CENTRUM FÖR RÄTTVISA v. SWEDEN JUDGMENT
2. Such data must be processed fairly for specified purposes and on the basis of the
consent of the person concerned or some other legitimate basis laid down by law.
Everyone has the right of access to data which have been collected concerning him or
her, and the right to have them rectified.
3. Compliance with these rules shall be subject to control by an independent authority.”
Article 11 – Freedom of expression and information
“1. Everyone has the right to freedom of expression. This right shall include
freedom to hold opinions and to receive and impart information and ideas without
interference by public authority and regardless of frontiers.
2. The freedom and pluralism of the media shall be respected.”
B. European Union directives and regulations relating to protection
and processing of personal data
93. The Data Protection Directive (Directive 95/46/EC on the protection
of individuals with regard to the processing of personal data and on the free
movement of such data), adopted on 24 October 1995, regulated for many
years the protection and processing of personal data within the European
Union. As the activities of Member States regarding public safety, defence
and State security fell outside the scope of Community law, the Directive
did not apply to these activities (Article 3(2)).
94. The General Data Protection Regulation, adopted in April 2016,
superseded the Data Protection Directive and became enforceable on
25 May 2018. The regulation, which is directly applicable in Member
States, contains provisions and requirements pertaining to the processing of
personally identifiable information of data subjects inside the European
Union, and applies to all enterprises, regardless of location, doing business
with the European Economic Area. Business processes that handle personal
data must be built with data protection by design and by default, meaning
that personal data must be stored using pseudonymisation or full
anonymization, and use the highest-possible privacy settings by default, so
that the data are not available publicly without explicit consent, and cannot
be used to identify a subject without additional information stored
separately. No personal data may be processed unless it is done under a
lawful basis specified by the regulation, or if the data controller or processor
has received explicit, opt-in consent from the data’s owner. The data owner
has the right to revoke this permission at any time.
95. A processor of personal data must clearly disclose any data
collection, declare the lawful basis and purpose for data processing, how
long data are being retained, and if they are being shared with any thirdparties or outside of the European Union. Users have the right to request a
portable copy of the data collected by a processor in a common format, and
the right to have their data erased under certain circumstances. Public