Legal Framework for Personal Data Protection
Charter of Fundamental Rights
The right to personal data protection is a fundamental right and one of the core values of the European Union (‘EU’). It is enshrined in the EU’s Charter of Fundamental Rights (the ‘Charter’). Under the Charter, everyone has the right to the protection of their personal data (Article 8(1)).
The Charter became legally binding with the entry into force of the Treaty of Lisbon on
, which gave the Charter the same legal value as the constitutional treaties of the EU.
Treaty on the Functioning of the European Union
Article 16(1) of the Treaty on the Functioning of the European Union (‘TFEU’) provides that everyone has the right to the protection of their personal data. The EU is unique in providing a constitutional obligation to lay down data protection rules for processing personal data.
EU Data Protection Regulation
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, repealing Regulation (EC) 45/2001 and Decision № 1247/2002/EC (‘EUDPR’).
European Court of Auditors: Internal Rules
Restrictions of certain data subjects' rights
Decision № 42/2021 of the European Court of Auditors of 20 May 2021 adopting internal rules concerning restrictions of certain rights of data subjects in relation to the processing of personal data in the framework of activities carried out by the European Court of Auditors.
DPO implementing rules
Decision № 40/2021 adopting implementing rules concerning the Data Protection Officer pursuant to Article 45(3) EUDPR.
Other relevant references regarding the protection of privacy and personal data
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or ‘GDPR’).
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (‘LED Directive’).
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (‘ePrivacy Directive’).
European Convention for the Protection of Human Rights and Fundamental Freedoms and in particular Article 8, considering that the aim of the Council of Europe is to recognise, maintain and protect human rights and fundamental freedoms such as the right to respect for private life.
Convention 108 of the Council of Europe of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data. In 2018, the Council of Europe modernised the convention, adopting