Data Privacy and Cybersecurity

Chapter 3: Subject matter and scope – Unlocking the EU General Data Protection Regulation


Why does this topic matter to organisations?

Understanding the subject matter and the scope of EU data protection law is fundamental to determining whether this law applies to an organisation’s business activities. In essence, an organisation cannot do business confidently and efficiently unless it understands the legal requirements that affect its activities.

What types of organisations are most affected?

EU data protection law is not sector-specific, unlike privacy laws in other parts of the world (notably the US). It applies in all contexts and across all sectors. Essentially the same requirements apply to small businesses and large multinationals, with very few exceptions. Consequently, organisations of all types are affected by EU data protection law.

What should organisations do to comply?

Organisations should familiarise themselves with the key issues raised by the GDPR (which are summarised in Chapter 2), review their data processing activities and consider whether EU data protection law applies to those activities. This will enable organisations to work out how the GDPR affects their business operations, and to identify the issues that need to be addressed.


Icons to convey information quickly

The following icons are used in the table to clarify the impact of each change:

  • Under the GDPR, the position on this issue has materially changed (e.g., the GDPR has introduced a new obligation that did not previously exist).
  • Under the GDPR, the position on this issue has not materially changed (e.g., although the wording may be different in the GDPR, the nature of the relevant obligation is unchanged).
  • The impact of the GDPR on this issue is likely positive for most organisations (e.g., because the GDPR provides certainty in relation to a previously unclear issue).
  • The impact of the GDPR on this issue is likely neutral for most organisations (e.g., because the requirements under the GDPR and the Directive are essentially the same).
  • The impact of the GDPR on this issue is likely negative for most organisations (e.g., because the GDPR introduced a new obligation on organisations).
  • The impact of the GDPR on this issue is unknown at this stage (e.g., because the impact on organisations is dependent upon secondary guidance that has not yet been written).


The table below sets out, for each issue, the position under the Directive, the position under the GDPR, and the likely impact for organisations.

Issue: Aims and objectives of the law

EU data protection law aims to govern the processing of personal data and to ensure that such processing is fair and lawful. It is also designed to give effect to the fundamental right to privacy, enshrined in Art.7 of the CFR and Art.8 of the ECHR, and to the right to the protection of personal data in Art.8 of the CFR.

The Directive (Rec.1-5; Art.1) intended to:

  • protect the fundamental rights and freedoms of data subjects;
  • enable the free movement of personal data within the EU;
  • contribute to economic and social progress and trade; and
  • address the processing of personal data in the light of technological progress.

The GDPR (Rec.2-7; Art.1) is intended to:

  • protect the fundamental rights and freedoms of data subjects;
  • enable the free movement of personal data within the EU;
  • contribute to economic and social progress and trade;
  • address the processing of personal data in the light of technological progress; and
  • harmonise data protection laws across the EU.

Impact: The aims of the Directive and the GDPR are closely aligned. However, the Directive led to a "patchwork" of similar but not identical data protection laws across the EU. In theory, the more harmonised approach under the GDPR increases the ability of organisations to do business across the EU, with fewer inconsistent national compliance requirements. The GDPR thereby provides greater legal certainty for organisations.

Issue: Data to which the law applies

EU data protection law applies to personal data.

The Directive (Art.2(a)) protected the personal data of natural persons, but did not specifically exclude the personal data of deceased persons.

The GDPR (Rec.27, 158, 160; Art.1(1)-(2), 4(1)) protects the personal data of natural persons, but does not apply to the data of deceased persons. However, Member States may provide for rules regarding the processing of the data of deceased persons.

Impact: The GDPR clarifies that EU data protection law does not apply to the data of deceased persons. This issue was not entirely clear under the Directive, and Member States addressed it differently. However, given the latitude granted to Member States under the GDPR, organisations may continue to experience some variation across the EU in their obligations regarding the personal data of deceased persons.

Issue: Systems to which the law applies

EU data protection law only applies to personal data that are processed in the context of:

  • automated systems (e.g., any electronic database or computerised filing system); or
  • relevant filing systems.

The Directive (Rec.15, 27; Art.3) applied to the processing of personal data:

  • by automatic means (e.g., a computerised system or database); and
  • by other (non-automated) means that form part of a relevant filing system.

The protection of individuals should be technologically neutral and should not depend on the techniques used.

The GDPR (Rec.15; Art.2(1)) applies to the processing of personal data:

  • by automatic means (e.g., a computerised system or database); and
  • by other (non-automated) means that form part of a relevant filing system.

The protection of individuals should be technologically neutral and should not depend on the techniques used.

Impact: Both the Directive and the GDPR state that EU data protection law should be technologically neutral.

Issue: Persons to whom the law applies

EU data protection law applies across all sectors to all organisations that are subject to the law.

The Directive (Rec.2; Art.1, 2(d)) applied to natural and legal persons, public authorities, agencies or any other bodies processing personal data.

The GDPR (Rec.1, 27; Art.4(7)) applies to natural and legal persons, public authorities, agencies and other bodies which process personal data.

Impact: The GDPR applies to the same persons and entities as the Directive (although it should be noted that processors have specific compliance obligations under the GDPR; see Chapter 11).

Issue: Exclusions and exemptions

EU data protection law explicitly excludes and exempts certain activities from its scope.

The following processing fell outside the scope of the Directive (Rec.13, 16; Art.3(2)):

  • any activity outside the scope of EU law (e.g., activities of a Member State in relation to national criminal law);
  • any activity performed by a Member State for purposes such as ensuring national security or protecting economic or financial interests; and
  • any activity performed by a natural person in the course of a purely personal or household activity.

The following processing is outside the scope of the GDPR (Rec.16-19; Art.2(2)-(3)):

  • any activity outside the scope of EU law (e.g., activities of a Member State in relation to national criminal law);
  • any activity performed by Member States when carrying out activities in relation to the common foreign and security policy of the EU;
  • any activity performed by a natural person in the course of a purely personal or household activity;
  • any processing by the EU institutions themselves; and
  • any activities performed by competent national authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences, or the performance of judicial functions.

Impact: The Directive and the GDPR exclude a number of activities that, while they constitute the processing of personal data, are outside the scope of EU data protection law (e.g., because they fall outside the legislative competence of the EU). These activities may still be governed by differing national laws. The GDPR makes one material change: processing performed by national police forces and courts (for certain functions) is not subject to the GDPR, and is instead subject to a separate EU Directive on policing and criminal justice (Directive (EU) 2016/680, the Law Enforcement Directive). It should also be noted that the UK, Ireland and Denmark have an opt-out from that Directive, which may result in further inconsistent requirements across those Member States.


Commentary: New focus on harmonisation

Many of the underlying principles of the Directive and the GDPR are essentially the same. However, the GDPR places significant emphasis on increasing harmonisation across the EU. The intention of this approach is to facilitate the free flow of personal data in the digital single market and reduce the administrative burden on organisations that have faced inconsistencies in their data protection compliance obligations from one Member State to the next.

Case law: The "household purposes" exemption

As clarified by the CJEU in Ryneš (Case C-212/13), which concerned a domestic CCTV camera that also recorded part of a public footpath, the "household purposes" exemption is strictly limited to purely personal activities (e.g., personal correspondence or personal use of social networking services). Activities that are partly personal and partly professional (e.g., sending correspondence that includes both social content and business-related content) do not benefit from this exemption.

For the avoidance of doubt, organisations that provide services to individuals for such purposes (e.g., social network providers) do not benefit from this exemption.

Example: Relevant filing systems

Q. The GDPR (and, historically, the Directive) only applies to personal data within automated systems (e.g., computerised systems and databases) and, for hard-copy documents, "relevant filing systems". What is a relevant filing system?

A. As set out in the Glossary, a "relevant filing system" (the GDPR itself uses the term "filing system", defined in Art.4(6)) is any structured set of personal data that is accessible according to specific criteria (e.g., name, ID number, telephone number, etc.), whether centralised, decentralised or dispersed. For example, a filing cabinet containing HR records arranged in alphabetical order of employee names would be a relevant filing system. An unstructured box of hard-copy case files arranged by year only (and not labelled by name or any other identifier specific to an individual) would not be a relevant filing system. Data contained in the documents within that box fall outside the scope of EU data protection law until those data are structured by reference to individuals or are brought within an automated system (e.g., scanned, indexed or typed into a database), at which point the processing is in scope regardless of how the hard copies themselves are arranged.


Unlocking the EU General Data Protection Regulation:
A practical handbook on the EU's new data protection law

Foreword

Chapter 1: Introduction

Chapter 2: Complying with the GDPR

Chapter 3: Subject matter and scope

Chapter 4: Territorial application

Chapter 5: Key definitions

Chapter 6: Data Protection Principles

Chapter 7: Legal basis for processing

Chapter 8: Consent

Chapter 9: Rights of data subjects

Chapter 10: Obligations of controllers

Chapter 11: Obligations of processors

Chapter 12: Impact Assessments, DPOs and Codes of Conduct

Chapter 13: Cross-Border Data Transfers

Chapter 14: Data Protection Authorities

Chapter 15: Cooperation and consistency

Chapter 16: Remedies and sanctions

Chapter 17: Issues subject to national law

Chapter 18: Relationships with other laws

Chapter 19: Glossary


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 – 2019 White & Case LLP
