Raphaël Gellert

European Data Protection Law Review, Jahrgang 4 (2018), Ausgabe 4, Seite 500 - 504

Raphaël Gellert

European Data Protection Law Review, Jahrgang 4 (2018), Ausgabe 3, Seite 391 - 395

Case C-25/17 Tietosuojavaltuutettu v Jehovah’s Witnesses, Judgement of the Court of Justice of the European Union (Grand Chamber) of 10 July 2018 – Article 3(2) Directive 95/46/EC (Data Protection Directive) read in the light of Article 10(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that the collection of personal data by members of a religious community in the course of door-to- door preaching and the subsequent processing of those data does not fall under the exemptions to the scope provided by the first or second indent of that article. – Article 2(c) Directive 95/46 must be interpreted as meaning that the concept of a ‘filing system’, covers a set of personal data collected in the course of door-to-door preaching, if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use. In order for such a set of data to fall within that concept, it is not necessary that they include data sheets, specific lists or other search methods. – Article 2(d) Directive 95/46, read in the light of Article 10(1) of the Charter of Fundamental Rights, must be interpreted as meaning that it supports the finding that a religious community is a controller, jointly with its members who engage in preaching, for the processing of personal data carried out by the latter in the context of door-to-door preaching organised, coordinated and encouraged by that community, without it being necessary that the community has access to those data, or to establish that that community has given its members written guidelines or instructions in relation to the data processing.

Raphaël Gellert

European Data Protection Law Review, Jahrgang 3 (2017), Ausgabe 2, Seite 212 - 217

Raphaël Gellert

European Data Protection Law Review, Jahrgang 3 (2017), Ausgabe 2, Seite 180 - 186

Raphaël Gellert

European Data Protection Law Review, Jahrgang 2 (2016), Ausgabe 4, Seite 481 - 492

Recent years have seen the emergence of a so-called risk-based approach to data protection. It is meant to address the purported shortcomings of the traditional EU data protection principles (such as data minimisation, purpose limitation, etc) with regard to evolving data processing practices (eg, profiling, big data). It does so by replacing these principles with risk analysis tools, the goal of which is to assess the benefits and harms of each processing operation and on this basis to manage the risk, that is, to take a decision whether or not to undertake the processing at stake. Such risk-based approach has been hailed as diametrically opposite to the legal, rights-based nature of data protection. This contribution investigates this opposition and finds that the two approaches (risk-based and rights-based) are actually much more similar than is currently acknowledged. Both aim at managing the risks stemming from data processing operations. This is epitomised by the fact that they have the exact same modus operandi namely, two balancing tests, with risk reduction measures (known as safeguards in the legal context) associated to the second balancing. Yet, if both approaches manage data processing risks, they nonetheless do so differently. Whereas the risk-based approach manages risks in a contextual, tailor-made manner, the rights-based approach manages risks from the outset once and for all. The contribution concludes with a discussion and possible policy recommendations highlighting the benefits and drawbacks of each approach.