Article 2 GDPR
|← Article 2: Material scope →|
Legal Text[edit | edit source]
1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which from part of a filing system or are intended to form part of a filing system.
2. This Regulation does not apply to the processing of personal data:
- (a) in the course of an activity which falls outside the scope of Union law;
- (b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
- (c) by a natural person in the course of a purely personal or household activity;
- (d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
3. For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.
4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.
Relevant Recitals[edit | edit source]
Commentary[edit | edit source]
Article 2 GDPR sets out the material scope of the GDPR. Paragraph 1 clarifies that the Regulation applies to any processing of personal data by automated means or to the non-automated processing of personal data that is or is intended to be stored in a filing system. Paragraph 2 provides for exceptions that exclude the applicability of the GDPR, such as data processing relating to activities outside the scope of European law or relating to purely personal or domestic activities. Paragraph 3 confirms the validity of sector-specific data protection laws for the processing carried out by European institutions provided that these regulations are brought into compliance with the GDPR pursuant to Article 98 of the same Regulation. Finally, Paragraph 4 clarifies that the rules of Directive 2000/31/EC are not affected by the provisions of the GDPR.
(1) Material Scope[edit | edit source]
The GDPR applies to the processing of personal data by automated means. The expression "automated means" is not defined in the GDPR but, according to the scholars, should be understood broadly and includes all procedures in which at least part of a data processing is carried out automatically using a given program without further human intervention. 
The data processing must be fully or partially automated. In any case, there is partial automation when an individual data processing operation is carried out partly manually and partly automatically. This is the case, for example, when personal data is entered manually into a digital database. In addition, partial automation can also be assumed if several data processing operations, some of which are carried out manually and some of which are automated, are sufficiently closely linked in a coherent processing process. 
In addition, the GDPR applies to non-automated processing of personal data if the personal data forms part of a filing system, or is intended for this purpose. The concept of "Filing system" is defined in Article 4(6) and Recital 15 GDPR. The GDPR reproduces the definition of ‘filing system’ provided in Article 2(c) Directive 95/46/EC verbatim. The concept of a ‘filing system’ under the Directive 95/46/EC has been addressed by the CJEU in Jehovan todistajat, as well as by various Attorney General opinions.
As the material scope of the GDPR concerns the processing of personal data, anonymized data falls outside the GDPR. The question of whether data is “personal” or “anonymous” is a technical and factual question. There is, however, a very high barrier for data to be considered anonymous as the probability of re-identification is normally considered high. Pseudonymised data falls under the GDPR.
(2) Exceptions[edit | edit source]
If the elements in Article 2(1) are fulfilled, the GDPR applies unless the processing falls under one of the exceptions named in Article 2(2)(a)-(d) GDPR.
(a) Activities which Fall Outside the Scope of Union Law[edit | edit source]
The first category of excluded processing relates to processing for activities "which falls outside the scope of Union law". 
The wording is not particularly helpful because it is not always simple to clarify what the "scope of Union law" is. In practice, however, the problems of interpretation seem to have a limited impact. One of the competences of the European Union is in fact to establish an internal market in which the free flow of data is guaranteed. It follows that all data processing activities directly or indirectly related to the functioning of the internal market will be considered included in the scope of Union law (and therefore excluded from this exception).
In this perspective, processing activities carried out by individuals and companies will almost always be included in the scope of Union law (in so far they are useful or instrumental to the internal market). The same can be said for activities carried out by public authorities as a consequence of the strong European competences in most states activities.
Consequently, the only case of non-application of EU law seems to be provided for in Article 4(2) TFEU, according to which “national security remains the sole responsibility of the individual Member States”. It follows that all activities related to national security, such as data processing by intelligence services, are excluded from the scope of EU law. Recital 16 confirms this interpretation and adds that the following are also excluded from the scope of the Regulation “the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union” (see letter (b) below).
(b) EU Common Foreign and Security Policy[edit | edit source]
Article 2(2)(b) excludes the applicability of the GDPR for the processing of personal data carried out by the Member States when performing activities in of Union’s common foreign and security policy (that is, the scope of Chapter 2 of Title V of the TEU).
Under Article 39 TEU the Council shall adopt a decision laying down the rules relating to the protection of individuals with regard to the processing of personal data by the Member States when carrying out such activities. However, these rules have not yet been adopted.
However, it is worth recalling that although under Article 2 the GDPR is not applicable in the above circumstances, Articles 7 (protection of family life) and 8 (data protection) of the EU Charter of Fundamental Rights remain applicable.
(c) Processing by a Natural Person in the Course of Purely Personal or Household Activity[edit | edit source]
Article 2(2)(c) GDPR confirms the so-called “household exception”, already existing under the earlier Directive EC/95/46. According to this provision, the GDPR does not apply where processing is carried out by a natural person for purely personal or household activities.
Natural person[edit | edit source]
In order for the exception to apply, it is essential that the processing be performed by a natural person. It follows that processing by legal entities, whatever legal form they may have, including NGOs, is not covered by the exception and therefore remains subject to the GDPR [Paal in Paal, Pauly, DS-GVO BDSG, Article 2 GDPR, margin number 14 (Beck 2021, 3rd ed.) (1 September 2021).].
Personal or household activities[edit | edit source]
The GDPR does not provide a specific definition of “personal” and “household” activities. In order to distinguish “private” from “non-private”, different criteria can be inferred from the existing case-law.
A first criterion focuses on the spatial aspect of the processing. Activities that take place on a private area can be considered “personal”. Conversely, public places are excluded from the application of the household exception. A second criterion centres on the social aspect of the processing. Instead seeks to investigate, on the one hand, the relationship between the natural person who carries out the processing and the data subjects and, on the other, the extent of the group of subjects who have access to the personal data. Finally, a third and last criterion is the purpose pursued. According to Recital 18 these activities must have no connection with anything 'professional' or 'economic'. Consequently, if the activities pursue such purposes, the exclusion clause will not apply.
Social networks[edit | edit source]
Recital 18 provides some examples of exempted activities such as the holding of addresses, or social networking and online activity undertaken within the context of such activities.
The reference to social networks as a type of activity exempted from the GDPR seems to be in contrast with the case law of the EU Court of Justice (in particular, Lindqvist) according to which the publication of personal data on a blogging site made available to an unlimited number of people would 'obviously' not be subject to the household exception. This interpretation seems confirmed by CJEU Ryneš where the Court takes a narrow view of the exemption. In that case, a camera system installed on a family home for the purposes of protecting the property was not considered to fall under the exception insofar as it also recorded a public space.
In order to provide organicity to the system, scholars have (in our view, convincingly) argued that the number of potential recipients of personal data should be verified in order to apply the exception. In this perspective, the Regulation would not apply to processing operations having a limited number of recipients. Conversely, if the processing or message is available to an indeterminate number of recipients, the household exception will not apply.
(d) Processing by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal penalties[edit | edit source]
While the GDPR does not apply to the processing operations mentioned in Article 2(2)(d) GDPR, this does not mean that this area does not enjoy data protection. As seen in CJEU - C-293/12 - Digital Rights Ireland and later the CJEU - Joined Cases of C-203/15 and C-698/15 - Tele2 Sverige, Primary Law still puts limitations on the use of personal data for these purposes. More importantly, the enactment of Directive (EU) 2016/680 now regulates this area.
(3) Union Institutions[edit | edit source]
Where data is processed by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. The EUDPR, which revises Regulation (EC) No. 45/2001 to align it with the GDPR, was adopted in October 2018. Chapter IX of the EUDPR outlines general rules on data protection applicable EU law enforcement activities within the scope of Chapter 2 of Title V of the TFEU.
(4) Directive 2000/31/EC[edit | edit source]
The GDPR applies without prejudice to the application of Directive 2000/31/EC (‘the e-Commerce Directive’). Specific reference is made to Articles 12 to15 e-Commerce Directive, which concern the liability of intermediary service providers ("ISP") in situations where they merely transmit information, ‘cache’ information, or merely store information.
Decisions[edit | edit source]
→ You can find all related decisions in Category:Article 2 GDPR
References[edit | edit source]
- Baker in Wolff, Brink, BeckOK DatenschutzR, Article 2 GDPR, margin number 2 (Beck 2021, 36th ed.) (accessed 3 September 2021).
- Baker in Wolff, Brink, BeckOK DatenschutzR, Article 2 GDPR, margin number 3 (Beck 2021, 36th ed.) (accessed 3 September 2021).
- If the data is intended as part of a filing system, but is not processed by automated means, the collection of such data will constitute a processing operation even before it is organized into a filing system.
- Kranenborg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 2 GDPR, p. 67 (Oxford University Press 2020).
- Kranenborg, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 2 GDPR, p. 67 (Oxford University Press 2020).
- See Opinion of Advocate General Kokott, 8 May 2008, Sautmedia, C‑73/07, margin number 34 (available here https://curia.europa.eu/juris/document/document.jsf;jsessionid=F087BE2C7DF508FA67FED22A4E923E46?text=&docid=67007&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631); Opinion of Advocate General Sharpston, 15 October 2009, Commission v Bavarian Lager, C-28/08 P, margin numbers 117-128 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=72502&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631); Opinion of Advocate General Kokott, 20 July 2017, Nowak, C-434/16, margin number 69 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=193042&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631); Opinion of Advocate General Mengozzi, 1 February 2018, Jehovan todistajat, C-25/17, margin numbers 53-59 (available here https://curia.europa.eu/juris/document/document.jsf?text=&docid=198949&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=70631).
- The competences of the Union are set out in the EU treaties. In particular, Title 1 of the TFEU sets out the exclusive competence of the Union. While the competences of the EU are carefully shared between Member States and the EU, the GDPR simply differentiates between non-Union law and Union law.
- In this sense, Baker, in BeckOK DatenschutzR, Article 2 GDPR, margin number 11 (Beck 2020, 36th ed.) (accessed 7 September 2021)
- CJEU, 11 December 2014, František Ryneš, C-212/13
- Baker, in BeckOK DatenschutzR, Article 2 GDPR, margin number 18-19 (Beck 2020, 36th ed.) (accessed 7 September 2021)