Editing Article 2 GDPR

From GDPRhub

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 280: Line 280:
 
The ePrivacy directive is ''lex specialis'' to the GDPR, as set out in [[Article 95 GDPR|Article 95]].
 
The ePrivacy directive is ''lex specialis'' to the GDPR, as set out in [[Article 95 GDPR|Article 95]].
  
===Material scope===
+
===(1) Material scope===
 
The material scope of the GDPR is wide and applies to the [[Article 4 GDPR#2|processing]] of [[Article 4 GDPR#1|personal data]] '''wholly''' or '''partly''' by automated means. In addition, it applies to non-automated processing of personal data if the personal data forms part of a [[Article 4 GDPR#6|filing system]], or is intended for this purpose.
 
The material scope of the GDPR is wide and applies to the [[Article 4 GDPR#2|processing]] of [[Article 4 GDPR#1|personal data]] '''wholly''' or '''partly''' by automated means. In addition, it applies to non-automated processing of personal data if the personal data forms part of a [[Article 4 GDPR#6|filing system]], or is intended for this purpose.
  
 
It is therefore irrelevant which form the personal data takes. Structured as well as unstructured data will fall under the material scope of the GDPR as long as it concerns personal data. If the data is intended as part of a filing system, but is not processed by automated means, the collection of such data will constitute a processing operation even before it is organized into a filing system.
 
It is therefore irrelevant which form the personal data takes. Structured as well as unstructured data will fall under the material scope of the GDPR as long as it concerns personal data. If the data is intended as part of a filing system, but is not processed by automated means, the collection of such data will constitute a processing operation even before it is organized into a filing system.
  
‘Filing system’ is defined in Article 4(6) and Recital 15 GDPR. The GDPR reproduces the definition of ‘filing system’ provided in Article 2(c) DPD ''verbatim''.<ref name=":0">H. Kranenborg, Article 2. Material scope (in) ''The EU General Data Protection Regulation (GDPR). A Commentary'', ed. by Christopher Kuner, Lee A. Bygrave, Christopher Docksey, and Assistant Editor Laura Drechsler, OUP 2020.</ref> The concept of a ‘filing system’ under the DPD has been addressed by the CJEU in ''Jehovan todistajat,''<ref name=":0" /> as well as by various Attorney General opinions.<ref>See AG Opinion in C-73/07 ''Sautmedia'', para. 34; AG Opinion in C-28/08 P ''Commission v Bavarian Lager'', paras. 117-128; AG Opinion in C-434/16 ''Nowak,'' para. 69; AG Opinion in Case C-25/17 ''Jehovan'' ''todistajat'', paras. 53-59.</ref>
+
''You can help us comment on what a filing system is!''
  
 
As the material scope of the GDPR concerns the processing of personal data, anonymized data falls outside the GDPR. The question of whether data is “personal” or “anonymous” is a technical and factual question. There is, however, a very high barrier for data to be considered anonymous. The possibility of re-identification is normally considered high and personal data is also broadly defined. [[Article 4 GDPR#5|Pseudonymised data]] falls under the GDPR, however certain requirements are relaxed to incentivize processing of personal data in a way that is seen as more privacy friendly.
 
As the material scope of the GDPR concerns the processing of personal data, anonymized data falls outside the GDPR. The question of whether data is “personal” or “anonymous” is a technical and factual question. There is, however, a very high barrier for data to be considered anonymous. The possibility of re-identification is normally considered high and personal data is also broadly defined. [[Article 4 GDPR#5|Pseudonymised data]] falls under the GDPR, however certain requirements are relaxed to incentivize processing of personal data in a way that is seen as more privacy friendly.
  
===Exceptions===
+
===(2) Exceptions===
 
If the elements in Article 2(1) are fulfilled, the GDPR applies unless the processing falls under one of the exceptions found in Article 2(2)(a)-(d).  
 
If the elements in Article 2(1) are fulfilled, the GDPR applies unless the processing falls under one of the exceptions found in Article 2(2)(a)-(d).  
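
Review bot: The "Your text" side replaces the filing-system paragraph with the placeholder "You can help us comment on what a filing system is!", which drops the pointer to Article 4(6) and Recital 15, the reference to Jehovan todistajat, and the only visible definition of the named reference ":0" (the Kranenborg commentary). If that named reference is reused further down the page, it would be left without a definition. Suggest keeping the existing paragraph and applying only the heading change to "(1) Material scope", or moving the full citation to its next use before removing it here.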
  
Line 298: Line 298:
 
Title V of the TEU<ref>https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012M%2FTXT</ref> concerns the common foreign and security policy of the EU. While data protection rules apply, the GDPR does not. It follows from Article 16(2) TFEU that data protections laws concerning these issues must be pursuant to Article 39 TEU.
 
Title V of the TEU<ref>https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012M%2FTXT</ref> concerns the common foreign and security policy of the EU. While data protection rules apply, the GDPR does not. It follows from Article 16(2) TFEU that data protections laws concerning these issues must be pursuant to Article 39 TEU.
  
====(c) Processing by a natural person in the course of a purely personal or household activity====
+
====(c) By a natural person in the course of a purely personal or household activity====
Processing that falls under the exception of “household activities” are exempt from the GDPR. Only processing by data subjects themselves qualify for the household exemption.
+
Processing that falls under the exception of “household activities” are exempt from the GDPR. Only processing by the data subject themself qualifies for the household exemption.
  
 
The exemption follows the earlier Directive [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046 EC/95/46].  
 
The exemption follows the earlier Directive [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046 EC/95/46].  
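
Review bot: In the changed sentence under heading (c), "Processing that falls under the exception of 'household activities' are exempt" still has a subject-verb mismatch on both sides of the comparison; it should read "is exempt". The same paragraph limits the exemption to processing "by the data subject themself", while the heading directly above it speaks of processing "by a natural person"; the two should use the same term. The shortened heading "(c) By a natural person ..." also no longer reads as a full phrase on its own, so consider keeping "Processing by".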
Line 305: Line 305:
 
The decision in [[CJEU - C-212/13 - Rynes|C-212/13 - Ryneš]] indicates that the CJEU takes a narrow view of the exemption to household activities. In the case, a camera system installed on a family home for the purposes of protecting the property was not considered to fall under the exception insofar as it also recorded a public space.
 
The decision in [[CJEU - C-212/13 - Rynes|C-212/13 - Ryneš]] indicates that the CJEU takes a narrow view of the exemption to household activities. In the case, a camera system installed on a family home for the purposes of protecting the property was not considered to fall under the exception insofar as it also recorded a public space.
  
====(d) Processing by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (…)====
+
====(d) By competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (…)====
 
While the GDPR does not apply to the processing operations mentioned in Article 2(2)(d), this does not mean that this area does not enjoy data protection. As seen in [[CJEU - C-293/12 - Digital Rights Ireland]] and later the [[CJEU - Joined Cases of C-203/15 and C-698/15 - Tele2 Sverige]], Primary Law still puts limitations on the use of personal data for these purposes.
 
While the GDPR does not apply to the processing operations mentioned in Article 2(2)(d), this does not mean that this area does not enjoy data protection. As seen in [[CJEU - C-293/12 - Digital Rights Ireland]] and later the [[CJEU - Joined Cases of C-203/15 and C-698/15 - Tele2 Sverige]], Primary Law still puts limitations on the use of personal data for these purposes.
  
 
More importantly, the enactment of [https://eur-lex.europa.eu/eli/dir/2016/680/oj Directive (EU) 2016/680] now regulates this area.
 
More importantly, the enactment of [https://eur-lex.europa.eu/eli/dir/2016/680/oj Directive (EU) 2016/680] now regulates this area.
  
===Union institutions===
+
====(3) Union institutions====
Where data is processed by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. The EUDPR, which revises Regulation (EC) No. 45/2001 to align it with the GDPR, was adopted in October 2018. Chapter IX of the EUDPR outlines general rules on data protection applicable EU law enforcement activities within the scope of Chapter 2 of Title V of the TFEU.
+
''You can help us fill this section!''
  
===Directive 2000/31/EC===
+
====(4) Without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive====
The GDPR applies without prejudice to the application of Directive 2000/31/EC (‘the e-Commerce Directive’). Specific reference is made to Articles 12 to15 of the e-Commerce Directive, which concern the liability of intermediary service providers ("ISP") in situations where they: merely transmit information, ‘cache’ information, or merely store information.
+
''You can help us fill this section!''
  
 
==Decisions==
 
==Decisions==
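
Review bot: The new headings "====(3) Union institutions====" and "====(4) Without prejudice to the application of Directive 2000/31/EC ...====" are level 4, the same level as "====(d) ...====" in this comparison, while "===(1) Material scope===" and "===(2) Exceptions===" are level 3, so paragraphs (3) and (4) would nest under "(2) Exceptions". Use three equals signs for both. This side also replaces the existing text on Regulation (EC) No 45/2001, the EUDPR and Articles 12 to 15 of the e-Commerce Directive with "You can help us fill this section!" placeholders; if renumbering the headings is the goal, keep those paragraphs.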
