Chapter 3: Subject matter and scope – Unlocking the EU General Data Protection Regulation | White & Case LLP International Law Firm, Global Law Practice

Overview

Why does this topic matter to organisations?

Understanding the subject matter and the scope of EU data protection law is fundamental to determining whether this law applies to an organisation's business activities. In essence, an organisation cannot do business confidently and efficiently unless it understands the legal requirements that affect its activities.

What types of organisations are most affected?

EU data protection law is not sector-specific, unlike privacy laws in other parts of the world (notably the US and Canada). It applies in all contexts and across all sectors. Essentially the same requirements apply to small businesses and large multinationals, with very few exceptions. Consequently, organisations of all types are affected by EU data protection law.

What should organisations do to prepare?

Organisations should familiarise themselves with the key issues raised by the GDPR (which are summarised in Chapter 2), review their data processing activities and consider whether EU data protection law applies to those activities. This will enable organisations to work out how the GDPR affects their business operations, and to identify the issues that need to be addressed.

Icons are used below to clarify the impact of each GDPR change. These GDPR impact icons are explained here.

Detailed analysis

Each issue below is set out in four parts: the issue, the position under the Directive, the position under the GDPR, and the impact of the change.

Issue: Aims and objectives of the law

EU data protection law aims to govern the processing of personal data and to ensure that such processing is fair and lawful. It is also designed to give effect to the fundamental right to privacy, enshrined in Art.7 of the CFR and Art. 8 of the ECHR.

The Directive (Rec.1-5; Art.1)

The Directive is intended to:

  • protect the fundamental rights and freedoms of data subjects;
  • enable the free movement of personal data within the EU;
  • contribute to economic and social progress and trade; and
  • address the processing of personal data in the light of technological progress.

The GDPR (Rec.2-7; Art.1)

The GDPR is intended to:

  • protect the fundamental rights and freedoms of data subjects;
  • enable the free movement of personal data within the EU;
  • contribute to economic and social progress and trade;
  • address the processing of personal data in the light of technological progress; and
  • harmonise data protection laws across the EU.

Impact: materially changes; positive

The aims of both the Directive and the GDPR are closely aligned. However, the Directive led to a "patchwork" of similar but not identical data protection laws across the EU. In theory, the more harmonised approach under the GDPR increases the ability of organisations to do business across the EU, with fewer inconsistent national compliance requirements. The GDPR will thereby provide greater legal certainty for organisations.

Issue: Data to which the law applies

EU data protection law applies to personal data.

The Directive (Art.2(a))

The law protects the personal data of natural persons, but does not specifically exclude the personal data of deceased persons.

The GDPR (Rec.27, 158, 160; Art.1(1)-(2), 4(1))

The law protects the personal data of natural persons, but does not apply to data of deceased persons. However, Member States may provide for rules regarding the processing of data of deceased persons.

Impact: materially changes; neutral

The GDPR clarifies that EU data protection law does not apply to the data of deceased persons. This issue is not totally clear in the Directive and the Member States have addressed it differently. However, given the latitude granted to Member States under the GDPR, organisations may continue to experience some variations across the EU in their obligations regarding the personal data of deceased persons.

Issue: Systems to which the law applies

EU data protection law only applies to personal data that are processed in the context of:

  • automated systems (e.g., any electronic database or computerised filing system); or
  • relevant filing systems.

The Directive (Rec.15, 27; Art.3)

The Directive applies to the processing of personal data:

  • by automatic means (e.g., a computerised system or database); and
  • by other (non-automated) means that form part of a relevant filing system.

The protection of individuals should be technologically neutral and should not depend on the techniques used.

The GDPR (Rec.15; Art.2(1))

The GDPR applies to the processing of personal data:

  • by automatic means (e.g., a computerised system or database); and
  • by other (non-automated) means that form part of a relevant filing system.

The protection of individuals should be technologically neutral and should not depend on the techniques used.

Impact: does not materially change; neutral

Both the Directive and the GDPR state that EU data protection law should be technologically neutral.

Issue: Persons to whom the law applies

EU data protection law applies across all sectors to all organisations that are subject to the law.

The Directive (Rec.2; Art.1, 2(d))

The Directive applies to natural and legal persons, public authorities, agencies or any other bodies which process personal data.

The GDPR (Rec.1, 27; Art.4(7))

The GDPR applies to natural and legal persons, public authorities, agencies and other bodies which process personal data.

Impact: does not materially change; neutral

The GDPR applies to the same persons and entities as the Directive (although it should be noted that processors have specific compliance obligations under the GDPR; see Chapter 11).

Issue: Exclusions and exemptions

EU data protection law explicitly excludes and exempts certain activities from its scope.

The Directive (Rec.13, 16; Art.3(2))

The following processing is outside the scope of the Directive:

  • any activity outside the scope of EU law (e.g., activities of a Member State in relation to national criminal law);
  • any activity performed by a Member State for purposes such as ensuring national security or protecting economic or financial interests; and
  • any activity performed by a natural person in the course of a purely personal or household activity.

The GDPR (Rec.16-19; Art.2(2)-(3))

The following processing is outside the scope of the GDPR:

  • any activity outside the scope of EU law (e.g., activities of a Member State in relation to national criminal law);
  • any activity performed by Member States when carrying out activities in relation to the common foreign and security policy of the EU;
  • any activity performed by a natural person in the course of a purely personal or household activity;
  • any processing by the EU itself; and
  • any activities performed by national authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences, or performance of judicial functions.

Impact: materially changes; neutral

The Directive and the GDPR exclude a number of activities that, while they constitute the processing of personal data, are outside the scope of EU data protection law (e.g., because they fall outside the legislative competence of the EU). These activities may still be governed by differing national laws. The GDPR makes one material change, which is that processing performed by national police forces and courts (for certain functions) will not be subject to the GDPR, and will instead be subject to a separate EU Directive on policing and criminal justice. It should also be noted that the UK, Ireland and Denmark have an opt-out from that Directive, which may result in further inconsistent requirements across those Member States.

Further analysis

Commentary: New focus on harmonisation

Many of the underlying principles of the Directive and the GDPR are essentially the same. However, the GDPR places significant emphasis on increasing harmonisation across the EU. This approach is intended to facilitate the free flow of personal data in the digital single market and reduce the administrative burden on organisations that currently face inconsistencies in their data protection compliance obligations from one Member State to the next.

Case law: The "household purposes" exemption

As clarified by the CJEU in Ryneš (Case C-212/13), the "household purposes" exemption is strictly limited to purely personal activities (e.g., personal correspondence or personal use of social networking services). Activities that are partly personal and partly professional (e.g., sending correspondence that includes both social content and business-related content) do not benefit from this exemption.

For the avoidance of doubt, organisations that provide services to individuals for such purposes (e.g., social network providers) do not benefit from this exemption.

Example: Relevant filing systems

Q. The Directive and the GDPR only apply to personal data within automated systems (e.g., computerised systems and databases) and, for hard-copy documents, "relevant filing systems". What is a relevant filing system?

A. As set out in the Glossary, a "relevant filing system" is any structured set of personal data that can be searched or accessed by reference to relevant criteria (e.g., name, ID number, telephone number, etc.). For example, a filing cabinet containing HR records arranged in alphabetical order of employee names would be a relevant filing system. An unstructured box of hard copy case files arranged by year only (and not labelled by name or any other identifier specific to any individual) would not be a relevant filing system. Data contained in the documents within that box would fall outside the scope of EU data protection law, until such time as those data are structured or processed for another purpose.


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 White & Case LLP