Table of Cases
Table of Legislation
Abbreviations
1. The reasons for research on data subjects
1. The notion(s) of the data subject(s) in a digital changing world
2. Research question
3. Three related research objectives
4. Approach and scope
5. Societal and scientific relevance and the state of the art
6. Outline
2. The notion of the data subject: an average individual?
1. Introduction
2. The notion of the data subject in the EU data protection framework in general
3. The first requirement of the GDPR definition: the ‘living’ person
4. The second requirement of the GDPR definition: the natural person (and not legal persons)
5. The third requirement of the data subject definition: identified or identifiable
6. The fourth requirement of the data subject definition: to whom data are related
7. Preliminary conclusions: universalism versus particularism
8. The average data subject as the average consumer?
9. The average consumer in EU law: the Unfair Commercial Practices Directive
10. Criticisms and developments: the relatively average consumer
‘Average consumers’ in other parts of EU consumer law
Critical remarks on the notion of ‘average’ consumer
11. Is there an average data subject in the GDPR?
12. The hybrid approach of the GDPR to average subjects and the room for contextual vulnerability
13. Concluding remarks
3. Who is the vulnerable individual?
1. From the average to the vulnerable data subject
2. Theorizing individual vulnerability: the layered theory
3. Vulnerability and power imbalance: structural imbalance
4. Layered vulnerability and intersectionality
5. Vulnerability and the importance of the dignity principle
6. Vulnerability and human rights: the rise of the concept of vulnerable persons in the ECtHR jurisprudence
7. The rise of vulnerable individuals in EU secondary law: an overview
8. Vulnerable research subjects in EU law
9. Vulnerable consumers in EU law
The European Commission Report on Consumer Vulnerability in the EU
Layers of relational vulnerability for consumers
10. Conclusions
4. The vulnerable data subject in the GDPR
1. Introduction: situating vulnerable individuals in the data protection field
2. Universalistic or particularistic approach to data subjects’ vulnerability
3. Data subjects’ vulnerability during the data processing or as an outcome of the data processing
4. Effects of data subjects’ vulnerability
5. How consumer vulnerability literature could inform the analysis on vulnerable subjects in the data protection framework
6. Manifestation of data subjects’ vulnerability in the text of the GDPR: first analysis
7. Children as the typical vulnerable data subjects
8. Classifying data subjects’ vulnerability in relation to power imbalance
9. The proposed Artificial Intelligence Act: a new approach to vulnerable data subjects?
10. Concluding remarks
5. Data protection principles and vulnerable data subjects
1. Introduction
2. The principle of fairness: first locus of the protection of data subjects’ vulnerability
The first nuance of fairness: procedural fairness. A way to mitigate processing-based vulnerability?
The second nuance of fairness: fair balancing. A tool against power imbalance?
The third nuance: fairness as good faith. A hybrid way to mitigate the two facets of data subjects’ vulnerability?
The need for a vulnerability-centred understanding of fairness
3. The principle of lawfulness: second locus of the protection of data subjects’ vulnerability
Consent in case of vulnerable data subjects: limits and potentialities
Other lawful bases for processing data of (vulnerable) data subjects
Legitimate interests and vulnerable data subjects
Sensitive data: a concept for protecting (more) vulnerable data subjects?
4. The purpose limitation principle: third locus of the protection of data subjects’ vulnerability
5. The accuracy principle
6. Conclusions
6. Data protection rights and duties and vulnerable data subjects
1. Introduction
2. Data subjects’ rights in the GDPR: towards a vulnerability-based interpretation?
3. Transparency rights and the types of the data subject
4. The right to erasure and the vulnerable subjects
5. The right to object and ‘the particular situation’ of vulnerable data subjects
6. The right to object and ‘the particular situation’ in the different Member States
7. The right not to be subject to automated decision-making and the vulnerable data subject
8. Accountability and vulnerable data subjects: the risk-based approach in the GDPR
The ‘categories’ of data subjects in the accountability duties
The risk-based approach and the layers of data subjects’ vulnerability
9. Data protection by design
10. Data Protection Impact Assessment and the vulnerable data subjects
11. Data subjects’ vulnerability as a risk factor in different national DPIA lists
First group: the Member States with a minimalist approach to vulnerability as a high risk for data protection
Second group: the Member States where vulnerability combined with another risk factor determines the high risk of data processing
Third group: the Member States where vulnerability is a significant risk factor, even considered alone
Fourth group: the Member States where the notion of vulnerability is better clarified and conceptualized
12. The content of a DPIA: towards a vulnerability-centred implementation
13. Conclusion: a vulnerability-attentive analysis of the GDPR
7. Assessing (and mitigating) layers of data subjects’ vulnerability: Using the DPIA as a model
1. Introduction
2. Risks to ‘fundamental rights and freedoms’: which ones?
3. Analysing the severity of risks: from mere effects to damages
4. Analysing the likelihood of risks
5. Mitigation measures: a vulnerability-aware application of the data protection safeguards
6. When vulnerability layers cannot be mitigated: the backstop scenario
7. Conclusions
8. The limitations and the alternatives of a vulnerability-based interpretation of the GDPR
1. Introduction
2. The risks of paternalism in a vulnerability-based approach to data protection
3. Lack of legal certainty and foreseeability?
The inflation risk: is everyone vulnerable?
4. The risk of an individualistic approach versus group-based vulnerability: lessons from ‘group privacy’ literature
5. The problem of interpretation: too much attention to a hidden concept in the GDPR?
6. Interpretational issues in a vulnerability-aware implementation of the GDPR
Is the GDPR perpetuating vulnerability itself? Inputs for further research
7. Policy recommendations: how to alter the data protection law to improve the protection of vulnerable data subjects
Policy option 1: the category-based approach to vulnerability
Policy option 2: the general approach to vulnerability
8. Conclusions
9. Conclusions: The layers of data subject’s vulnerability and the way ahead
1. The need for a spectrum
2. Who is/are the data subject/s?
3. The average data subject
4. The compelling necessity to consider vulnerable data subjects
5. Human vulnerability: the layered approach
6. The two types of vulnerable data subject: a new taxonomy
7. Vulnerable to what? The choice of legal or similarly significant effects
8. Vulnerability as a heuristic tool in the GDPR: a subject-centred perspective of the risk-based approach
9. Is the GDPR enough?
10. Call for further research
Sources and bibliography
Secondary Sources
Guidance documents, opinions, recommendations, and statements
European Data Protection Board
European Data Protection Supervisor
European Commission and Parliament
National DPA documents
Academic literature
Index