Article 2 GDPR: Difference between revisions

Revision as of 12:49, 20 September 2021

← Article 2: Material scope →

Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 2 - Material scope

1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which from part of a filing system or are intended to form part of a filing system.

2. This Regulation does not apply to the processing of personal data:

(a) in the course of an activity which falls outside the scope of Union law;

(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;

(c) by a natural person in the course of a purely personal or household activity;

(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

3. For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.

4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

Relevant Recitals

Recital 13: Harmonisation of Protection and Advantages for Small and Medium-Sized Enterprises

In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC.

Recital 14: Not Applicable to Legal Persons

The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.

Recital 15: Technologically Neutral Protection

In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.

Recital 16: Not Applicable to National Security and Common Foreign and Security Policy Activities

This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.

Recital 17: Adaptation of Regulation (EC) No 45/2001

Regulation (EC) No 45/2001 of the European Parliament and of the Council applies to the processing of personal data by the Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data should be adapted to the principles and rules established in this Regulation and applied in the light of this Regulation. In order to provide a strong and coherent data protection framework in the Union, the necessary adaptations of Regulation (EC) No 45/2001 should follow after the adoption of this Regulation, in order to allow application at the same time as this Regulation.

Recital 18: Household Exception

This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

Recital 19: Not Applicable to Criminal Prosecution Activities

The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act. This Regulation should not, therefore, apply to processing activities for those purposes. However, personal data processed by public authorities under this Regulation should, when used for those purposes, be governed by a more specific Union legal act, namely Directive (EU) 2016/680 of the European Parliament and of the Council. Member States may entrust competent authorities within the meaning of Directive (EU) 2016/680 with tasks which are not necessarily carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security, so that the processing of personal data for those other purposes, in so far as it is within the scope of Union law, falls within the scope of this Regulation. With regard to the processing of personal data by those competent authorities for purposes falling within scope of this Regulation, Member States should be able to maintain or introduce more specific provisions to adapt the application of the rules of this Regulation. Such provisions may determine more precisely specific requirements for the processing of personal data by those competent authorities for those other purposes, taking into account the constitutional, organisational and administrative structure of the respective Member State. When the processing of personal data by private bodies falls within the scope of this Regulation, this Regulation should provide for the possibility for Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific important interests including public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This is relevant for instance in the framework of anti-money laundering or the activities of forensic laboratories.

Recital 20: Respect to the Independence of the Judiciary

While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.

Recital 21: Application without Prejudice to the Application of Directive 2000/31/EC

This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.

Recital 27: Not Applicable to Deceased Persons

This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

Commentary

Article 2 GDPR sets out the material scope of the GDPR. Paragraph 1 clarifies that the Regulation applies to any processing of personal data by automated means or to the non-automated processing of personal data that is or is intended to be stored in a filing system. Paragraph 2 provides for exceptions that exclude the applicability of the GDPR, such as data processing relating to activities outside the scope of European law or relating to purely personal or domestic activities. Paragraph 3 confirms the validity of sector-specific data protection laws for the processing carried out by European institutions provided that these regulations are brought into compliance with the GDPR pursuant to Article 98 of the same Regulation. Finally, Paragraph 4 clarifies that the rules of Directive 2000/31/EC are not affected by the provisions of the GDPR.

(1) Material Scope

The GDPR applies to the processing of personal data by automated means. The expression "automated means" is not defined in the GDPR but, according to the scholars, should be understood broadly and includes all procedures in which at least part of a data processing is carried out automatically using a given program without further human intervention. ^[1]

The data processing must be fully or partially automated. In any case, there is partial automation when an individual data processing operation is carried out partly manually and partly automatically. This is the case, for example, when personal data is entered manually into a digital database. In addition, partial automation can also be assumed if several data processing operations, some of which are carried out manually and some of which are automated, are sufficiently closely linked in a coherent processing process. ^[2]

In addition, the GDPR applies to non-automated processing of personal data if the personal data forms part of a filing system, or is intended for this purpose.^[3] The concept of "Filing system" is defined in Article 4(6) and Recital 15 GDPR. The GDPR reproduces the definition of ‘filing system’ provided in Article 2(c) Directive 95/46/EC verbatim.^[4] The concept of a ‘filing system’ under the Directive 95/46/EC has been addressed by the CJEU in Jehovan todistajat,^[5] as well as by various Attorney General opinions.^[6]

As the material scope of the GDPR concerns the processing of personal data, anonymized data falls outside the GDPR. The question of whether data is “personal” or “anonymous” is a technical and factual question. There is, however, a very high barrier for data to be considered anonymous as the probability of re-identification is normally considered high. Pseudonymised data falls under the GDPR.

(2) Exceptions

If the elements in Article 2(1) are fulfilled, the GDPR applies unless the processing falls under one of the exceptions named in Article 2(2)(a)-(d) GDPR.

(a) Activities which Fall Outside the Scope of Union Law

The first category of excluded processing relates to processing for activities "which falls outside the scope of Union law". ^[7]

The wording is not particularly helpful because it is not always simple to clarify what the "scope of Union law" is. In practice, however, the problems of interpretation seem to have a limited impact. One of the competences of the European Union is in fact to establish an internal market in which the free flow of data is guaranteed. It follows that all data processing activities directly or indirectly related to the functioning of the internal market will be considered included in the scope of Union law (and therefore excluded from this exception).

In this perspective, processing activities carried out by individuals and companies will almost always be included in the scope of Union law (in so far they are useful or instrumental to the internal market). The same can be said for activities carried out by public authorities as a consequence of the strong European competences in most states activities.

Consequently, the only case of non-application of EU law seems to be provided for in Article 4(2) TFEU, according to which “national security remains the sole responsibility of the individual Member States”. It follows that all activities related to national security, such as data processing by intelligence services, are excluded from the scope of EU law. Recital 16 confirms this interpretation and adds that the following are also excluded from the scope of the Regulation “the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union” (see letter (b) below).

(b) EU Common Foreign and Security Policy

Article 2(2)(b) excludes the applicability of the GDPR for the processing of personal data carried out by the Member States when performing activities in of Union’s common foreign and security policy (that is, the scope of Chapter 2 of Title V of the TEU).

Under Article 39 TEU the Council shall adopt a decision laying down the rules relating to the protection of individuals with regard to the processing of personal data by the Member States when carrying out such activities. However, these rules have not yet been adopted.

However, it is worth recalling that although under Article 2 the GDPR is not applicable in the above circumstances, Articles 7 (protection of family life) and 8 (data protection) of the EU Charter of Fundamental Rights remain applicable.^[8]

(c) Processing by a Natural Person in the Course of Purely Personal or Household Activity

Article 2(2)(c) GDPR confirms the so-called “household exception”, already existing under the earlier Directive EC/95/46. According to this provision, the GDPR does not apply where processing is carried out by a natural person for purely personal or household activities.

Natural person

In order for the exception to apply, it is essential that the processing be performed by a natural person. It follows that processing by legal entities, whatever legal form they may have, including NGOs, is not covered by the exception and therefore remains subject to the GDPR [Paal in Paal, Pauly, DS-GVO BDSG, Article 2 GDPR, margin number 14 (Beck 2021, 3^rd ed.) (1 September 2021).].

Personal or household activities

The GDPR does not provide a specific definition of “personal” and “household” activities. In order to distinguish “private” from “non-private”, different criteria can be inferred from the existing case-law.

A first criterion focuses on the spatial aspect of the processing. Activities that take place on a private area can be considered “personal”. Conversely, public places are excluded from the application of the household exception.^[9] A second criterion centres on the social aspect of the processing. Instead seeks to investigate, on the one hand, the relationship between the natural person who carries out the processing and the data subjects and, on the other, the extent of the group of subjects who have access to the personal data. Finally, a third and last criterion is the purpose pursued. According to Recital 18 these activities must have no connection with anything 'professional' or 'economic'. Consequently, if the activities pursue such purposes, the exclusion clause will not apply.

Social networks

Recital 18 provides some examples of exempted activities such as the holding of addresses, or social networking and online activity undertaken within the context of such activities.

The reference to social networks as a type of activity exempted from the GDPR seems to be in contrast with the case law of the EU Court of Justice (in particular, Lindqvist) according to which the publication of personal data on a blogging site made available to an unlimited number of people would 'obviously' not be subject to the household exception. This interpretation seems confirmed by CJEU Ryneš where the Court takes a narrow view of the exemption. In that case, a camera system installed on a family home for the purposes of protecting the property was not considered to fall under the exception insofar as it also recorded a public space.

In order to provide organicity to the system, scholars have (in our view, convincingly) argued that the number of potential recipients of personal data should be verified in order to apply the exception. In this perspective, the Regulation would not apply to processing operations having a limited number of recipients. Conversely, if the processing or message is available to an indeterminate number of recipients, the household exception will not apply.^[10]

(d) Processing by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal penalties

While the GDPR does not apply to the processing operations mentioned in Article 2(2)(d) GDPR, this does not mean that this area does not enjoy data protection. As seen in CJEU - C-293/12 - Digital Rights Ireland and later the CJEU - Joined Cases of C-203/15 and C-698/15 - Tele2 Sverige, Primary Law still puts limitations on the use of personal data for these purposes. More importantly, the enactment of Directive (EU) 2016/680 now regulates this area.

(3) Union Institutions

Where data is processed by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. The EUDPR, which revises Regulation (EC) No. 45/2001 to align it with the GDPR, was adopted in October 2018. Chapter IX of the EUDPR outlines general rules on data protection applicable EU law enforcement activities within the scope of Chapter 2 of Title V of the TFEU.

(4) Directive 2000/31/EC

The GDPR applies without prejudice to the application of Directive 2000/31/EC (‘the e-Commerce Directive’). Specific reference is made to Articles 12 to15 e-Commerce Directive, which concern the liability of intermediary service providers ("ISP") in situations where they merely transmit information, ‘cache’ information, or merely store information.

Decisions

→ You can find all related decisions in Category:Article 2 GDPR

References

↑ Baker in Wolff, Brink, BeckOK DatenschutzR, Article 2 GDPR, margin number 2 (Beck 2021, 36th ed.) (accessed 3 September 2021).
↑ Baker in Wolff, Brink, BeckOK DatenschutzR, Article 2 GDPR, margin number 3 (Beck 2021, 36th ed.) (accessed 3 September 2021).
↑ If the data is intended as part of a filing system, but is not processed by automated means, the collection of such data will constitute a processing operation even before it is organized into a filing system.
↑ Kranenborg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 2 GDPR, p. 67 (Oxford University Press 2020).
↑ Kranenborg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 2 GDPR, p. 67 (Oxford University Press 2020).
↑ See Opinion of Advocate General Kokott, 8 May 2008, Sautmedia, C‑73/07, margin number 34 (available here https://curia.europa.eu/juris/document/document.jsf;jsessionid=F087BE2C7DF508FA67FED22A4E923E46?text=&docid=67007&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631); Opinion of Advocate General Sharpston, 15 October 2009, Commission v Bavarian Lager, C-28/08 P, margin numbers 117-128 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=72502&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631); Opinion of Advocate General Kokott, 20 July 2017, Nowak, C-434/16, margin number 69 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=193042&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631); Opinion of Advocate General Mengozzi, 1 February 2018, Jehovan todistajat, C-25/17, margin numbers 53-59 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=198949&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631).
↑ The competences of the Union are set out in the EU treaties. In particular, Title 1 of the TFEU sets out the exclusive competence of the Union. While the competences of the EU are carefully shared between Member States and the EU, the GDPR simply differentiates between non-Union law and Union law.
↑ In this sense, Baker, in BeckOK DatenschutzR, Article 2 GDPR, margin number 11 (Beck 2020, 36th ed.) (accessed 7 September 2021)
↑ CJEU, 11 December 2014, František Ryneš, C-212/13
↑ Baker, in BeckOK DatenschutzR, Article 2 GDPR, margin number 18-19 (Beck 2020, 36th ed.) (accessed 7 September 2021)

[1] Baker in Wolff, Brink, BeckOK DatenschutzR, Article 2 GDPR, margin number 2 (Beck 2021, 36th ed.) (accessed 3 September 2021).

[2] Baker in Wolff, Brink, BeckOK DatenschutzR, Article 2 GDPR, margin number 3 (Beck 2021, 36th ed.) (accessed 3 September 2021).

[3] If the data is intended as part of a filing system, but is not processed by automated means, the collection of such data will constitute a processing operation even before it is organized into a filing system.

[:0-4] Kranenborg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 2 GDPR, p. 67 (Oxford University Press 2020).

[5] Kranenborg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 2 GDPR, p. 67 (Oxford University Press 2020).

[6] See Opinion of Advocate General Kokott, 8 May 2008, Sautmedia, C‑73/07, margin number 34 (available here https://curia.europa.eu/juris/document/document.jsf;jsessionid=F087BE2C7DF508FA67FED22A4E923E46?text=&docid=67007&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631); Opinion of Advocate General Sharpston, 15 October 2009, Commission v Bavarian Lager, C-28/08 P, margin numbers 117-128 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=72502&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631); Opinion of Advocate General Kokott, 20 July 2017, Nowak, C-434/16, margin number 69 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=193042&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631); Opinion of Advocate General Mengozzi, 1 February 2018, Jehovan todistajat, C-25/17, margin numbers 53-59 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=198949&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631).

[7] The competences of the Union are set out in the EU treaties. In particular, Title 1 of the TFEU sets out the exclusive competence of the Union. While the competences of the EU are carefully shared between Member States and the EU, the GDPR simply differentiates between non-Union law and Union law.

[8] In this sense, Baker, in BeckOK DatenschutzR, Article 2 GDPR, margin number 11 (Beck 2020, 36th ed.) (accessed 7 September 2021)

[9] CJEU, 11 December 2014, František Ryneš, C-212/13

[10] Baker, in BeckOK DatenschutzR, Article 2 GDPR, margin number 18-19 (Beck 2020, 36th ed.) (accessed 7 September 2021)

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

@@ Line 213: / Line 213: @@
 In addition, the GDPR applies to non-automated processing of personal data if the personal data forms part of a filing system, or is intended for this purpose.<ref>If the data is intended as part of a filing system, but is not processed by automated means, the collection of such data will constitute a processing operation even before it is organized into a filing system.</ref> The concept of "Filing system" is defined in [[Article 4 GDPR|Article 4(6)]] and Recital 15 GDPR. The GDPR reproduces the definition of ‘filing system’ provided in [https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML Article 2(c) Directive 95/46/EC] ''verbatim''.<ref name=":0">''Kranenborg'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 2 GDPR, p. 67 (Oxford University Press 2020).</ref> The concept of a ‘filing system’ under the Directive 95/46/EC has been addressed by the CJEU in ''Jehovan todistajat,''<ref>''Kranenborg'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 2 GDPR, p. 67 (Oxford University Press 2020).</ref> as well as by various Attorney General opinions.<ref>See Opinion of Advocate General Kokott, 8 May 2008, Sautmedia, C‑73/07, margin number 34 (available here https://curia.europa.eu/juris/document/document.jsf;jsessionid=F087BE2C7DF508FA67FED22A4E923E46?text=&docid=67007&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631); Opinion of Advocate General Sharpston, 15 October 2009, Commission v Bavarian Lager, C-28/08 P, margin numbers 117-128 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=72502&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631); Opinion of Advocate General Kokott, 20 July 2017, Nowak, C-434/16, margin number 69 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=193042&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631); Opinion of Advocate General Mengozzi, 1 February 2018, Jehovan todistajat, C-25/17, margin numbers 53-59 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=198949&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631).</ref>
-It is irrelevant which form the personal data takes. Structured as well as unstructured data will fall under the material scope of the GDPR as long as it concerns personal data.
 As the material scope of the GDPR concerns the processing of personal data, anonymized data falls outside the GDPR. The question of whether data is “personal” or “anonymous” is a technical and factual question. There is, however, a very high barrier for data to be considered anonymous as the probability of re-identification is normally considered high. [[Article 4 GDPR#5|Pseudonymised data]] falls under the GDPR.
@@ Line 230: / Line 228: @@
 Consequently, the only case of non-application of EU law seems to be provided for in Article 4(2) TFEU, according to which “''national security remains the sole responsibility of the individual Member States''”. It follows that all activities related to national security, such as data processing by intelligence services, are excluded from the scope of EU law. Recital 16 confirms this interpretation and adds that the following are also excluded from the scope of the Regulation “''the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union''” (see letter (b) below).
 ====(b) EU Common Foreign and Security Policy====
-Article 2(2)(b) excludes the applicability of the GDPR for the processing of personal data in the context of the Union’s common foreign and security policy (that is, the scope of Chapter 2 of Title V of the TEU). This field is not entirely deregulated as under [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012M%2FTXT Article 39 TEU] the Council shall adopt rules on data protection in this fields (these rules have not yet been adopted). In any case, even when the exclusion applies, Articles 7 (protection of family life) and 8 (data protection) of the EU Charter of Fundamental Rights remain applicable. <ref>In this sense, ''Baker'', in BeckOK DatenschutzR, Article 2 GDPR, margin number 11 (Beck 2020, 36th ed.) (accessed 7 September 2021).</ref>
+Article 2(2)(b) excludes the applicability of the GDPR for the processing of personal data carried out by the Member States when performing activities in of Union’s common foreign and security policy (that is, the scope of Chapter 2 of Title V of the TEU).
+Under Article 39 TEU the Council shall adopt a decision laying down the rules relating to the protection of individuals with regard to the processing of personal data by the Member States when carrying out such activities. However, these rules have not yet been adopted.
+However, it is worth recalling that although under Article 2 the GDPR is not applicable in the above circumstances, Articles 7 (protection of family life) and 8 (data protection) of the EU Charter of Fundamental Rights remain applicable.<ref>In this sense, ''Baker'', in BeckOK DatenschutzR, Article 2 GDPR, margin number 11 (Beck 2020, 36th ed.) (accessed 7 September 2021)</ref>
 ====(c) Processing by a Natural Person in the Course of Purely Personal or Household Activity====
-Processing that falls under the exception of “household activities” are exempt from the GDPR. Only processing by data subjects themselves qualify for the household exemption.
+Article 2(2)(c) GDPR confirms the so-called “household exception”, already existing under the earlier Directive EC/95/46. According to this provision, the GDPR does not apply where processing is carried out by a natural person for purely personal or household activities.
+===== Natural person =====
+In order for the exception to apply, it is essential that the processing be performed by a natural person. It follows that processing by legal entities, whatever legal form they may have, including NGOs, is not covered by the exception and therefore remains subject to the GDPR [''Paal'' in Paal, Pauly, DS-GVO BDSG, Article 2 GDPR, margin number 14 (Beck 2021, 3<sup>rd</sup> ed.) (1 September 2021).].
+===== Personal or household activities =====
+The GDPR does not provide a specific definition of “personal” and “household” activities. In order to distinguish “private” from “non-private”, different criteria can be inferred from the existing case-law.
+A first criterion focuses on the spatial aspect of the processing. Activities that take place on a private area can be considered “personal”. Conversely, public places are excluded from the application of the household exception.<ref>CJEU, 11 December 2014, František Ryneš, C-212/13</ref> A second criterion centres on the social aspect of the processing. Instead seeks to investigate, on the one hand, the relationship between the natural person who carries out the processing and the data subjects and, on the other, the extent of the group of subjects who have access to the personal data. Finally, a third and last criterion is the purpose pursued. According to Recital 18 these activities must have no connection with anything 'professional' or 'economic'. Consequently, if the activities pursue such purposes, the exclusion clause will not apply.
+====== Social networks ======
+Recital 18 provides some examples of exempted activities such as the holding of addresses, or social networking and online activity undertaken within the context of such activities.
-The exemption follows the earlier Directive [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046 EC/95/46].
+The reference to social networks as a type of activity exempted from the GDPR seems to be in contrast with the case law of the EU Court of Justice (in particular, Lindqvist) according to which the publication of personal data on a blogging site made available to an unlimited number of people would 'obviously' not be subject to the household exception. This interpretation seems confirmed by CJEU Ryneš where the Court takes a narrow view of the exemption. In that case, a camera system installed on a family home for the purposes of protecting the property was not considered to fall under the exception insofar as it also recorded a public space.
-The decision in [[CJEU - C‑212/13 - František Ryneš|C-212/13 - Ryneš]] indicates that the CJEU takes a narrow view of the exemption to household activities. In the case, a camera system installed on a family home for the purposes of protecting the property was not considered to fall under the exception insofar as it also recorded a public space.
+In order to provide organicity to the system, scholars have (in our view, convincingly) argued that the number of potential recipients of personal data should be verified in order to apply the exception. In this perspective, the Regulation would not apply to processing operations having a limited number of recipients. Conversely, if the processing or message is available to an indeterminate number of recipients, the household exception will not apply.<ref>''Baker'', in BeckOK DatenschutzR, Article 2 GDPR, margin number 18-19 (Beck 2020, 36th ed.) (accessed 7 September 2021)</ref>
 ====(d) Processing by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal penalties====
-While the GDPR does not apply to the processing operations mentioned in Article 2(2)(d) GDPR, this does not mean that this area does not enjoy data protection. As seen in CJEU - C-293/12 - Digital Rights Ireland and later the CJEU - Joined Cases of C-203/15 and C-698/15 - Tele2 Sverige, Primary Law still puts limitations on the use of personal data for these purposes.
+While the GDPR does not apply to the processing operations mentioned in Article 2(2)(d) GDPR, this does not mean that this area does not enjoy data protection. As seen in CJEU - C-293/12 - Digital Rights Ireland and later the CJEU - Joined Cases of C-203/15 and C-698/15 - Tele2 Sverige, Primary Law still puts limitations on the use of personal data for these purposes. More importantly, the enactment of [https://eur-lex.europa.eu/eli/dir/2016/680/oj Directive (EU) 2016/680] now regulates this area.
-More importantly, the enactment of [https://eur-lex.europa.eu/eli/dir/2016/680/oj Directive (EU) 2016/680] now regulates this area.
 ===(3) Union Institutions===