In the GDPR, the Verbotsprinzip (i.e. precautionary principle) applies: the processing of personal data is generally prohibited unless there is a legal ground for permission [in detail, see Tile PC.08].
This regulatory technique requires numerous exceptions, the scope of which is regularly the subject of dispute and legal uncertainty.
This regulation technique is hostile to processing. It is intended to deter the processing of personal data, and it does indeed have such a deterrent effect [Tile C.18].
Its basic idea is behaviour control: the processing of personal data is initially regarded as socially undesirable behaviour. The consequence is that even processing that is protected by fundamental rights and socially desirable is under constant pressure to justify itself.
The general suspicion against every controller has a symbolic effect that triggers "chilling effects" [Tile C.19]. Citizens no longer make use of their fundamental rights, although they would be entitled to do so (example: photography). The fact that the disclosure of one's own personal data and the processing of other people's personal data are also protected by fundamental rights is lost sight of [Tile CO.01].
The principle of prohibition leads to the privatisation of the social and the legalisation of the everyday. Fundamental rights are no longer not only rights of defences against the state but apply horizontally in the relationship between private parties, which leads to obligations that normally have to be fulfilled by the state only [Tile C.12].