At least 82 GDPR provisions oblige the controller to make balancing decisions. Thus, there are in the GDPR:
► 3 fairness tests
► 8 balancing of interests
► 2 compatibility checks
► 11 suitability tests
► 30 necessity tests
► 12 appropriateness tests
► 3 proportionality tests
► 13 risk assessments
Model for many of these balancing requirements is the Gesetzesvorbehalt; i.e. the constitutional duty to restrict fundamental rights only by law that has to meet certain requirements:
1. The state has to pursue a legitimate, legally defined goal.
2. The interference with fundamental rights must be suitable for achieving the goal.
3. The interference must be necessary for achieving the goal (i.e. it must be the relatively mildest means).
4. The interference is appropriate (i.e. proportionate when weighed against other fundamental rights).
Since every processing of personal data is at least considered an interference with the fundamental right to data protection, every processing must be measured against these strict standards of the proportionality test. In data protection law, the requirements are sometimes "called" differently, but pursue the same purpose:
Verbotsprinzip: The Verbotsprinzip (i.e. the precautionary principle) of the GDPR requires consent or a legal basis for any data processing. This corresponds to the Gesetzesvorbehalt.
Purpose limitation: The principle of purpose limitation requires that data processing has a legitimate purpose. This also corresponds to the Gesetzesvorbehalt.
Proportionality: Data processing must be suitable, necessary and proportionate to achieve the purpose (cf. only Art. 5 I c and Rec. 39 (9) GDPR). This corresponds to the principle of proportionality.
Balancing fundamental rights: The numerous balancing of interests and suitability tests of the GDPR ultimately require the controller to weigh Rechtsgüter (i.e. legally protected interests), which come very close to balancing fundamental rights. This corresponds to the case law of the German Federal Constitutional Court, according to which it is the task of the legislator to strike a balance between the severity of the encroachment on fundamental rights and the duty to protect fundamental rights when state powers of intervention are enshrined in law.
All of these duties of balancing oblige both state authorities and private individuals. Thus, principles originally under state and administrative law also apply in a structurally similar way to natural and legal persons under private law. This raises numerous questions:
- Is there an indirect or even direct Drittwirkung (i.e. horizontal effect) of fundamental rights?
- Does the GDPR in its entirety not violate the provision of the German Federal Constitutional Court [Judgement of 22 February 2011, para. 48], according to which the citizen is recognised by the fundamental rights as a free person who is self-responsible in the development of his or her individuality, may shape his or her actions according to subjective preferences in private freedom without being fundamentally accountable for this, may only be called into service by the legal system in a limited manner and in particular in accordance with proportionality?
- Do private parties have to meet exactly the same requirements as public authorities when making the balancing decisions?
The GDPR itself does not provide answers to these questions. However, since EU law does not "function" according to the same principles as national or even German constitutional law, the solutions and principles developed here by case law cannot be applied to the GDPR without further ado.