The GDPR and its scope
Let’s start with some of the basics of the GDPR. Who is this regulation about? When does it apply and when doesn’t it? And did you realise that the GDPR rules are also applicable to organisations outside the EU?
The General Data Protection Regulation contains rules concerning the protection of natural persons (in other words, individuals) when their personal data are processed and rules on the free movement of personal data, as stressed in Article 1(1) GDPR. Article 1(2) GDPR provides that the GDPR seeks to protect fundamental rights and freedoms of natural persons and, more specifically, their right to the protection of personal data. It means that, as such, the Regulation does not deal with the rights and freedoms of legal persons, such as companies.
One might wonder to what types of processing of personal data the Regulation applies or, in other words, what its material scope is. The Regulation is applicable to processing carried out completely or partly by automated means, for instance with the use of computers containing digital databases. In addition, the processing of personal data by any other means is also regulated by the GDPR when these data are included in a filing system or are intended to be used in such a filing system, as stated in Article 2(1) GDPR. This can be the case when personal data are manually processed and are contained or are to be contained in a filing system with structured sets of personal data that are accessible in accordance with certain criteria, such as manual files printed on paper.
There are also situations that are not covered by the GDPR and they are addressed in Article 2(2) GDPR. In the first place, this is the case when the processing is carried out in the course of activities to which European Union law does not apply, for example, those related to national security. Secondly, the GDPR is not applicable to the processing of personal data by EU Member States when it concerns the activities performed within the framework of the common foreign and security policy concerning, for instance, political cooperation, prevention of conflicts and humanitarian aid. Thirdly, the GDPR does not regulate the processing of personal data that natural persons carry out as part of purely personal or household activities, for example, correspondence and social networking. Finally, the Regulation does not apply to the processing by competent authorities, such as the police, in the context of criminal justice, which is governed by the new Police and Criminal Justice Data Protection Directive.
A few words should also be devoted to the territorial scope of the application of the GDPR. Where do persons and organisations have to be located in order to be obliged to comply with the Regulation? According to Article 3(1) GDPR, it is applicable to the processing of personal data by controllers and processors with an establishment in the European Union. In this regard, it does not matter whether the actual processing is carried out in the Union or outside.
Importantly, Article 3(2) GDPR states that, when controllers and processors are not established in the European Union but process personal data of individuals who are in the Union, the Regulation is applicable. Such processing activities must relate to the offering of goods or services for a payment or for free to these individuals or to the monitoring of the behaviour of these persons as long as this behaviour takes place in the European Union, as indicated in Article 3(2)(a) and (b) GDPR. Finally, the GDPR regulates the processing of personal data by controllers that are not established in the Union but somewhere else where the laws of an EU Member State apply by virtue of public international law. This can be the case in diplomatic missions or consular posts of EU Member States.
© University of Groningen