The GDPR follows a "one size fits all" approach:
► In principle, the same obligations apply to every controller - regardless of whether it is a public authority or a private person, a large or a small company, a natural or a legal person, a commercial or a non-profit organisation.
► In principle, the same obligations apply to every processing operation - regardless of whether or not the processing generates revenue, whether it is self-interested or serves the common good, whether it pursues private or public purposes, whether it is an everyday process or a complicated algorithm.
This "one size fits all" approach is far too undifferentiated. It does not take into account the highly diverse capabilities of controllers (the same rules apply to GAFA as to the "baker around the corner").
And the GDPR basically treats low-risk and high-risk data processing in the same way. The risk-based approach of the GDPR only mitigates this to a minor extent [Tile BC.02].
In particular, the "one size fits all" approach does not take into account whether the processing is itself protected by fundamental rights [Tile CO.01].
Sector-specific regulations would be preferable. The obligations of the controller should be much more dependent on the purpose, context and risk of processing, as well as on the public interest benefit. A stronger distinction between state data processing and data processing by private parties would also be desirable.
Even advocates of the current data protection law criticise the "one size fits all" approach (see noyb, Statement: 3rd Anniversary of the GDPR).