Risk to the Right to the Protection of Personal Data: An Analysis Through the Lenses of Hermagoras

One of the novelties of the General Data Protection Regulation (GDPR) will be the application of the risk-based approach in European data protection law on a larger scale. Although the Regulation uses the term ‘risk’ in numerous provisions, it does not answer the question ‘What is risk to a right and how should it be assessed?’. Although Article 35 (Data Protection Impact Assessment, DPIA) provides a tool to assess these risks, to keep the GDPR suitable for assessing new technologies, the conduct of a DPIA should be based on solid and clear understanding of the provisions. The applicability and suitability of a risk assessment process is yet to be discovered if the risk relates to a fundamental right. A unified perception of risk to a right is necessary as it is the core element of the risk-based approach, furthermore, a varying perception of risk to a right would undermine the endeavours of the GDPR relating to harmonisation. This contribution elaborates on the attributes of risk to a right and advises a unified understanding of risk to a right and risk to the right to the protection of personal data.