In protecting personal data, the European Union has sought to strike a careful balance between the right to privacy and the right to freedom of expression and information. Both respect for private life and the freedom to receive and impart information are fundamental rights, which means that the development of a “new” right to the protection of personal data must take into account both competing rights.
A number of factors led to the adoption of the personal data protection article of the Charter. The increased economic integration of the European Union through the internal market has led to a substantial increase in cross-border flows of personal data between those involved in a private or public capacity in economic and social activity in the Member States. At the same time, technological advances have made it easier to share information and transmit personal data throughout the EU. In order to promote this free exchange of information while also respecting the privacy rights of individuals, the EU has developed a framework whereby personal data is protected under the Charter and in various EU laws and regulations. The EU has sought to both harmonize existing privacy laws with respect to personal information sharing and secure the rights of individuals in protecting their own personal data.
The term personal data includes any information relating to an identified or identifiable natural person. Personal data therefore covers the name of a person as well as other information that could be used to identify a person, such as his telephone number, date of birth and / or information about his working conditions or hobbies kept in conjunction with his name, national insurance number etc. It also includes a person’s image caught by CCTV footage, for example. In a case involving a man who was filmed by CCTV cameras while suffering from depression and attempted suicide, the subsequent release and broadcast of the footage on local television was deemed a violation of his privacy. The person caught on camera in this state was entitled to the protection of his identity.
Personal data that is contained in a database for official use may be accessible to third parties, but only in a manner that ensures protection of fundamental freedoms and rights. Any decision to disclose such information must depend on a balancing of the interests of the provider of the information on the one hand and the person who legitimately needs it on the other. If the person needing the information has a legitimate interest, and if accessing the personal data will not adversely affect the rights of the person providing the information, then the data may not be protected.
Processing of Personal Data
Processing of personal data entails any operation or set of operations that is performed upon personal data, whether or not by automatic means. Examples of such operations include disclosure by transmission, dissemination or otherwise making data available. It also includes mere storage of the data. The loading of personal information on to a webpage is therefore considered processing of personal data because it is made accessible to an indefinite number of people. However, if the webpage is created solely in the exercise of an individual’s freedom of expression and without any professional or commercial purpose, e.g. as part of an artwork, then it may not be subject to protection. A balance must be struck between the freedom of expression exhibited by the webpage creator and the right to privacy of the individuals about whom data has been placed on the internet. The right to protection of personal data does not cover the processing of personal data carried out in the course of private or family life of individuals, such as correspondence and the “social” holding of records or addresses.
When personal data is processed for public dissemination, it is subject to limitations in light of the right to privacy. Thus the processing of personal data must be necessary for and appropriate to the public interest objective being pursued. For example, disclosure of salary and pension information for the purposes of a public audit does not violate the right to personal data protection because it contributes to the proper management of public funds pursued by the legislature. In addition, information contained in an application for a high-level position in national security will not be protected because of the strong public interest involved. However, when personal data is collected, stored, and used by intelligence authorities without the individual having an opportunity to refute its contents, it amounts to a violation of private life and is prohibited.
Other commercial interests may also trump the right to protection of personal data. In a case involving pirated goods bearing the trademark "Adidas,” it was found that the interest of a trademark owner took priority over the interest of an individual in preventing disclosure of personal data. The German company holding the trademark objected to a Swedish law that prevented customs officials from disclosing the names and addresses of people receiving the pirated goods. It was found that the disclosure of names in the context of an infringement of intellectual property rights did not involve a violation of fundamental rights and freedoms.
The fundamental right to private life includes the right to protect information regarding one’s health status. Respecting the confidentiality of health information is seen as necessary to preserve patients’ confidence in the medical profession and in the health services in general. Without protection of personal medical data, those in need of medical assistance may be deterred from revealing such information of a personal and intimate nature as may be necessary in order to receive appropriate treatment. The law is required to protect sensitive medical data, especially in cases involving HIV patients who may be subject to social stigma. It follows, then, that medical information is safeguarded under the protection of personal data. This protection is subject only to restrictions on grounds of public welfare, including investigation pursuant to judicial proceedings. Because this information is private, an individual cannot be subjected to a medical test against his will, nor can the results of the test be made known to his employer. Sensitive personal data, such as information on medical conditions, cannot be processed without the express consent of the concerned individual.
 Peck v. United Kingdom, 28 January 2003
 Leander v. Sweden, 26 March 1987
 Rotaru v. Romania, 4 May 2000
 Z v. Finland, 25 February 1997