Chapter 3: Subject matter and scope – Unlocking the EU General Data Protection Regulation
Why does this topic matter to organisations?
Understanding the subject matter and the scope of EU data protection law is fundamental to determining whether this law applies to an organisation’s business activities. In essence, an organisation cannot do business confidently and efficiently unless it understands the legal requirements that affect its activities.
What types of organisations are most affected?
EU data protection law is not sector-specific, unlike the sectoral approach taken to privacy regulation in some other jurisdictions (notably the US). It applies in all contexts and across all sectors, and essentially the same requirements apply to small businesses and large multinationals, with very few exceptions. Consequently, organisations of all types are affected by EU data protection law.
What should organisations do to comply?
Organisations should familiarise themselves with the key issues raised by the GDPR (which are summarised in Chapter 2), review their data processing activities and consider whether EU data protection law applies to those activities. This will enable organisations to work out how the GDPR affects their business operations, and to identify the issues that need to be addressed.
Icons to convey information quickly
The following icons are used in the Impact column of the table to clarify the effect of each change:
Changed: under the GDPR, the position on this issue has materially changed (e.g., the GDPR has introduced a new obligation that did not previously exist).
Unchanged: under the GDPR, the position on this issue has not materially changed (e.g., although the wording may be different in the GDPR, the nature of the relevant obligation is unchanged).
Positive: the impact of the GDPR on this issue is likely positive for most organisations (e.g., because the GDPR provides certainty in relation to a previously unclear issue).
Neutral: the impact of the GDPR on this issue is likely neutral for most organisations (e.g., because the requirements under the GDPR and the Directive are essentially the same).
Negative: the impact of the GDPR on this issue is likely negative for most organisations (e.g., because the GDPR introduces a new obligation on organisations).
Unknown: the impact of the GDPR on this issue is unknown at this stage (e.g., because the impact on organisations depends on secondary guidance that has not yet been written).
Issue: Aims and objectives of the law
EU data protection law aims to govern the processing of personal data and to ensure that such processing is fair and lawful. It is also designed to give effect to the fundamental right to privacy, enshrined in Art.7 of the CFR and Art.8 of the ECHR.
The Directive (Rec.1-5; Art.1): The Directive was intended to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data, and to ensure the free movement of personal data between Member States.
The GDPR (Rec.2-7; Art.1): The GDPR is intended to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, and to ensure the free movement of personal data within the EU.
Impact: The aims of the Directive and the GDPR are closely aligned. However, the Directive led to a "patchwork" of similar but not identical data protection laws across the EU. In theory, the more harmonised approach under the GDPR increases the ability of organisations to do business across the EU, with fewer inconsistent national compliance requirements. The GDPR thereby provides greater legal certainty for organisations.

Issue: Data to which the law applies
EU data protection law applies to personal data.
The Directive (Art.2(a)): The Directive protected the personal data of natural persons, but did not specifically exclude the personal data of deceased persons.
The GDPR (Rec.27, 158, 160; Art.1(1)-(2), 4(1)): The GDPR protects the personal data of natural persons, but does not apply to the data of deceased persons. However, Member States may provide for rules regarding the processing of data of deceased persons.
Impact: The GDPR clarifies that EU data protection law does not apply to the data of deceased persons. This issue was not entirely clear under the Directive, and Member States addressed it differently. However, given the latitude granted to Member States under the GDPR, organisations may continue to experience some variation across the EU in their obligations regarding the personal data of deceased persons.

Issue: Systems to which the law applies
EU data protection law only applies to personal data that are processed wholly or partly by automated means, or that form (or are intended to form) part of a filing system.
The Directive (Rec.15, 27; Art.3): The Directive applied to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data that form part of a filing system (or are intended to form part of one). The protection of individuals should be technologically neutral and should not depend on the techniques used.
The GDPR (Rec.15; Art.2(1)): The GDPR applies to the processing of personal data wholly or partly by automated means, and to the processing otherwise than by automated means of personal data that form part of a filing system (or are intended to form part of one). The protection of individuals should be technologically neutral and should not depend on the techniques used.
Impact: Both the Directive and the GDPR state that EU data protection law should be technologically neutral.

Issue: Persons to whom the law applies
EU data protection law applies across all sectors to all organisations that are subject to the law.
The Directive (Rec.2; Art.1, 2(d)): The Directive applied to natural and legal persons, public authorities, agencies or any other bodies processing personal data.
The GDPR (Rec.1, 27; Art.4(7)): The GDPR applies to natural and legal persons, public authorities, agencies and other bodies which process personal data.
Impact: The GDPR applies to the same persons and entities as the Directive (although it should be noted that processors have specific compliance obligations under the GDPR; see Chapter 11).

Issue: Exclusions and exemptions
EU data protection law explicitly excludes and exempts certain activities from its scope.
The Directive (Rec.13, 16; Art.3(2)): The following processing fell outside the scope of the Directive: processing in the course of an activity falling outside the scope of Community law (e.g., public security, defence, State security and the activities of the State in areas of criminal law); and processing by a natural person in the course of a purely personal or household activity.
The GDPR (Rec.16-19; Art.2(2)-(3)): The following processing is outside the scope of the GDPR: processing in the course of an activity falling outside the scope of EU law; processing by Member States in the course of activities within the scope of the EU's common foreign and security policy; processing by a natural person in the course of a purely personal or household activity; and processing by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. Processing by EU institutions, bodies, offices and agencies is governed by a separate regulation (Art.2(3)).
Impact: The Directive and the GDPR exclude a number of activities that, while they constitute the processing of personal data, are outside the scope of EU data protection law (e.g., because they fall outside the legislative competence of the EU). These activities may still be governed by differing national laws. The GDPR makes one material change: processing performed by competent authorities (e.g., national police forces and courts) for law enforcement purposes is not subject to the GDPR, and is instead subject to a separate EU Directive on policing and criminal justice (Directive (EU) 2016/680). It should also be noted that the UK, Ireland and Denmark have an opt-out from that Directive, which may result in further inconsistent requirements across those Member States.
Commentary: New focus on harmonisation
Many of the underlying principles of the Directive and the GDPR are essentially the same. However, the GDPR places significant emphasis on increasing harmonisation across the EU. The intention of this approach is to facilitate the free flow of personal data in the digital single market and reduce the administrative burden on organisations that have faced inconsistencies in their data protection compliance obligations from one Member State to the next.
Case law: The "household purposes" exemption
As clarified by the CJEU in Ryneš (Case C-212/13), which concerned a domestic CCTV camera that also recorded a public footpath outside the home, the "household purposes" exemption is strictly limited to purely personal activities (e.g., personal correspondence or personal use of social networking services). Activities that are partly personal and partly professional (e.g., sending correspondence that includes both social content and business-related content), or that extend beyond the private sphere of the individual, do not benefit from this exemption.
For the avoidance of doubt, organisations that provide services to individuals for such purposes (e.g., social network providers) do not benefit from this exemption.
Example: Relevant filing systems
Q. The GDPR (and, historically, the Directive) only applies to personal data within automated systems (e.g., computerised systems and databases) and, for hard-copy documents, "relevant filing systems". What is a relevant filing system?
A. As set out in the Glossary, a "relevant filing system" is any structured set of personal data that can be searched or accessed by reference to relevant criteria (e.g., name, ID number, telephone number, etc.). The GDPR itself uses the term "filing system", defined in Art.4(6) as any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis. For example, a filing cabinet containing HR records arranged in alphabetical order of employee names would be a relevant filing system. An unstructured box of hard-copy case files arranged by year only (and not labelled by name or any other identifier specific to an individual) would not be a relevant filing system. Data contained in the documents within that box would fall outside the scope of EU data protection law until such time as those data are structured, digitised or otherwise processed by automated means.
Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law
© 2016 – 2019 White & Case LLP