Article 2 GDPR: Difference between revisions
Line 205: | Line 205: | ||
==Commentary== | ==Commentary== | ||
Article 2 GDPR sets out the material scope of the GDPR. Paragraph 1 clarifies that the Regulation applies to any processing of personal data by automated means or to the | Article 2 GDPR sets out the material scope of the GDPR. Paragraph 1 clarifies that the Regulation applies to any processing of personal data by automated means or to the non-automated processing of personal data that is or is intended to be stored in a filing system. Paragraph 2 provides for exceptions that exclude the applicability of the GDPR, such as data processing relating to activities outside the scope of European law or relating to purely personal or domestic activities. Paragraph 3 confirms the validity of sector-specific data protection laws for the processing carried out by European institutions provided that these regulations are brought into compliance with the GDPR pursuant to Article 98 of the same Regulation. Finally, Paragraph 4 clarifies that the rules of Directive 2000/31/EC are not affected by the provisions of the GDPR. | ||
===(1) Material Scope=== | ===(1) Material Scope=== | ||
The GDPR applies to the processing of personal data | The GDPR applies to the processing of personal data by automated means. The expression "automated means" is not defined in the GDPR but, according to the scholars, should be understood broadly and includes all procedures in which at least part of a data processing is carried out automatically using a given program without further human intervention. <ref>''Baker'' in Wolff, Brink, BeckOK DatenschutzR, Article 2 GDPR, margin number 2 (Beck 2021, 36th ed.) (accessed 3 September 2021).</ref> | ||
The data processing must be ''fully or partially'' automated. In any case, there is partial automation when an individual data processing operation is carried out partly manually and partly automatically. This is the case, for example, when personal data is entered manually into a digital database. In addition, partial automation can also be assumed if several data processing operations, some of which are carried out manually and some of which are automated, are sufficiently closely linked in a coherent processing process. <ref>''Baker'' in Wolff, Brink, BeckOK DatenschutzR, Article 2 GDPR, margin number 3 (Beck 2021, 36th ed.) (accessed 3 September 2021).</ref> | |||
In addition, the GDPR applies to non-automated processing of personal data if the personal data forms part of a filing system, or is intended for this purpose.<ref>If the data is intended as part of a filing system, but is not processed by automated means, the collection of such data will constitute a processing operation even before it is organized into a filing system.</ref> The concept of "Filing system" is defined in [[Article 4 GDPR|Article 4(6)]] and Recital 15 GDPR. The GDPR reproduces the definition of ‘filing system’ provided in [https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML Article 2(c) Directive 95/46/EC] ''verbatim''.<ref name=":0">''Kranenborg'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 2 GDPR, p. 67 (Oxford University Press 2020).</ref> The concept of a ‘filing system’ under the Directive 95/46/EC has been addressed by the CJEU in ''Jehovan todistajat,''<ref>''Kranenborg'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 2 GDPR, p. 67 (Oxford University Press 2020).</ref> as well as by various Attorney General opinions.<ref>See Opinion of Advocate General Kokott, 8 May 2008, Sautmedia, C‑73/07, margin number 34 (available here https://curia.europa.eu/juris/document/document.jsf;jsessionid=F087BE2C7DF508FA67FED22A4E923E46?text=&docid=67007&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631); Opinion of Advocate General Sharpston, 15 October 2009, Commission v Bavarian Lager, C-28/08 P, margin numbers 117-128 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=72502&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631); Opinion of Advocate General Kokott, 20 July 2017, Nowak, C-434/16, margin number 69 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=193042&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631); Opinion of Advocate General Mengozzi, 1 February 2018, Jehovan todistajat, C-25/17, margin numbers 53-59 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=198949&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631).</ref> | |||
As the material scope of the GDPR concerns the processing of personal data, anonymized data falls outside the GDPR. The question of whether data is “personal” or “anonymous” is a technical and factual question. There is, however, a very high barrier for data to be considered anonymous | It is irrelevant which form the personal data takes. Structured as well as unstructured data will fall under the material scope of the GDPR as long as it concerns personal data. | ||
As the material scope of the GDPR concerns the processing of personal data, anonymized data falls outside the GDPR. The question of whether data is “personal” or “anonymous” is a technical and factual question. There is, however, a very high barrier for data to be considered anonymous as the probability of re-identification is normally considered high. [[Article 4 GDPR#5|Pseudonymised data]] falls under the GDPR. | |||
===(2) Exceptions=== | ===(2) Exceptions=== |
Revision as of 13:50, 3 September 2021
Legal Text
1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which from part of a filing system or are intended to form part of a filing system.
2. This Regulation does not apply to the processing of personal data:
- (a) in the course of an activity which falls outside the scope of Union law;
- (b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
- (c) by a natural person in the course of a purely personal or household activity;
- (d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
3. For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.
4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.
Relevant Recitals
Commentary
Article 2 GDPR sets out the material scope of the GDPR. Paragraph 1 clarifies that the Regulation applies to any processing of personal data by automated means or to the non-automated processing of personal data that is or is intended to be stored in a filing system. Paragraph 2 provides for exceptions that exclude the applicability of the GDPR, such as data processing relating to activities outside the scope of European law or relating to purely personal or domestic activities. Paragraph 3 confirms the validity of sector-specific data protection laws for the processing carried out by European institutions provided that these regulations are brought into compliance with the GDPR pursuant to Article 98 of the same Regulation. Finally, Paragraph 4 clarifies that the rules of Directive 2000/31/EC are not affected by the provisions of the GDPR.
(1) Material Scope
The GDPR applies to the processing of personal data by automated means. The expression "automated means" is not defined in the GDPR but, according to the scholars, should be understood broadly and includes all procedures in which at least part of a data processing is carried out automatically using a given program without further human intervention. [1]
The data processing must be fully or partially automated. In any case, there is partial automation when an individual data processing operation is carried out partly manually and partly automatically. This is the case, for example, when personal data is entered manually into a digital database. In addition, partial automation can also be assumed if several data processing operations, some of which are carried out manually and some of which are automated, are sufficiently closely linked in a coherent processing process. [2]
In addition, the GDPR applies to non-automated processing of personal data if the personal data forms part of a filing system, or is intended for this purpose.[3] The concept of "Filing system" is defined in Article 4(6) and Recital 15 GDPR. The GDPR reproduces the definition of ‘filing system’ provided in Article 2(c) Directive 95/46/EC verbatim.[4] The concept of a ‘filing system’ under the Directive 95/46/EC has been addressed by the CJEU in Jehovan todistajat,[5] as well as by various Attorney General opinions.[6]
It is irrelevant which form the personal data takes. Structured as well as unstructured data will fall under the material scope of the GDPR as long as it concerns personal data.
As the material scope of the GDPR concerns the processing of personal data, anonymized data falls outside the GDPR. The question of whether data is “personal” or “anonymous” is a technical and factual question. There is, however, a very high barrier for data to be considered anonymous as the probability of re-identification is normally considered high. Pseudonymised data falls under the GDPR.
(2) Exceptions
If the elements in Article 2(1) are fulfilled, the GDPR applies unless the processing falls under one of the exceptions named in Article 2(2)(a)-(d) GDPR.
(a) Activities which Fall Outside the Scope of Union law
The competences of the Union are set out in the EU treaties. In particular, Title 1 of the TFEU sets out the exclusive competence of the Union. While the competences of the EU are carefully shared between Member States and the EU, the GDPR simply differentiates between non-Union law and Union law.
(b) Activities which Fall Within the Scope of Chapter 2 of Title V of the TEU
Title V of the TEU concerns the common foreign and security policy of the EU. While data protection rules apply, the GDPR does not. It follows from Article 16(2) TFEU that data protections laws concerning these issues must be pursuant to Article 39 TEU.
(c) Processing by a Natural Person in the Course of Purely Personal or Household Activity
Processing that falls under the exception of “household activities” are exempt from the GDPR. Only processing by data subjects themselves qualify for the household exemption.
The exemption follows the earlier Directive EC/95/46.
The decision in C-212/13 - Ryneš indicates that the CJEU takes a narrow view of the exemption to household activities. In the case, a camera system installed on a family home for the purposes of protecting the property was not considered to fall under the exception insofar as it also recorded a public space.
(d) Processing by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal penalties
While the GDPR does not apply to the processing operations mentioned in Article 2(2)(d) GDPR, this does not mean that this area does not enjoy data protection. As seen in CJEU - C-293/12 - Digital Rights Ireland and later the CJEU - Joined Cases of C-203/15 and C-698/15 - Tele2 Sverige, Primary Law still puts limitations on the use of personal data for these purposes.
More importantly, the enactment of Directive (EU) 2016/680 now regulates this area.
(3) Union Institutions
Where data is processed by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. The EUDPR, which revises Regulation (EC) No. 45/2001 to align it with the GDPR, was adopted in October 2018. Chapter IX of the EUDPR outlines general rules on data protection applicable EU law enforcement activities within the scope of Chapter 2 of Title V of the TFEU.
(4) Directive 2000/31/EC
The GDPR applies without prejudice to the application of Directive 2000/31/EC (‘the e-Commerce Directive’). Specific reference is made to Articles 12 to15 e-Commerce Directive, which concern the liability of intermediary service providers ("ISP") in situations where they merely transmit information, ‘cache’ information, or merely store information.
Decisions
→ You can find all related decisions in Category:Article 2 GDPR
References
- ↑ Baker in Wolff, Brink, BeckOK DatenschutzR, Article 2 GDPR, margin number 2 (Beck 2021, 36th ed.) (accessed 3 September 2021).
- ↑ Baker in Wolff, Brink, BeckOK DatenschutzR, Article 2 GDPR, margin number 3 (Beck 2021, 36th ed.) (accessed 3 September 2021).
- ↑ If the data is intended as part of a filing system, but is not processed by automated means, the collection of such data will constitute a processing operation even before it is organized into a filing system.
- ↑ Kranenborg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 2 GDPR, p. 67 (Oxford University Press 2020).
- ↑ Kranenborg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 2 GDPR, p. 67 (Oxford University Press 2020).
- ↑ See Opinion of Advocate General Kokott, 8 May 2008, Sautmedia, C‑73/07, margin number 34 (available here https://curia.europa.eu/juris/document/document.jsf;jsessionid=F087BE2C7DF508FA67FED22A4E923E46?text=&docid=67007&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631); Opinion of Advocate General Sharpston, 15 October 2009, Commission v Bavarian Lager, C-28/08 P, margin numbers 117-128 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=72502&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631); Opinion of Advocate General Kokott, 20 July 2017, Nowak, C-434/16, margin number 69 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=193042&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631); Opinion of Advocate General Mengozzi, 1 February 2018, Jehovan todistajat, C-25/17, margin numbers 53-59 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=198949&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631).