The GDPR has been in force for over three years, but much of it remains unclear.
And that is why we’ve drafted this guide. We want to help you understand the GDPR better.
We have created this guide with the data controller in mind, that is, the person or organisation that decides why and how personal data is processed and that the GDPR therefore holds responsible for compliance.
This means that when we say “the GDPR applies to you,” what we mean is “the GDPR creates duties and obligations that you have to fulfill.” We are more concerned with your obligations than with your rights. Sorry.
We will not follow a strictly chronological order, moving from article 1 onwards. Instead, we’ll unpack the concepts that form the core of the GDPR so that you can have a better understanding of how the Regulation works.
In the first installment of the series, we’ll briefly summarize the GDPR and then discuss its material scope, trying to answer the vexed question: “Does this nightmarish stuff apply to me?”
Please be aware that legal matters are, by nature, nuanced and that nothing presented here can be considered legal advice. If you have doubts, we recommend you contact a lawyer specializing in Data, IT, or Privacy Law.
What is the GDPR?
GDPR stands for “General Data Protection Regulation” (that’s why we’ll also call it “the Regulation” throughout this guide).
Legally speaking, the GDPR is a binding regulation enacted by the European Union (Regulation (EU) 2016/679). It was adopted in April 2016 and has applied in every Member State since 25 May 2018. Because it is a regulation rather than a directive, it is directly applicable: it binds you as written, without waiting for national implementing laws.
As Article 1(1) states, the Regulation «[…] lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data».
Article 1(2) further clarifies the GDPR’s goals: «This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.»
So, in very plain words, the GDPR is an EU-enacted regulation protecting the personal data of natural persons. The Regulation creates a fairly tough, comprehensive, and complex framework. We are going to deal with it in the upcoming installments.
But before we move on, let’s clarify a fundamental yet often misunderstood notion: personal data.
What is personal data?
Under the GDPR, personal data is not a synonym for “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership” or “genetic and biometric data,” as quite a few people seem to believe.
Sure: those categories are personal data (the Regulation calls them “special categories” and gives them extra protection in Article 9). But the general definition set forth by Article 4(1) GDPR is much broader.
According to it, personal data means:
«[…] any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.»
In practical terms, personal data includes pretty much anything one can think of about a natural person (name, address, telephone number, face, age, sex, etc.) and even a few things one wouldn’t normally associate with the notion (email address, IP address, device identifiers, location data). Note the word “identifiable”: data that does not name a person but could be linked back to them, for instance by combining it with other information you or someone else holds, still counts.
The takeaway? You deal with personal data much more frequently than you might believe.
Does the GDPR apply to you?
Luckily, it’s not enough to stumble across personal data to trigger the GDPR’s application.
For it to apply to you (i.e., to create obligations that bind you), you have to satisfy both the material and the territorial criteria set forth by the Regulation in Articles 2 and 3, respectively.
We’ll deal with the territorial scope in the next installment. For now, let’s concentrate on the material scope.
Your Guide to the GDPR: the Material Scope
In legal English (also known as “legalese”), the material scope of a rule refers to the cases covered by that rule. In other words, asking “what’s the material scope of this rule?” is like asking “when does this rule apply,” “which cases are regulated by this provision.”
So, when does the GDPR apply?
The answer to this question is provided by Article 2 of the Regulation. The provision starts by articulating the general rule and then lists several exceptions.
We’ll deal with the general rule first, clarify its meaning by offering key definitions, and then address the exceptions.
The general idea
According to Article 2(1),
«This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.»
Let’s break it down. The GDPR applies:
- To all processing of personal data, when such processing is carried out wholly or partly by automated means; and
- To the processing of personal data that forms part, or is intended to form part, of a filing system, when the processing is carried out manually.
Self-evident, isn’t it?
Yeah, you’re right. Let’s try to decode this provision by clarifying what “processing” means and what “automated means” and “filing systems” are.
What is processing?
Processing is defined by Article 4(2) in… broad terms. According to the article, “processing” means:
«[…] any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.»
You can happily forget about everything that comes after “such as,” because the first part of the sentence tells it all: pretty much anything you do with personal data, from collecting it to deleting it, amounts to “processing.”
So if you pictured “processing” as some highly technical activity, think again. You are constantly processing personal data. It’s fairly hard to exist in this modern world and not do so.
Automated means & filing system
Now, you might be thinking something like, “Yeah, so pretty much everything is processing. But not all processing is covered by the GDPR, right? We’ve said it’s only processing carried out through automated means or processing of data forming part of filing systems.”
And that’s true… but it doesn’t do much to restrict the GDPR’s material scope, as the amount of processing that doesn’t fall into either category is negligible, to say the least.
The GDPR doesn’t define “automated means.” Still, it’s fairly clear from the rest of the Regulation (Recital 15 states that the protection should be technologically neutral) that the expression covers any processing carried out with computers or other electronic equipment: a spreadsheet, a CRM, an email client, a database. It does not require the absence of a human in the loop. Do not confuse it with the much narrower notion of decisions “based solely on automated processing” in Article 22, which is a separate obligation, not a condition for the GDPR to apply at all.
Notice that the exact wording of the provision is «processing of personal data wholly or partly by automated means.» So if a processing activity involves automated means in any way, even marginally, the GDPR applies to you: a paper form that is later typed into a spreadsheet is already “partly” automated processing.
On the other hand, if you process personal data through purely manual means, the GDPR applies only if the data is «part of a filing system or […] intended to form part of a filing system».
Now, unlike with “automated means,” the GDPR does define “filing system.” Article 4(6) describes it as «any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis». The definition raises almost as many doubts as it clarifies, and we’ll come back to it.
For now, suffice to say that a filing system is any organised set of personal data that lets you look records up by some criterion (a name, a date, a department). A random pile of paper does not qualify; a sorted one does.
Do you have a paper file called something like “Employees’ Salary” at your company’s headquarters? Does this file list the employees in alphabetical order, or by department? Then you have a filing system, and the personal data that forms part of it has to be processed in accordance with the GDPR – even when the processing is purely manual.
Summing up the general rule
The GDPR applies:
- To all activities concerning personal data, when they are carried out at least partially with automated means (computers and the like); and
- To all activities concerning personal data that is part or will form part of an organized system, when such activities are carried out manually.
Having established the general rule, let’s see the exceptions.
According to Article 2(2), the GDPR does not apply to the processing of personal data:
- (a) in the course of an activity which falls outside the scope of EU law (such as activities concerning national security);
- (b) by the Member States when carrying out activities within the EU’s common foreign and security policy;
- (c) by a natural person in the course of a purely personal or household activity;
- (d) by competent authorities for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (this is the domain of a separate instrument, the Law Enforcement Directive 2016/680). Note that this covers the police and prosecutors, not companies: if your business processes data about criminal convictions or offences, the GDPR still applies, and Article 10 adds further conditions.
These are not far-reaching exceptions.
If you own a company, chances are none applies to you (but again, we always recommend checking with a lawyer).
As for natural persons, the only relevant exception is the one under point (c). Thanks to it, private individuals don’t have to worry about the GDPR when they share pictures with their aunt or email their mom a copy of her ID or save their friend’s phone number, as all those activities qualify as “purely personal.” Two caveats: the exception covers the individual, not the service they use (Recital 18 makes clear that the company providing the messaging app or cloud storage remains fully subject to the Regulation), and it does not stretch to publishing personal data to an indefinite audience, for example on a website open to everyone.
However, they are still bound by the Regulation when they carry out any other type of processing – including, crucially, all data processing they undertake in a professional capacity.
Contrary to what you might have heard, no exception is made based on a company’s size. It is true that Article 30(5) relieves organisations with fewer than 250 employees of the duty to keep records of processing activities, but only if their processing is occasional, is unlikely to result in a risk to data subjects, and does not involve special categories or criminal-offence data, which rules out most businesses that process customer or employee data routinely. Whether you must appoint a Data Protection Officer (Article 37) depends on what you process (for instance, large-scale monitoring or special categories), not on how many people you employ. Either way, small companies are still subject to the GDPR’s provisions.
So, we have established that the GDPR’s goal is to protect personal data – and we have seen what “personal data” stands for.
We’ve also discussed the material scope of the GDPR, explaining when the Regulation applies. However, material scope alone is not sufficient. For the GDPR to apply to you, you also need to satisfy its territorial criterion.
In the next installment, we’ll see where the GDPR applies.
Spoiler: you might be concerned even if you don’t live in the EU…