The GDPR builds on the basic assumption (of the German Federal Constitutional Court) that under the conditions of automatic data processing, there is no longer any "trivial" data. The law therefore never sees the processing of personal data as risk-free, but attaches obligations to be fulfilled preventively to every processing operation.

The GDPR therefore has a largely preventive character (Risikoverwaltungsrecht = administrative law regulating risk). Unlike most civil law, however, the GDPR considers general life risks to be in need of regulation. Unlike most criminal law, the GDPR does not rely on the deterrent effect of penalties.

Rather, the Verbotsprinzip (precautionary principle) [Tile PC.08], together with all preventive obligations, establishes an entire Vorfeldschutzkaskade (von Lewinski) which means a whole cascade of obligations that have preventive character.