In principle, gaining power over individuals through the processing of their data is undesirable since it can impede the rights and freedoms of individuals. Forbidding the processing of personal data altogether would be excessive, however. In particular, it could infringe on other fundamental rights and freedoms, such as the freedom to conduct business. For this reason, the data protection legislation has to find a balance between all these rights.
Therefore, the GDPR uses the following basic structure:
- Only processing for certain kinds of purposes are allowed;
- and then only under certain conditions on how the processing is implemented.
This is explained in more detail in the sequel.
In this context, the implementation of processing determines among others what data is collected, what human and technical resources (computing hardware and infrastructure) process the data and how (software and procedures) and for how long, and to whom the data are disclosed.
1See Article 16, European Charter of Fundamental Rights. ↑