Data protection is a fundamental right, articulated in Article 8 of the Charter of Fundamental Rights of the European Union. The GDPR builds on that right by providing the legal framework that governs how personal data may be processed.

It does this by specifying the following:

  • Principles (principles relating to processing of personal data, including lawfulness, fairness and transparency)
  • Roles (controller, processor)
  • Responsibilities

Last but not least, it also establishes the rights of data subjects, i.e. the individuals whose personal data are being processed. The GDPR also leaves certain provisions deliberately open ('open norms') for Member States to fill in nationally, for example with respect to the processing of national identification numbers, see GDPR Art. 87 'Processing of the national identification number':


Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.


These national provisions are laid down in each Member State's implementation act for the GDPR. For the Netherlands this act is the General Data Protection Regulation (Implementation) Act (Uitvoeringswet Algemene verordening gegevensbescherming, in Dutch only), commonly referred to as the UAVG.

Examples

The examples below are a good illustration of how the UAVG may deviate from the GDPR:

Hierarchy and relationships

To properly understand the GDPR as a law, it is necessary to understand where the GDPR sits in the hierarchy of legislation and how it relates to the Charter of Fundamental Rights of the European Union. The boxes below show exactly how this works:

Hierarchy of legislation

The right to privacy is safeguarded in different ways in different types of legislation. The following hierarchy applies to Dutch legislation (source: Rules on conflict of laws (lex specialis, superior, posterior) (in Dutch only)):

[Figure: hierarchy of legislation]

EU regulations contain rules that apply directly in all Member States of the European Union, without first having to be transposed into national law. This is referred to as 'direct effect'. A regulation therefore has a status comparable to a national Act of Parliament, but where the two conflict, the regulation takes precedence over the national law (source: https://www.europa-nu.nl/id/vh7bhpblc5za/verordening (in Dutch only)).

Therefore, the hierarchy of regulations applicable to data protection is as follows:

1.      Article 8 in the Charter of Fundamental Rights of the European Union describes, in general terms, the European fundamental right to the protection of personal data.

2.      Article 5 of the GDPR describes the principles to be followed when processing personal data; by doing so it gives concrete effect to the protection offered by the general principles in Article 8 of the EU Charter (source: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=en).

3.      Article 10 of the Dutch Constitution describes the fundamental right to privacy and data protection in the Netherlands (source: https://www.denederlandsegrondwet.nl/id/via0icz1lvv8/artikel_10_privacy (in Dutch only)).

4.      Specifically for the Dutch context and in addition to the GDPR, the UAVG (in Dutch only) specifies, as an Act of Parliament, the framework, roles and responsibilities for the protection of personal data in the Netherlands.

This means that if a researcher fails to comply with the principles set out in Article 5 of the GDPR, this is not merely a breach of a procedural rule: it amounts to an infringement of the fundamental right enshrined in Article 8 of the EU Charter.

Relationship between the Charter and the GDPR

The relationship between the Charter of Fundamental Rights of the European Union and the GDPR principles relating to the processing of personal data is explained in greater detail in the figure below:

[Figure: Data Protection: Fundamental Right Principles]


The innermost blue circle contains the Article 8 principles from the EU Charter. They are protected by the Article 5.1 principles from the GDPR together with the additional Dutch legislation in the UAVG, shown in the middle dark-green circle. The outermost light-green circle represents the principle of accountability laid down in GDPR Article 5.2:


5.2 The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).


This accountability principle in Article 5.2 means that, under the GDPR, it is not enough to take the right measures: a researcher must also be able to demonstrate, with supporting evidence, that all necessary measures were taken to protect sensitive and other kinds of personal data as well as reasonably possible.

A researcher must therefore not only have a thorough knowledge of the Article 5 principles of the GDPR, but must also know which technical and organisational measures and safeguards are necessary in a given context. Moreover, the researcher (in collaboration with a privacy officer) must be able to produce evidence of the measures and safeguards taken when asked. This matters because, in the event of a complaint from a data subject, the Dutch DPA (Autoriteit Persoonsgegevens) may open an investigation in which such evidence will be requested. Failure to provide it could result in a fine and in the research having to be discontinued.

But what technical and organisational measures does a researcher have to take, in a specific context, to set up and carry out a research project in a GDPR-compliant manner? In 'Module 4 - Actions' we look in more detail at the measures that can be taken. First, however, we take a closer look at the GDPR itself and at its Article 5 principles.