Article 2 GDPR: Difference between revisions

From GDPRhub
m (→‎Commentary: corrected a typo)
(30 intermediate revisions by 7 users not shown)
Line 185: Line 185:


==Legal Text==
==Legal Text==
<center>'''Article 2 - Material scope'''</center><span id="1">1. This Regulation applies to the [[Article 4 GDPR#2|processing]] of [[Article 4 GDPR#2|personal data]] wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.</span>
<br /><center>'''Article 2 - Material scope'''</center>
 
<span id="1">1. This Regulation applies to the [[Article 4 GDPR#2|processing]] of [[Article 4 GDPR#2|personal data]] wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.</span>


<span id="2">2. This Regulation does not apply to the processing of personal data:</span>
<span id="2">2. This Regulation does not apply to the processing of personal data:</span>
Line 202: Line 204:


==Relevant Recitals==
==Relevant Recitals==
{{Recital/13 GDPR}}{{Recital/14 GDPR}}{{Recital/15 GDPR}}{{Recital/16 GDPR}}{{Recital/17 GDPR}}{{Recital/18 GDPR}}{{Recital/19 GDPR}}{{Recital/20 GDPR}}{{Recital/21 GDPR}}{{Recital/27 GDPR}}


<span id="r13">
==Commentary==
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
Article 2 GDPR sets out the material scope of the GDPR. Paragraph 1 clarifies that the Regulation applies to any processing of personal data by automated means or to the non-automated processing of personal data that is or is intended to be stored in a filing system. Paragraph 2 provides for exemptions that exclude the applicability of the GDPR, such as data processing relating to activities outside the scope of European law or relating to purely personal or domestic activities. Paragraph 3 confirms the validity of sector-specific data protection laws for the processing carried out by European institutions provided that these regulations are brought into compliance with the GDPR. Finally, Paragraph 4 clarifies that the rules of Directive 2000/31/EC are not affected by the provisions of the GDPR.  
<div>'''Recital 13''': Legal certainty for economic operators </div>
<div class="mw-collapsible-content">
In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC (5).
</div></div>
 
<span id="r14">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
<div>'''Recital 14''': Only applicable to natural persons</div>
<div class="mw-collapsible-content">
The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.
</div></div>
 
<span id="r15">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
<div>'''Recital 15''': Technology neutral </div>
<div class="mw-collapsible-content">
In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.
</div></div>
 
<span id="r16">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
<div>'''Recital 16''': Not applicable to activities outside Union law</div>
<div class="mw-collapsible-content">
This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.
</div></div>
 
<span id="r17">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
<div>'''Recital 17''': Regulation (EC) No 45/2001 applies to the processing of personal data by Union institutions, bodies and offices </div>
<div class="mw-collapsible-content">
Regulation (EC) No 45/2001 of the European Parliament and of the Council (6) applies to the processing of personal data by the Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data should be adapted to the principles and rules established in this Regulation and applied in the light of this Regulation. In order to provide a strong and coherent data protection framework in the Union, the necessary adaptations of Regulation (EC) No 45/2001 should follow after the adoption of this Regulation, in order to allow application at the same time as this Regulation.
</div></div>
 
<span id="r18">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
<div>'''Recital 18''': Not applicable to household activities</div>
<div class="mw-collapsible-content">
This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
</div></div>


<span id="r19">
=== (1) Material Scope ===
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
The Regulation applies to any processing<ref>See, Article 4(2) of the Commentary.</ref> of personal data by automated means or to the non-automated processing of personal data that is or is intended to be stored in a filing system.  
<div>'''Recital 19''': Not applicable to criminal prosecution</div>
<div class="mw-collapsible-content">
The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act. This Regulation should not, therefore, apply to processing activities for those purposes. However, personal data processed by public authorities under this Regulation should, when used for those purposes, be governed by a more specific Union legal act, namely Directive (EU) 2016/680 of the European Parliament and of the Council (7). Member States may entrust competent authorities within the meaning of Directive (EU) 2016/680 with tasks which are not necessarily carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security, so that the processing of personal data for those other purposes, in so far as it is within the scope of Union law, falls within the scope of this Regulation.


With regard to the processing of personal data by those competent authorities for purposes falling within scope of this Regulation, Member States should be able to maintain or introduce more specific provisions to adapt the application of the rules of this Regulation. Such provisions may determine more precisely specific requirements for the processing of personal data by those competent authorities for those other purposes, taking into account the constitutional, organisational and administrative structure of the respective Member State. When the processing of personal data by private bodies falls within the scope of this Regulation, this Regulation should provide for the possibility for Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific important interests including public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This is relevant for instance in the framework of anti-money laundering or the activities of forensic laboratories.
==== Automated means ====
</div></div>
The expression "automated means" is not defined in the GDPR. According to scholars, it should nonetheless be understood broadly as including all procedures in which at least part of the data processing is carried out automatically, using a given program, without further human intervention.<ref>''Bäcker,'' in Wolff, Brink, BeckOK Datenschutzrecht, Article 2 GDPR, margin number 2 (C.H. Beck 2021, 38th edition).</ref>


<span id="r20">
==== Wholly or Partly by Automated Means ====
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
The data processing must be ''fully'' or ''partially'' automated. A data processing activity is understood as partially automated when it is carried out partly manually and partly automatically. For example, this is the case when personal data is manually entered into a digital database, or if several data processing operations, some of which are carried out manually and some of which are automated, are sufficiently closely linked in a logical process.<ref>''Bäcker,'' in Wolff, Brink, BeckOK Datenschutzrecht, Article 2 GDPR, margin number 3 (C.H. Beck 2021, 38th edition).</ref>
<div>'''Recital 20''': Judiciary independence</div>
<div class="mw-collapsible-content">
While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.
</div></div>


<span id="r21">
==== Part of a Filing System ====
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
Additionally, the GDPR applies to non-automated processing of personal data if the personal data forms part of a filing system, or is intended for this purpose. In other words, if the data is intended as part of a filing system, but is not processed by automated means, the collection of such data will constitute a processing operation even before it is organized into a filing system. The concept of "filing system" is defined in [[Article 4 GDPR|Article 4(6)]] GDPR and consists of any structured set of personal data which are accessible according to specific criteria.  
<div>'''Recital 21''': Without prejudice to liability rules following Directive 2000/31/EC</div>
<div class="mw-collapsible-content">
This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council (8), in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.
</div></div>


<span id="r27">
The concept of a ‘filing system’ under the Directive 95/46/EC has been considered by the CJEU in ''Jehovah todistajat''. In this case the Court had to assess the legality of the Finnish Data Protection Authority prohibiting the Jehovah’s Witness Community from collecting or processing personal data in the course of their door-to-door preaching without adhering to the applicable data protection law.<ref>CJEU, Case C-25/17, ''Jehovan todistajat'', 10 July 2018, (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198949&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631 here]).</ref> The processing of the personal data was carried out otherwise than by automatic means, so the question arose as to whether the data processed formed part of or was intended to form part of a filing system. The Court accepted a broad definition of filing system by pointing out that the Directive (as the GDPR now)<ref>The GDPR definition restates the Article 2(c) Directive 95/46/EC definition of the notion ''verbatim''. ''Tosoni'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 4(6) GDPR, p. 140 (Oxford University Press 2020).</ref> does not put down any specific requirement in term of its structure or form.<ref>In particular, the Directive did not foresee that the “''the personal data at issue must be contained in data sheets or specific lists or in another search method, in order to establish the existence of a filing system''”. In that case, the records created by the Jehovah’s Community were collected as a memory aid and included name, surname and geographical position in order to facilitate the organisation’s subsequent visits.</ref> The Court concluded that the definition of “filing system” is fulfilled when “''data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use. In order for such a set of data to fall within that concept, it is not necessary that they include data sheets, specific lists or other search methods''”.<ref>CJEU, Case C-25/17, ''Jehovan todistajat'', 10 July 2018, margin number 62 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=203822&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=747904 here]). Also see Opinion of Advocate General Kokott, 8 May 2008, Sautmedia, C‑73/07, margin number 34 (available [https://curia.europa.eu/juris/document/document.jsf;jsessionid=F087BE2C7DF508FA67FED22A4E923E46?text=&docid=67007&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631 here]); Opinion of Advocate General Sharpston, 15 October 2009, Commission v Bavarian Lager, C-28/08 P, margin numbers 117-128 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=72502&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631 here]); Opinion of Advocate General Kokott, 20 July 2017, Nowak, C-434/16, margin number 69 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=193042&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631 here]); Opinion of Advocate General Mengozzi, 1 February 2018, Jehovan todistajat, C-25/17, margin numbers 53-59 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=198949&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631 here]).</ref>
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
<div>'''Recital 27''': Not applicable to the personal data of deceased persons</div>
<div class="mw-collapsible-content">
This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.
</div></div>


==Commentary==
As the material scope of the GDPR concerns the processing of personal data, it does not regulate anonymised data. The question of whether data is “personal” or “anonymous” is a technical and factual one. However, there is a very high threshold for data to be considered anonymous, as the probability of re-identification is normally considered high. Finally, [[Article 4 GDPR|pseudonymised data]] falls under the scope of the GDPR.  
Article 2 sets out the material scope of the GDPR and is thus the basis for when the GDPR applies to a processing operation.


The ePrivacy directive is ''lex specialis'' to the GDPR, as set out in [[Article 95 GDPR|Article 95]].
=== (2) Exemptions ===
If the elements in Article 2(1) are fulfilled, the GDPR applies unless the processing falls under one of the exemptions named in Article 2(2)(a)-(d) GDPR.  


===(1) Material scope===
==== (a) Activities which Fall Outside the Scope of Union Law ====
The material scope of the GDPR is wide and applies to the [[Article 4 GDPR#2|processing]] of [[Article 4 GDPR#1|personal data]] '''wholly''' or '''partly''' by automated means. In addition, it applies to non-automated processing of personal data if the personal data forms part of a [[Article 4 GDPR#6|filing system]], or is intended for this purpose.
The first category of exemptions relates to processing for activities "''which [fall] outside the scope of Union law''".<ref>The competences of the Union are set out in the EU treaties. In particular, Title 1 of the TFEU sets out the exclusive competence of the Union. While the competences of the EU are carefully shared between Member States and the EU, the GDPR simply differentiates between non-Union law and Union law.</ref> This wording is not particularly helpful because it is not always clear what the "''scope of Union law''" is. However, possible problems of interpretation have a limited impact. One of the main competences of the European Union is to establish an internal market in which, among other things, the free flow of data is guaranteed. It follows that all data processing activities directly or indirectly related to this purpose are covered under Union law (and therefore excluded from this exemption). As such, processing activities carried out by individuals and companies will almost always be regulated by Union law (insofar as they are useful or instrumental to the internal market) and therefore by the GDPR. Under Article 4(2) TFEU “''national security remains the sole responsibility of the individual Member States''. Thus, all activities related to national security, such as data processing by intelligence services, are excluded from the scope of EU law. Recital 16 confirms this interpretation and adds that the following are also excluded from the scope of the Regulation “''the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union''” (see subsection (b) below).  


It is therefore irrelevant which form the personal data takes. Structured as well as unstructured data will fall under the material scope of the GDPR as long as it concerns personal data. If the data is intended as part of a filing system, but is not processed by automated means, the collection of such data will constitute a processing operation even before it is organized into a filing system.
==== (b) EU Common Foreign and Security Policy ====
Article 2(2)(b) excludes the applicability of the GDPR for the processing of personal data carried out by the Member States when performing activities as part of the Union’s common foreign and security policy (see Chapter 2 of Title V of the TEU). More precisely, according to Article 39 TEU, the Council shall adopt a decision laying down the rules relating to the protection of individuals with regard to the processing of personal data by the Member States when carrying out such activities. These rules have not yet been adopted. However, it is worth recalling that despite Article 2 the GDPR being inapplicable in the above circumstances, Articles 7 (protection of family life) and 8 (data protection) of the EU Charter of Fundamental Rights remain applicable.<ref>''Bäcker'', in Wolff, Brink, BeckOK Datenschutzrecht, Article 2 GDPR, margin number 11 (C.H. Beck 2020, 38th edition).</ref>


''You can help us comment on what a filing system is!''
==== (c) Processing by a Natural Person in the Course of Purely Personal or Household Activity ====
Article 2(2)(c) GDPR reaffirms the so-called “household exemption” which existed under Directive EC/95/46. According to this provision, the GDPR does not apply where processing is carried out by a natural person for purely personal or household activities.


As the material scope of the GDPR concerns the processing of personal data, anonymized data falls outside the GDPR. The question of whether data is “personal” or “anonymous” is a technical and factual question. There is, however, a very high barrier for data to be considered anonymous. The possibility of re-identification is normally considered high and personal data is also broadly defined. [[Article 4 GDPR#5|Pseudonymised data]] falls under the GDPR, however certain requirements are relaxed to incentivize processing of personal data in a way that is seen as more privacy friendly.
===== Natural person =====
In order for the exemption to apply, it is essential that the processing be performed by a “''natural person''”. Thus, processing by legal entities, whatever legal form they may have (including NGOs), is not covered by the exemption and remains subject to the GDPR.<ref>''Paal,'' in Paal, Pauly, DS-GVO BDSG, Article 2 GDPR, margin number 14 (C.H. Beck 2021, 3<sup>rd</sup> edition).</ref>


===(2) Exceptions===
===== Purely Personal or Household Activities =====
If the elements in Article 2(1) are fulfilled, the GDPR applies unless the processing falls under one of the exceptions found in Article 2(2)(a)-(d).  
The GDPR does not provide a specific definition of “''personal''” and “''household''” activities. However, different factors to distinguish the “private” from the “non-private” can be drawn out from the existing case-law.


====(a) Activities which falls outside the scope of Union law====
According to the ''Jehovah’s Witness'' case, these requirements must be interpreted as covering only activities that are carried out in the context of the private or family life of individuals. In that connection, “''an activity cannot be regarded as being purely personal or domestic where its purpose is to make the data collected accessible to an unrestricted number of people or where that activity extends, even partially, to a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner''”.<ref>CJEU, Case C-25/17, ''Jehovan todistajat'', 10 July 2018, margin number 42 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=203822&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=747904 here]).; in the same direction CJEU, Case C-73/07, ''Satakunnan Markkinapörssi and Satamedia,'' 16 December 2008, margin number 44 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=76075&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=757578 here]).</ref> According to ''Lindqvist'' in particular, the publication of personal data on a blogging site made available to an unlimited number of people would 'obviously' not be subject to the household exemption.<ref>CJEU, C-101/01, ''Lindqvist'', 6 November 2003, margin number 47 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=48382&pageIndex=0&doclang=de&mode=lst&dir=&occ=first&part=1&cid=758205 here]).</ref> This interpretation was confirmed by the Court in ''Ryneš'', where it took a narrow view of the exemption. Indeed, a camera system installed on a family home for the purposes of protecting the property was not considered to fall under the exemption insofar as it also recorded a public space.<ref>CJEU, Case C-212/13, ''Ryneš,'' margin numbers 31 and 33 (available [https://curia.europa.eu/juris/document/document.jsf?docid=160561&doclang=EN here]).</ref>
The competences of the Union are set out in EU treaties. In particular, TFEU<ref>https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012E%2FTXT</ref> Title 1 sets out the exclusive competence of the Union. While the competences of the EU are carefully shared between Member States and the EU, the GDPR simply differentiates between non-Union law and Union law.


====(b) Activities which fall within the scope of Chapter 2 of Title V of the TEU====
In practice, there seem to be three main criteria that can help in the assessment. First, one has to assess the spatial aspect of the processing. Activities that take place in a private space can be considered “personal”. Conversely, public places are excluded from the application of the household exemption. Second, the social aspect of the processing is relevant. One needs to investigate, on the one hand, the relationship between the natural person who carries out the processing and the data subjects and, on the other, the extent of the group of subjects who have access to the personal data. Third, one has to determine the purpose pursued by the controller. According to Recital 18, these activities must have no connection with anything 'professional' or 'economic'. Consequently, if the activities pursue such purposes, the exemption will not apply.
Title V of the TEU<ref>https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012M%2FTXT</ref> concerns the common foreign and security policy of the EU. While data protection rules apply, the GDPR does not. It follows from Article 16(2) TFEU that data protections laws concerning these issues must be pursuant to Article 39 TEU.


====(c) By a natural person in the course of a purely personal or household activity====
====== Social networks ======
Processing that falls under the exception of “household activities” are exempt from the GDPR.
Recital 18 provides some examples of exempted activities such as the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, the reference to social networks as a type of activity exempted from the GDPR seems to contrast with the case law of the CJEU.<ref>Especially, CJEU, C-101/01, ''Lindqvist'', 6 November 2003, margin number 47 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=48382&pageIndex=0&doclang=de&mode=lst&dir=&occ=first&part=1&cid=758205 here]).</ref> By applying the aforementioned criteria, scholars have convincingly argued that the number of potential recipients of personal data should be verified in order to apply the exemption. Interpreted in this way, the GDPR would not apply to processing operations concerning social network use when they involve a limited number of recipients or readers. Conversely, if the processing or message is available to an indeterminate number of people, the household exemption will not apply.<ref>''Bäcker'', in Wolff, Brink, BeckOK Datenschutzrecht, Article 2 GDPR, margin numbers 18-19 (C.H. Beck 2020, 38th edition).</ref>


The exemption follows from the earlier Directive [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046 EC/95/46].  
===== (d) Processing by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal penalties =====
Directive (EU) 2016/680 now regulates this area.  


The decision in [[CJEU - C-212/13 - Rynes|C-212/13 - Ryneš]] indicates that the CJEU takes a narrow view of the exemption to household activities. In the case, a camera system installed on a family home for the purposes of protecting the property was not considered as falling under the exception insofar as it also recorded a public space.
=== (3) Union Institutions ===
Where data is processed by EU institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. The Regulation (EU) 2018/1725 of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (“EUDPR”) revises Regulation (EC) No. 45/2001 to align it with the GDPR. Chapter IX of the EUDPR outlines general rules on data protection applicable to EU law enforcement activities within the scope of Chapter 2 of Title V of the TFEU.  


====(d) By competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (…)====
=== (4) Directive 2000/31/EC ===
While the GDPR does not apply to the processing operations mentioned in Article 2(2)(d), this does not mean that this area does not enjoy data protection. As seen in [[CJEU - C-293/12 - Digital Rights Ireland]] and later the [[CJEU - Joined Cases of C-203/15 and C-698/15 - Tele2 Sverige]], Primary Law still puts limitations on the use of personal data for these purposes.
The GDPR applies without prejudice to the application of Directive 2000/31/EC (‘the e-Commerce Directive’). Specific reference is made to Articles 12 to 15 e-Commerce Directive, which concern the liability of intermediary service providers ("ISP") in situations where they merely transmit information, ‘cache’ information, or merely store information.


More importantly, the enactment of [https://eur-lex.europa.eu/eli/dir/2016/680/oj Directive (EU) 2016/680] now regulates this area.


====(3) Union institutions====
''You can help us fill this section!''


====(4) Without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive====
----[[Article 2 GDPR#%20msoanchor%201|[S1]]]Can be expanded
''You can help us fill this section!''


==Decisions==
==Decisions==

Revision as of 14:48, 2 July 2022

Article 2: Material scope
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 2 - Material scope

1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2. This Regulation does not apply to the processing of personal data:

(a) in the course of an activity which falls outside the scope of Union law;
(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
(c) by a natural person in the course of a purely personal or household activity;
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

3. For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.

4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

Relevant Recitals

Recital 13: Harmonisation of Protection and Advantages for Small and Medium-Sized Enterprises
In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC.

Recital 14: Not Applicable to Legal Persons
The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.

Recital 15: Technologically Neutral Protection
In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.

Recital 16: Not Applicable to National Security and Common Foreign and Security Policy Activities
This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.

Recital 17: Adaptation of Regulation (EC) No 45/2001
Regulation (EC) No 45/2001 of the European Parliament and of the Council applies to the processing of personal data by the Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data should be adapted to the principles and rules established in this Regulation and applied in the light of this Regulation. In order to provide a strong and coherent data protection framework in the Union, the necessary adaptations of Regulation (EC) No 45/2001 should follow after the adoption of this Regulation, in order to allow application at the same time as this Regulation.

Recital 18: Household Exception
This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

Recital 19: Not Applicable to Criminal Prosecution Activities
The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act. This Regulation should not, therefore, apply to processing activities for those purposes. However, personal data processed by public authorities under this Regulation should, when used for those purposes, be governed by a more specific Union legal act, namely Directive (EU) 2016/680 of the European Parliament and of the Council. Member States may entrust competent authorities within the meaning of Directive (EU) 2016/680 with tasks which are not necessarily carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security, so that the processing of personal data for those other purposes, in so far as it is within the scope of Union law, falls within the scope of this Regulation. With regard to the processing of personal data by those competent authorities for purposes falling within scope of this Regulation, Member States should be able to maintain or introduce more specific provisions to adapt the application of the rules of this Regulation. Such provisions may determine more precisely specific requirements for the processing of personal data by those competent authorities for those other purposes, taking into account the constitutional, organisational and administrative structure of the respective Member State. When the processing of personal data by private bodies falls within the scope of this Regulation, this Regulation should provide for the possibility for Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific important interests including public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This is relevant for instance in the framework of anti-money laundering or the activities of forensic laboratories.

Recital 20: Respect to the Independence of the Judiciary
While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.

Recital 21: Application without Prejudice to the Application of Directive 2000/31/EC
This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.

Recital 27: Not Applicable to Deceased Persons
This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

Commentary

Article 2 GDPR sets out the material scope of the GDPR. Paragraph 1 clarifies that the Regulation applies to any processing of personal data by automated means or to the non-automated processing of personal data that is or is intended to be stored in a filing system. Paragraph 2 provides for exemptions that exclude the applicability of the GDPR, such as data processing relating to activities outside the scope of European law or relating to purely personal or domestic activities. Paragraph 3 confirms the validity of sector-specific data protection laws for the processing carried out by European institutions provided that these regulations are brought into compliance with the GDPR. Finally, Paragraph 4 clarifies that the rules of Directive 2000/31/EC are not affected by the provisions of the GDPR.

(1) Material Scope

The Regulation applies to any processing[1] of personal data by automated means or to the non-automated processing of personal data that is or is intended to be stored in a filing system.

Automated means

The expression "automated means" is not defined in the GDPR. According to scholars, it should nonetheless be understood broadly as including all procedures in which at least part of the data processing is carried out automatically, using a given program, without further human intervention.[2]

Wholly or Partly by Automated Means

The data processing must be fully or partially automated. A data processing activity is understood as partially automated when it is carried out partly manually and partly automatically. For example, this is the case when personal data is manually entered into a digital database, or if several data processing operations, some of which are carried out manually and some of which are automated, are sufficiently closely linked in a logical process.[3]

Part of a Filing System

Additionally, the GDPR applies to non-automated processing of personal data if the personal data forms part of a filing system, or is intended for this purpose. In other words, if the data is intended as part of a filing system, but is not processed by automated means, the collection of such data will constitute a processing operation even before it is organized into a filing system. The concept of "filing system" is defined in Article 4(6) GDPR and consists of any structured set of personal data which are accessible according to specific criteria.

The concept of a ‘filing system’ under the Directive 95/46/EC has been considered by the CJEU in Jehovah todistajat. In this case the Court had to assess the legality of the Finnish Data Protection Authority prohibiting the Jehovah’s Witness Community from collecting or processing personal data in the course of their door-to-door preaching without adhering to the applicable data protection law.[4] The processing of the personal data was carried out otherwise than by automatic means, so the question arose as to whether the data processed formed part of or was intended to form part of a filing system. The Court accepted a broad definition of filing system by pointing out that the Directive (as the GDPR now)[5] does not put down any specific requirement in term of its structure or form.[6] The Court concluded that the definition of “filing system” is fulfilled when “data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use. In order for such a set of data to fall within that concept, it is not necessary that they include data sheets, specific lists or other search methods”.[7]

As the material scope of the GDPR concerns the processing of personal data, it does not regulate anonymised data. The question of whether data is “personal” or “anonymous” is a technical and factual one. However, there is a very high threshold for data to be considered anonymous, as the probability of re-identification is normally considered high. Finally, pseudonymised data falls under the scope of the GDPR.

(2) Exemptions

If the elements in Article 2(1) are fulfilled, the GDPR applies unless the processing falls under one of the exemptions named in Article 2(2)(a)-(d) GDPR.

(a) Activities which Fall Outside the Scope of Union Law

The first category of exemptions relates to processing for activities "which [fall] outside the scope of Union law".[8] This wording is not particularly helpful because it is not always clear what the "scope of Union law" is. However, possible problems of interpretation have a limited impact. One of the main competences of the European Union is to establish an internal market in which, among other things, the free flow of data is guaranteed. It follows that all data processing activities directly or indirectly related to this purpose are covered under Union law (and therefore excluded from this exemption). As such, processing activities carried out by individuals and companies will almost always be regulated by Union law (insofar as they are useful or instrumental to the internal market) and therefore by the GDPR. Under Article 4(2) TFEU “national security remains the sole responsibility of the individual Member States”. Thus, all activities related to national security, such as data processing by intelligence services, are excluded from the scope of EU law. Recital 16 confirms this interpretation and adds that the following are also excluded from the scope of the Regulation “the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union” (see subsection (b) below).

(b) EU Common Foreign and Security Policy

Article 2(2)(b) excludes the applicability of the GDPR for the processing of personal data carried out by the Member States when performing activities as part of the Union’s common foreign and security policy (see Chapter 2 of Title V of the TEU). More precisely, according to Article 39 TEU, the Council shall adopt a decision laying down the rules relating to the protection of individuals with regard to the processing of personal data by the Member States when carrying out such activities. These rules have not yet been adopted. However, it is worth recalling that despite Article 2 the GDPR being inapplicable in the above circumstances, Articles 7 (protection of family life) and 8 (data protection) of the EU Charter of Fundamental Rights remain applicable.[9]

(c) Processing by a Natural Person in the Course of Purely Personal or Household Activity

Article 2(2)(c) GDPR reaffirms the so-called “household exemption” which existed under Directive EC/95/46. According to this provision, the GDPR does not apply where processing is carried out by a natural person for purely personal or household activities.

Natural person

In order for the exemption to apply, it is essential that the processing be performed by a “natural person”. Thus, processing by legal entities, whatever legal form they may have (including NGOs), is not covered by the exemption and remains subject to the GDPR.[10]

Purely Personal or Household Activities

The GDPR does not provide a specific definition of “personal” and “household” activities. However, different factors to distinguish the “private” from the “non-private” can be drawn out from the existing case-law.

According to the Jehovah’s Witness case, these requirements must be interpreted as covering only activities that are carried out in the context of the private or family life of individuals. In that connection, “an activity cannot be regarded as being purely personal or domestic where its purpose is to make the data collected accessible to an unrestricted number of people or where that activity extends, even partially, to a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner”.[11] According to Lindqvist in particular, the publication of personal data on a blogging site made available to an unlimited number of people would 'obviously' not be subject to the household exemption.[12] This interpretation was confirmed by the Court in Ryneš, where it took a narrow view of the exemption. Indeed, a camera system installed on a family home for the purposes of protecting the property was not considered to fall under the exemption insofar as it also recorded a public space.[13]

In practice, there seem to be three main criteria that can help in the assessment. First, one has to assess the spatial aspect of the processing. Activities that take place in a private space can be considered “personal”. Conversely, public places are excluded from the application of the household exemption. Second, the social aspect of the processing is relevant. One needs to investigate, on the one hand, the relationship between the natural person who carries out the processing and the data subjects and, on the other, the extent of the group of subjects who have access to the personal data. Third, one has to determine the purpose pursued by the controller. According to Recital 18, these activities must have no connection with anything 'professional' or 'economic'. Consequently, if the activities pursue such purposes, the exemption will not apply.

Social networks

Recital 18 provides some examples of exempted activities such as the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, the reference to social networks as a type of activity exempted from the GDPR seems to contrast with the case law of the CJEU.[14] By applying the aforementioned criteria, scholars have convincingly argued that the number of potential recipients of personal data should be verified in order to apply the exemption. Interpreted in this way, the GDPR would not apply to processing operations concerning social network use when they involve a limited number of recipients or readers. Conversely, if the processing or message is available to an indeterminate number of people, the household exemption will not apply.[15]

(d) Processing by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal penalties

Directive (EU) 2016/680 now regulates this area.

(3) Union Institutions

Where data is processed by EU institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. The Regulation (EU) 2018/1725 of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (“EUDPR”) revises Regulation (EC) No. 45/2001 to align it with the GDPR. Chapter IX of the EUDPR outlines general rules on data protection applicable to EU law enforcement activities within the scope of Chapter 2 of Title V of the TFEU.

(4) Directive 2000/31/EC

The GDPR applies without prejudice to the application of Directive 2000/31/EC (‘the e-Commerce Directive’). Specific reference is made to Articles 12 to 15 e-Commerce Directive, which concern the liability of intermediary service providers ("ISP") in situations where they merely transmit information, ‘cache’ information, or merely store information.



[S1]Can be expanded

Decisions

→ You can find all related decisions in Category:Article 2 GDPR

References

  1. See, Article 4(2) of the Commentary.
  2. Bäcker, in Wolff, Brink, BeckOK Datenschutzrecht, Article 2 GDPR, margin number 2 (C.H. Beck 2021, 38th edition).
  3. Bäcker, in Wolff, Brink, BeckOK Datenschutzrecht, Article 2 GDPR, margin number 3 (C.H. Beck 2021, 38th edition).
  4. CJEU, Case C-25/17, Jehovan todistajat, 10 July 2018, (available here).
  5. The GDPR definition restates the Article 2(c) Directive 95/46/EC definition of the notion verbatim. Tosoni, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 4(6) GDPR, p. 140 (Oxford University Press 2020).
  6. In particular, the Directive did not foresee that the “the personal data at issue must be contained in data sheets or specific lists or in another search method, in order to establish the existence of a filing system”. In that case, the records created by the Jehovah’s Community were collected as a memory aid and included name, surname and geographical position in order to facilitate the organisation’s subsequent visits.
  7. CJEU, Case C-25/17, Jehovan todistajat, 10 July 2018, margin number 62 (available here). Also see Opinion of Advocate General Kokott, 8 May 2008, Sautmedia, C‑73/07, margin number 34 (available here); Opinion of Advocate General Sharpston, 15 October 2009, Commission v Bavarian Lager, C-28/08 P, margin numbers 117-128 (available here); Opinion of Advocate General Kokott, 20 July 2017, Nowak, C-434/16, margin number 69 (available here); Opinion of Advocate General Mengozzi, 1 February 2018, Jehovan todistajat, C-25/17, margin numbers 53-59 (available here).
  8. The competences of the Union are set out in the EU treaties. In particular, Title 1 of the TFEU sets out the exclusive competence of the Union. While the competences of the EU are carefully shared between Member States and the EU, the GDPR simply differentiates between non-Union law and Union law.
  9. Bäcker, in Wolff, Brink, BeckOK Datenschutzrecht, Article 2 GDPR, margin number 11 (C.H. Beck 2020, 38th edition).
  10. Paal, in Paal, Pauly, DS-GVO BDSG, Article 2 GDPR, margin number 14 (C.H. Beck 2021, 3rd edition).
  11. CJEU, Case C-25/17, Jehovan todistajat, 10 July 2018, margin number 42 (available here).; in the same direction CJEU, Case C-73/07, Satakunnan Markkinapörssi and Satamedia, 16 December 2008, margin number 44 (available here).
  12. CJEU, C-101/01, Lindqvist, 6 November 2003, margin number 47 (available here).
  13. CJEU, Case C-212/13, Ryneš, margin numbers 31 and 33 (available here).
  14. Especially, CJEU, C-101/01, Lindqvist, 6 November 2003, margin number 47 (available here).
  15. Bäcker, in Wolff, Brink, BeckOK Datenschutzrecht, Article 2 GDPR, margin numbers 18-19 (C.H. Beck 2020, 38th edition).