Article 2 GDPR
Legal Text
1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
2. This Regulation does not apply to the processing of personal data:
- (a) in the course of an activity which falls outside the scope of Union law;
- (b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
- (c) by a natural person in the course of a purely personal or household activity;
- (d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
3. For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.
4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.
Relevant Recitals
In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC (5).
The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.
In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.
This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.
Regulation (EC) No 45/2001 of the European Parliament and of the Council (6) applies to the processing of personal data by the Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data should be adapted to the principles and rules established in this Regulation and applied in the light of this Regulation. In order to provide a strong and coherent data protection framework in the Union, the necessary adaptations of Regulation (EC) No 45/2001 should follow after the adoption of this Regulation, in order to allow application at the same time as this Regulation.
This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act. This Regulation should not, therefore, apply to processing activities for those purposes. However, personal data processed by public authorities under this Regulation should, when used for those purposes, be governed by a more specific Union legal act, namely Directive (EU) 2016/680 of the European Parliament and of the Council (7). Member States may entrust competent authorities within the meaning of Directive (EU) 2016/680 with tasks which are not necessarily carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security, so that the processing of personal data for those other purposes, in so far as it is within the scope of Union law, falls within the scope of this Regulation.
With regard to the processing of personal data by those competent authorities for purposes falling within scope of this Regulation, Member States should be able to maintain or introduce more specific provisions to adapt the application of the rules of this Regulation. Such provisions may determine more precisely specific requirements for the processing of personal data by those competent authorities for those other purposes, taking into account the constitutional, organisational and administrative structure of the respective Member State. When the processing of personal data by private bodies falls within the scope of this Regulation, this Regulation should provide for the possibility for Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific important interests including public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This is relevant for instance in the framework of anti-money laundering or the activities of forensic laboratories.
While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.
This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council (8), in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.
This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.
Commentary
Article 2 sets out the material scope of the GDPR and is thus the basis for when the GDPR applies to a processing operation.
The ePrivacy directive is lex specialis to the GDPR, as set out in Article 95.
(1) Material scope
The material scope of the GDPR is wide and applies to the processing of personal data wholly or partly by automated means. In addition, it applies to non-automated processing of personal data if the personal data forms part of a filing system, or is intended for this purpose.
It is therefore irrelevant which form the personal data takes. Structured as well as unstructured data will fall under the material scope of the GDPR as long as it concerns personal data. If the data is intended as part of a filing system, but is not processed by automated means, the collection of such data will constitute a processing operation even before it is organized into a filing system.
You can help us comment on what a filing system is!
As the material scope of the GDPR concerns the processing of personal data, anonymized data falls outside the GDPR. The question of whether data is “personal” or “anonymous” is a technical and factual question. There is, however, a very high barrier for data to be considered anonymous. The possibility of re-identification is normally considered high and personal data is also broadly defined. Pseudonymised data falls under the GDPR, however certain requirements are relaxed to incentivize processing of personal data in a way that is seen as more privacy friendly.
(2) Exceptions
If the elements in Article 2(1) are fulfilled, the GDPR applies unless the processing falls under one of the exceptions found in Article 2(2)(a)-(d).
(a) Activities which falls outside the scope of Union law
The competences of the Union are set out in EU treaties. In particular, TFEU Title 1 sets out the exclusive competence of the Union. While the competences of the EU are carefully shared between Member States and the EU, the GDPR simply differentiates between non-Union law and Union law.
(b) Activities which fall within the scope of Chapter 2 of Title V of the TEU
Title V of the TEU concerns the common foreign and security policy of the EU. While data protection rules apply, the GDPR does not. It follows from Article 16(2) TFEU that data protections laws concerning these issues must be pursuant to Article 39 TEU.
(c) By a natural person in the course of a purely personal or household activity
Processing that falls under the exception of “household activities” are exempt from the GDPR.
The exemption follows from the earlier Directive EC/95/46.
The decision in C-212/13 - Ryneš indicates that the CJEU takes a narrow view of the exemption to household activities. In the case, a camera system installed on a family home for the purposes of protecting the property was not considered as falling under the exception insofar as it also recorded a public space.
(d) By competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (…)
While the GDPR does not apply to the processing operations mentioned in Article 2(2)(d), this does not mean that this area does not enjoy data protection. As seen in CJEU - C-293/12 - Digital Rights Ireland and later the CJEU - Joined Cases of C-203/15 and C-698/15 - Tele2 Sverige, Primary Law still puts limitations on the use of personal data for these purposes.
More importantly, the enactment of Directive (EU) 2016/680 now regulates this area.
(3) Union institutions
You can help us fill this section!
(4) Without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive
You can help us fill this section!
Decisions
→ You can find all related decisions in Category:Article 2 GDPR