Various GDPR provisions specify risk and damage categories, from which it can be derived which "rights and freedoms" it wants to protect, which risks it wants to avoid and which damage it wants to prevent.

Thus, it follows from Rec. 75, 83 (3) and 85 (1) GDPR that, in addition to preventing the occurence of “material damage” and “financial loss”, the GDPR also aims to prevent “other significant economic disadvantage”, because such damages could also be the consequence of the processing of personal data.

Only a few provisions use the term "damage": Art. 47 II f, 82 and 83 II a/c as well as EC 94 (2), 146 and 148 (3) GDPR. In the absence of further concretisation of the concept of damage, it is also unclear whether every breach of the GDPR already constitutes damage or whether a further (possibly noticeable) impairment of the “rights and freedoms” must be added.

Many GDPR provisions refer to the "rights and freedoms" of natural persons or data subjects that would be protected [Tile R.01]. However, it does not explicitly state which "rights and freedoms" are meant. The relationship between data protection infringement, impairment of “rights and freedoms” and harm therefore still raises many unresolved questions.

A purely harm-based approach is more commonly associated with US law. The harm-based approach focuses more on high penalties/fines for causing harm (rather than on the idea of risk prevention) and more on the use of the data (rather than on its collection and gathering). Many data protectionists consider the rights-based and/or risk-based approach of the GDPR superior [on the latter, see Tile BC.02].