,

21 Art. 4 par. 2 GDPR.

22 Article 29 Data Protection Working Party, available on https://ec.europa.eu/newsroom/document.cfm?doc_id=44100; footnote 36 “Article 24(1) provides that ‘taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary’”.

23 HALLINAN, Dara and BORGESIUS, Frederik Zuiderveen; Opinions can be incorrect (in our opinion)! On data protection law’s accuracy principle; International Data Privacy Law; Vol. 0; Nr. 0; 2020; pg. 3.


however “(…) in order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.”24

Integrity and confidentiality, Art 5, Nr.1 f), must be interpreted together with Art. 32 of the GDPR (Security of processing), as it requires that all data processed is protected by proper security measures, including but not limited to protection against unauthorized processing or access.

Article 5 Nr.2 demands accountability from the controllers of such data, as they must always be able to demonstrate their compliance with the above-mentioned principles. It is also important to mention that Chapter IV of the GDPR, Arts. 24 to 43, enumerates the roles and responsibilities of controllers.

The GDPR sets out two different types of information ‘checklists’, depending on whether the personal data was collected from the data subject (Art. 13) or not (Art. 14).

Article 13 Nr.1 enumerates the information that the controller shall provide to the data subject when the data is collected. In order to ensure adequate, fair and transparent processing, the controller should also provide the data subject with that information, and Art. 13 Nr.2 is even more important in situations where the controller intends to use the data for an end that was not the one originally intended, as per Art. 13 Nr.3.

Article 14 sets out the information that the controller shall give the data subject when the personal data in question was not provided by them. The controller shall do so within a month maximum (Art. 14, Nr. 3, Al. a)); if the data is to be used in communication with the data subject, at the latest upon that first communication (Al. b)); or, if there is an intention to disclose to a third party, at the latest when they effectively do so (Al. c)). It is to be noted that Art. 14 Nr.5 holds the exception to Art. 14 Nrs. 1 to 4.

3. The fundamental right of protection of personal data

“(…) The fundamental right to personal data protection should be considered a promise just like the one made by the king to his knights

24 Rec. 39 GDPR.


in 1215, in the Magna Charta, that they would not be imprisoned or tortured illegally – ‘nor will go upon him nor send upon him.’ This promise, the habeas corpus, should be renewed and shifted from the physical body to the electronic body. The inviolability of the person must be reconfirmed and reinforced in the electronic dimension, according to the new attention paid to the respect for the human body.”25

This quote perfectly represents the importance that data protection had, has and will increasingly have in society and, most of all, to its people.

The right to data protection has become an intrinsic value amongst EU institutions regarding its citizens, standing as a fundamental right. This is now assured by EU legal instruments, with special emphasis in the Treaties, and within secondary legislation. What is so interesting, and what essentially makes it so notable, is the scope of application of these laws and rights related to data protection: they are applicable not only to Member States’ nationals but also to those who were born outside the Member States and have an established relationship to one, such as residency.

The processing of personal data must comply with the fundamental principles set out in the GDPR, although it shows a direct cause-and-effect relation with the right to private life.

Article 8 of the CFRUE contemplates the right to the protection of personal data; however, it is worth mentioning that it does not present itself as an absolute right, its limitations being written in Art. 52 Nr.1 of the CFRUE.

Article 7 of the CFRUE and Art. 8 of the ECHR enunciate the right to respect for private life, also known as the right to privacy, and Art. 8 of the CFRUE the right to personal data protection. It is important to highlight that Art 7 of the CFRUE directly corresponds to Art 8 ECHR; however, Art 8 of the CFRUE has no direct match within the ECHR, as shown by Art. 52 Nr 3 ECHR.

25 GUTWIRTH, Serge et al; Reinventing Data Protection?; Springer; 2009; pg. 81.


4. Closing Remarks

The evolution of personal data and its protection throughout history is highly important, as it acknowledges the socio-economic changes over time, including the clear changes of paradigm, and the dedication of the EU to creating more harmonized legislation across all Member States.

The definition of personal data in Art. 4 Nr. 1 of the GDPR and the principles of the GDPR (lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability) are highlighted because the scope of the journalistic derogation of Art. 85 of the GDPR can include these principles, as they fall within Chapter II; it is therefore important to understand why they could be incompatible with journalistic activity.

Chapter II – Foundations of lawfulness

1. Lawfulness, Fairness and Transparency

The principle of lawfulness, fairness and transparency was purposely left out of the explanations of the principles of the GDPR in the Chapter above, since this principle requires a more in-depth study.

Lawfulness is one of the key aspects of data processing. Without it, and the pleonasm is inevitable, all data collection and processing would be rendered unusable on grounds of unlawfulness.

Legislation26 has established mandatory criteria for lawful processing, aiming to aid the controller/third party in achieving their goals while simultaneously assuring the

26 Here used in a broad sense but will be related to specific articles and legislative pieces where relevant.


compliance with the data subjects’ fundamental rights, which creates a very sensitive balance.

Convention 108 must be mentioned in regard to this principle, as that convention stated that “(…) It protects individuals against abuses that may accompany the processing of personal data, and seeks, at the same time, to regulate the transborder flows of personal data. As regards the processing of personal data, the principles laid down in the convention concern, in particular, fair and lawful collection and automatic processing of data, for specified legitimate purposes”27.

Article 5 reads:

“1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)28”.

Unless one of the exclusions applies, processing can only be considered lawful if at least one of the conditions of Art. 6 Nr. 1 is complied with, so “(…) The set of conditions in Article 6 can therefore be seen as a ‘threshold’ or minimum standard for the processing of personal data”29. At least one of the following conditions must be met:

“(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

27 Handbook on European data protection law, European Union Agency for Fundamental Rights and Council of Europe, Publications Office of the European Union, 2018, pg. 24.

28 Art. 5 GDPR.

29 CAREY, Peter; Data Protection – A Practical Guide to UK and EU Law; Fifth Edition; Oxford University Press; 2018; pg. 33.


(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”30

As per the European Data Protection Supervisor Toolkit31, “to be lawful, any limitation on the exercise of the fundamental rights protected by the Charter must comply with the following criteria, laid down in Article 52(1) of the Charter:

- it must be provided for by law,

- it must respect the essence of the rights,

- it must genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others,

- it must be necessary - the subject of this Toolkit, and

- it must be proportional.”32

The principles of the GDPR commence in Art. 5, as “it requires all personal data processing be fair, lawful and carried out in a transparent manner”33, although the requirements of lawfulness are enumerated in Art. 6 and at least one of those requirements must be met. This is one of the most important articles for controllers, as it is an a priori requirement for obtaining and processing data. This article is applicable to ‘general’ data;

30 Art. 6 Nr.1 GDPR.

31 European Data Protection Supervisor; “Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A toolkit”, available on https://edps.europa.eu/sites/edp/files/publication/17-06-01_necessity_toolkit_final_en_0.pdf; accessed on 01/04/2022.

32 Ibid, pg. 4.

33 CAREY, Peter; Data Protection – A Practical Guide to UK and EU Law; Fifth Edition; Oxford University Press; 2018; pg. 42.


however, if it concerns a special category of data, the ones expressed in Art. 9, then Art. 9, Nr. 2 must also be complied with.

In matters of transparency, this principle requires34:

“– information for individuals on the identity of the controller;

– information for individuals on the purposes of the processing;

– further information in respect of the data subjects and their right to obtain confirmation and communication of processing activities performed on their personal data;

– making individuals aware of the risks, rules, safeguards and rights in relation to the processing activities and how they can exercise those rights.”35

The term ‘fairness’ is incredibly relevant, as its interpretation is usually performed a contrario: there will be a breach of fairness if the data is not collected through proper means and/or if its use falls outside the scope of what would be reasonably expected by the data subject; this does not include breaches of standards derived from legal requirements.

2. Principle of proportionality

“(…)‘in plain English it means that you must not use a steam hammer to crack a nut, if a nutcracker would do’”36

The above quote is from Lord Diplock and has been used as a practical way of showcasing the idea behind proportionality. However, the rationale behind it does not leave room for human sentimentalism, and it is easily related to two dangerously interpretable metaphors.

In this metaphor, the steam hammer and the nutcracker are mere means to an end, but is there space for justification behind someone choosing one or the other? The expression

34 Recital 39 of the GDPR, substantiated in Arts. 13 and 14 of the GDPR.

35 VOIGT, Paul and BUSSCHE, Axel von dem; The EU General Data Protection Regulation (GDPR) – A Practical Guide; 2017; Springer; pg. 88.

36 Lord Diplock, in R v Goldstein 1 WLR 151, 155B, 1983.


‘means to an end’ illustrates the necessity of taking certain steps in order to achieve a certain goal, but it also transmits the idea that those steps seem sufferable and not exactly pleasant. In this situation, both the steam hammer and the nutcracker will achieve the same goal, assuming no one is getting harmed in either scenario, and if one brings more joy to the one doing it then why should they not choose it? Sure it might take more time and effort, but it might also bring more joy, so why not?

Another metaphor relevant to this principle is ‘the end justifies the means’. This is where morality is written into the premise itself. In a scenario where joy is not brought into the equation, and we are merely posing two possible ways to achieve the same outcome, which one would be the applicable one? The nutcracker. The end is justified by the means. Had it been the steam hammer, again sentimentalism aside, why would this one be a better choice? It simply would not.

Both metaphors are incredibly relevant to this principle. One can be seen through the eyes of the data controller and data processor, ‘means to an end’, and the other can be posed as a question by the data subject (and the public, in situations like the ones that will be showcased in the case study further ahead) when assessing fairness, ‘does the end justify the means?’, alluding to a cost/benefit analysis.

The principle of proportionality gained its weight in constitutional law, where it is often used by courts to assess whether a fundamental right has been breached or not, and it is used more often in criminal law.

“(…) Though proportionality no doubt matters in law, its moral dimension is elusive. It is often referred to as a principle, a reference that is elliptical since there is no moral principle to act proportionately tout court. An unqualified injunction to act proportionately will likely elicit the response: ‘proportionately to what?’ It is usually a specific type of action that one should take in proportion to a specific factor”37. It is a relational concept: cause/effect predetermined.

It is one of the principles expressed in the TEU, in Art. 5 Nr. 4, in Art. 52 Nr. 1 of the CFRUE and in Art 5 Nr.1 of Convention 108+, despite being a concept that has been

37 LETSAS, George; Proportionality as Fittingness: The Moral Dimension of Proportionality; Current Legal Problems; Oxford University Press; 2018, pg. 2.


recognised as a fundamental principle of EU law by the Court of Justice of the EU (CJEU) since 1950, and it conveys a weighing exercise in judgment.

This principle brings out the balance between three concepts that need to be measured a priori: appropriateness, whether it is the appropriate means to an end; necessity, whether it is necessary that it is applied in such a way and, in cases of restriction of fundamental rights, whether there is no better-suited alternative; and disproportionateness, an a contrario view of the principle itself.

The CJEU settled that this "(…) requires that acts of the EU institutions be appropriate for attaining the legitimate objectives pursued by the legislation at issue and do not exceed the limits of what is appropriate and necessary in order to achieve those objectives"38.

The influence of this principle is more subjective when judged in an a posteriori manner, meaning that data, when it is collected, must sometimes be collected in a manner proportional to the goal in mind; however, as once again illustrated by the case study further ahead, in the media proportionality is something that is sadly often overlooked.

“According to settled case-law of the CJEU, "the principle of proportionality requires that acts of the EU institutions be appropriate for attaining the legitimate objectives pursued by the legislation at issue and do not exceed the limits of what is appropriate and necessary in order to achieve those objectives"39. Hence proportionality in a broad sense (as referred to by the CJEU) encompasses both the necessity and the appropriateness (proportionality in a narrow sense) of a measure, that is, the extent to which there is a logical link between the measure and the (legitimate) objective pursued40”.41

38 CJEU; Case C-62/14, Gauweiler (OMT); 2015; par. 67.

39 Ibid.

40 “(…) As possible example of proportionality in a broad sense, encompassing both the necessity and the proportionality tests, see C-594/12, Digital Rights, whereby (…) proportionality (par. 69: “Having regard to all the foregoing considerations, it must be held that, by adopting Directive 2006/24, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter.”) are distinctly addressed by the CJEU.” – Excerpt from European Data Protection Supervisor; EDPS Guidelines on assessing the proportionality of the measures that limit the fundamental rights to privacy and to the protection of personal data; December 19th 2019; emphasis added.

41 European Data Protection Supervisor; EDPS Guidelines on assessing the proportionality of the measures that limit the fundamental rights to privacy and to the protection of personal data; December 19th 2019; pg. 9, available on https://edps.europa.eu/sites/edp/files/publication/19-12-19_edps_proportionality_guidelines_en.pdf, accessed on 28/03/2022.


Data that is collected must always be used proportionally, not only in relation to the end itself but also to the data subject, especially in situations where it might concern more sensitive data (even data not falling within the scope of sensitive data under Art. 9 of the GDPR) that could result in restrictions or possibly dangerous/unfavourable situations for the person.

As expressed by Dr. Giovanni Comandé: “(…) At the core of the notion of proportionality lies the concept of a balancing exercise: the weighing up of the importance (‘legitimacy’, using the wording of the case law) of the objective to be achieved in the given context, also having regard to the efficacy and efficiency of the proposed measure, on the one hand, and the scope and intensity of the interference on the fundamental rights to privacy and to the protection of personal data, on the other hand”42, highlighting the balance carefully drafted by EU legislation.

3. Closing Remarks

These principles (lawfulness, fairness, transparency and proportionality) are usually the ones whose direct application the data subjects can see, due to their nature. Taking proportionality as an example: people can infer whether the data collected is proportional or not to the goal of the processor.

Nevertheless, and since these principles fall within Chapter II of the GDPR, they can also fall within the derogations set by Member States, including the journalistic derogation.

Despite this, as will be noticeable in the case study, these principles should be kept in mind, especially fairness and proportionality, even more so in the media.

Chapter III – Legitimate Interest and the Media

1. Legitimate Interests

42 COMANDÉ, Giovanni; Elgar Encyclopedia of Law and Data Science; Edward Elgar Publishing; 2022; pg. 209.


1.1 The concept of legitimate interest

“(…) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data”43

The concept of legitimate interest can be seen as “ambiguous and controversial”44: there is no clearly delimited scope of what can and cannot be deemed a legitimate interest, which will be studied in depth in this Chapter.

The idea of legitimate interest was not new to data protection legislation, having been present in the DPD in Art. 7. It has no direct definition, which can be somewhat understood given the several stances it can take within law, but, plainly, it refers to a range of interests that can be beneficial to one or more parties when processing data.

It can be found in two instances in the GDPR:

1) In Art. 6, Nr. 1, Al. f) – as a basis for lawfulness;

2) In Art 49, Nr. 1, Subparagraph 2 – as an exception when transferring personal data from the EU to a third country.

This concept is one of the most important in the GDPR, as it works as an exclusion, and it must be carefully pondered and documented to be compliant, additionally because it is easily used, and usable, as an excuse and not only as a well-founded exclusion.

Article 6 Nr.1 f) demands a careful interpretation as it holds more depth to it than it might appear. This principle demands a carefully placed balance between the interests of the controller/third party and those of the data subject, resulting in a three-point analysis of (a) necessity, (b) the actual existence of a legitimate interest and (c) consideration:

43 Art. 6, Nr. 1, f) of the GDPR, emphasis added.

44 CAREY, Peter; Data Protection – A Practical Guide to UK and EU Law; Fifth Edition; Oxford University Press; 2018; pg. 57.


(a) Necessity: it needs to be deemed necessary to achieve a pre-determined goal, defined by the European Data Protection Supervisor (EDPS) as needing a “fact-based assessment of the effectiveness of the measure for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal”45.

(b) The existence of a legitimate interest: the data that is used needs to be a response to the “problems” of the controller/third party, but it cannot override the fundamental rights of the data subject. This legitimate interest needs to be clear, concise, unmistakable and recognisable as legitimate, permitted by EU and national laws, so as to meet the guidelines of the law and the Article 29 Working Party;

(c) Consideration: This point of analysis is the last one due to its end goal, whereas the two previous ones are conditio sine qua non of data processing based on legitimate interests.

As previously mentioned, there needs to be a careful pondering between the interests and goals of the data controller or third party and those of the data subject. The goal is for the scale to be as even as possible, i.e., the interests of the data controller/third party cannot cause dangerous harm or unfounded limitations to the fundamental rights of the data subject. Recital 47 of the GDPR showcases exactly that, as it reads “(…) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller”46, and “simply put, processing pursuant to Art. 6 Sec. 1 phrase 1 lit. f GDPR shall be lawful if, as a result of a balancing of interests, the legitimate interests of the controller/a third party prevail over the need to protect data subjects”47. This will correlate with the legitimate expectation of privacy that will be explained further ahead.

On a more critical note, can the data controller/third party, holding their own legitimate interests on one side of the scale, really assess, and this is a matter of assessment and not

45 European Data Protection Supervisor; “Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A toolkit”; 2017; pg. 5.

46 Rec. 47 GDPR.

47 VOIGT, Paul and BUSSCHE, Axel von dem; The EU General Data Protection Regulation (GDPR) – A Practical Guide; 2017; Springer; pg. 103.


just of compliance, the necessity and proportionality of their actions against the safeguards and the plenitude of the fundamental rights of the data subject?

The Working Party has set three factors to be taken into consideration: the nature and source of the interest; the impact it will have on the data subjects (and, depending on the relation between both parties, the reasonable expectations of the data subjects must be taken into consideration as well); and possible additional safeguards to diminish the possible restrictions it might create.

1.2 The consequences of processing based on the exclusion

Article 6 of the GDPR sets the requirements of lawful processing, at least one of which must be met, one of them (al. f)) being based on the existence of legitimate interests.

As mentioned above, and with due notice of rec. 4048, using legitimate interests of the controller/third party as the basis means that the data processing is within Art. 6 of the GDPR; however, the controller/third party must still concern themselves with complying with the rest of the regulation.

This means that compliance with the principles of Art. 5 is still necessary despite not being to Art. 6, with the transparency requirement gaining even higher significance.

Not only are the obligations of Art. 5 mandatory, processing data based on legitimate interests is also bound by Arts. 13 (Information to be provided where personal data are collected from the data subject) and 14 (Information to be provided where personal data have not been obtained from the data subject), falling, in the GDPR, within the scope of the rights of the data subject.

With the exception of the right to data portability (Art. 20), rec. 48 of the GDPR states that

“That right should apply where the data subject provided the personal data on the basis of

48 Rec. 40 GDPR: “In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.
