
Brussels Privacy Hub doctoral seminar with guest speaker Markus Schröder (University of Passau) on 'The risk-based approach in GDPR - Risk or opportunity for data protection?'

Location: Online

The Brussels Privacy Hub (BPH) is organising a Doctoral Seminar series to give Ph.D. candidates working on privacy and data protection topics at the Law, Science, Technology and Society (LSTS) the opportunity to present and discuss their work in progress. The aim of the series is to offer Ph.D. students at all research stages a training ground to refine and practice debating their scientific work, and to receive qualified feedback and questions from their peers and from privacy and data protection experts. To this end, each seminar will include a short presentation by the Ph.D. candidate, followed by an open discussion session with the audience. Seminars are also open to external participants.

On 28 February 2022, guest speaker Markus Schröder (University of Passau) will present his PhD project on 'The risk-based approach in GDPR - Risk or opportunity for data protection?'.

This event takes place online. Interested participants wishing to take part online, who are not on that mailing list, can register by sending an email to


The risk-based approach is one of the key elements of the GDPR. In the prevailing view, the risk-based approach serves to scale internal measures, but not to eliminate all measures required for establishing data protection compliance. This only seems consistent, since the legal requirements are not to be undermined by the risk-based approach, but only to be supplemented. But is this truly consistent? Could a risk-based approach rather substitute a rights-based approach? Would this even be legally possible? After all, the right to data protection is a fundamental right. Or is there actually no conflict between a risk- and a rights-based approach?

Under Article 8 (2) CFR, it is conceivable to regard the risk-based approach as “some other legitimate basis laid down by law”. Article 6 (1) (f) GDPR does not explicitly refer to the risk-based approach. But to process personal data for the purposes of the legitimate interests of the controller, a balancing test is required as well. The risks according to Recital 75 also have to be evaluated in this balancing test. Therefore, the GDPR seems to accept the risk-based approach even with regard to the lawfulness of processing.

This research aims to clarify to what extent the risk-based approach is applicable within the current framework of the GDPR and Article 8 CFR.