Data protection according to GDPR
Right to informational self-determination
The right to informational self-determination protects the freedom and development of the personality and is therefore also called the right of personality. It allows everyone to decide for themselves which personal data may be disclosed or used. The so-called right of personality is still relatively young and was created in the context of the so-called census ruling of the Federal Constitutional Court in 1983. Due to the increasing digital data collection and data processing, the protection of personal data is becoming more and more important and is anchored not only in the Basic Law but also in the General Data Protection Regulation (GDPR). In the following article, you will learn the most important information about the right to informational self-determination.
Key information on the right to informational self-determination
- The basic right to informational self-determination has already existed since 1983, the decisive factor for this was the so-called "Census Judgment"
- The right to informational self-determination is based on the Basic Lawand in particular Article 2(1) and Article 1(1) thereof
- The The General Data Protection Regulation strengthens the law on informational self-determination and regulates the processing of personal data by companies and public bodies
Content on the right to informational self-determination:
Background on the right to informational self-determination
The fundamental right to informational self-determination has been in existence since 1983, the decisive factor being the so-called "Census Verdict". In 1983, door-to-door surveys of citizens about personal data took place. This questioning caused resistance in the population, particularly since the further use of these raised data was unclear. This resulted in a constitutional complaint, which was examined by the Federal Constitutional Court. On 15 December 1983, the survey was declared unconstitutional.
The reasons for this were the considerable and unjustified encroachment on the fundamental rights of individuals, as well as the possibility of creating personal profiles with the data obtained, which posed a threat to personal and other fundamental rights. This judgement laid the foundation for the amendment of the Federal Data Protection Act (BDSG) from 1990. Since 2018, the Protection of personal data its legal basis in the General Data Protection Regulation (GDPR).
What does informational self-determination mean?
Informational self-determination means that individuals are granted the right to decide independently and freely what happens to their personal data. This also includes the decision about when and for what these data may be used.
The 1983 Census Judgment defines the right to informational self-determination as follows:
"In this respect, the fundamental right guarantees the power of the individual to determine, in principle, the disclosure and use of his personal data."
The right to informational self-determination thus guarantees protection of personal data against unlimited collection, storage, use and disclosure of personal data. This also includes government data collection, as well as data processing and data transmission by a public body. In addition, the right protects personal data from being processed for a purpose not consented to by the owner. A significant parallel to the GDPR, which also applies in Article 6 is described.
It should be noted that the right to informational self-determination does not exist without limits. Like other fundamental rights, it can also be restricted by legal means.
Why does informational self-determination exist?
Informational self-determination protects privacy. Already in the "Census of Nations" was noted:
"A social order and a legal order enabling it in which citizens can no longer know who knows what, when and on what occasion about them would be incompatible with the right to informational self-determination. Those who are uncertain whether deviant behaviors will be noted at any time and permanently stored, used, or shared as information will try not to be conspicuous by such behaviors."
Informational self-determination therefore exists in order to achieve compatibility between the social order and the legal order. According to the ruling, this is only possible if each individual can find out "who knows what, when and on what occasion about them". With the census judgement it became clear that there were concerns among the population that behaviour patterns could be documented and permanently stored. In order to be protected from this collection and storage of data as well as information, it is possible for citizens to restrict their behavior. As a result, the Federal Constitutional Court declared the transmission regulations of the then Census Act to be incompatible with the Basic Law.
What is necessary for informational self-determination?
In order to fulfil the principles of informational self-determination, the privacy of the individual must be protected. This is based on certain legislation, which at the same time represents an important condition for democracy and the rule of law. One such piece of legislation is the General Data Protection Regulation, which has the effect of increasing the protection of personal data and of strengthening the fundamental right to informational self-determination strengthens. In times of digitalisation, progressive data collection and networking, however, it is also the principles of data minimisation, privacy by default and privacy by design that are becoming increasingly necessary in the technical alignment and collection of data in order to meet the requirements of informational self-determination.
When and to whom does the right to informational self-determination apply?
As long as no rights of others are violated, or there is no violation of the constitutional order or moral laws, the right to informational self-determination applies without restriction to everyone. There is nevertheless an exception, because informational self-determination can be legally restricted. This can be, for example, a general legal reservation, which restricts the fundamental right. However, formal and substantive constitutional laws are also capable of justification.
Importance for companies
With the entry into force of the GDPR, the principles of the right to informational self-determination must also be respected by companies. This affects all companies in the EU, as well as companies that process the data of European citizens.
The principles governing the processing of personal data are laid down in Article 5 of the GDPR defined:
- (a) Legality - Processing in good faith, transparency
- (b) Earmarking - personal data may only be collected for specified, explicit and legitimate purposes
- (c) data minimisation - collected data may only be collected in a necessary manner
- (d) Accuracy - personal data must be factually correct and up to date. Data which show rejections must be deleted or corrected immediately.
- e) Memory limitation - data collected may be stored only for as long as necessary for the purpose for which it was collected
- f) Integrity and confidentiality - Data must be processed in such a way as to ensure adequate protection by TOMs
If responsible parties do not comply with these obligations or do not have appropriate proof, they are in breach of accountability. in accordance with Art. 5 (2) GDPR.
In addition to these principles, the GDPR also imposes further requirements. These include the principle of prohibition with reservation of consent, which provides that a prohibition on the processing of personal data that exists in principle is lifted by a consent in the form of a legal basis.
Attention must also be paid to the lawfulness of the processing, which in Article 6 of the GDPR as well as the processing of special categories of personal data in accordance with Article 9 GDPR. In both cases, processing is lawful if the data subject gives his consent to the processing of his data.
Companies must be aware of their Duty to inform according to Article 12 GDPR and to inform the parties concerned of the measures taken to comply with them. technical and organisational measures inform. Data subjects must be informed at the outset about the collection and processing of their personal data. This must also be done if the data is released voluntarily, e.g. in the context of an application. Data subjects have the right to have the data collected about them changed or deleted at any time.