In a digital society where personal data are constantly collected, used and distributed, citizens should be able to decide freely how to use their own personal data to avoid abuse.
Article 8 of the Charter gives everyone the right to the protection of personal data concerning him or her.
Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority.
Any individual in the Union whose personal data are processed in the Union, or whose data are processed in relation to the offering of goods or services to such individuals in the Union or to the monitoring of their behaviour within the Union, is protected by the legal framework adopted by the Union pursuant to Article 8 of the Charter and Article 16 of the Treaty on the Functioning of the European Union.
Restrictions and limitations to this right
The European Parliament insists on striking a balance between, on the one side, enhancing security and combatting crime and terrorism and, on the other side, the protection of privacy and personal data, so as to ensure that these policies are designed with these fundamental rights integrated. It has adopted various resolutions on these sensitive matters, in particular on the electronic mass surveillance of EU citizens. The European Court of Justice has also issued several major judgments regarding the compatibility of Union legislation on fighting serious crime and terrorism with the Charter, for instance: Digital Rights Ireland Ltd (C-293/12), Tele2 Sverige AB (C-203/15), Maximillian Schrems v Data Protection Commissioner (C-362/14), and PNR Canada (Opinion 1/15).
In 2016, the European Parliament and the Council adopted the data protection package. Composed of a Regulation and a Directive, this package forms a new, modern and robust legal framework that Member States have to apply as of 25 May 2018 to ensure that every individual’s personal data is protected in the Union.
Union data protection law sets out the principles and obligations that a controller must comply with in order to ensure the lawful processing of personal data, such as the legal basis for data processing, the principles for data processing, and the rules on international transfers of personal data outside the Union and on personal data breaches.
Rights of data subjects with regard to the processing of their personal data
Individuals have the right:
- to be informed about the processing of their personal data,
- to obtain access to their personal data, and
- to ask that personal data that are incorrect, inaccurate or incomplete be corrected, erased or restricted.
They also have the right to the portability of their personal data from the controller who initially processed the data to another controller.
Individuals also have the right to request that their personal data be erased when it is no longer needed or when the processing does not comply with the law.
In accordance with the Charter (Article 52), the rights of individuals may be restricted in very specific circumstances where necessary and proportionate in a democratic society to safeguard any of the objectives of general interest expressly indicated in Union data protection law.
Individuals can object at any time to the processing of their personal data for marketing purposes, which includes profiling related to direct marketing, or on grounds relating to their particular situation, in some specific cases.
Some special categories of personal data are deemed sensitive and have specific protection under the General Data Protection Regulation.
This concerns data referring to racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; processing of genetic data; biometric data used to identify persons; health and sex life or sexual orientation.
Monitoring of compliance with data protection rules is entrusted to independent public data protection authorities in the Member States, which have powers to intervene, consider complaints by individuals and adopt enforcement measures against a data controller. National data protection authorities may impose administrative fines of up to 20.000.000€ or 4% of the total worldwide annual turnover of a data controller or processor for breaches of Union data protection law.