What is the scope of the GDPR?
It turns out that it applies to more than just EU businesses.
One big question regarding the European Data Protection Regulation is when and where it applies. Answering it means knowing which processing activities are covered by the GDPR (its material scope) and which countries and companies are concerned by it (its territorial scope).
Luckily for us, it turns out that the regulation provides us with an article dedicated to its material scope. I’m usually not that fond of legalese walls in articles, but here it is in all its glory:
This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
This Regulation does not apply to the processing of personal data:
- in the course of an activity which falls outside the scope of Union law;
- by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
- by a natural person in the course of a purely personal or household activity;
- by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.
This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.
The TL;DR of this text is that if you process personal data for business purposes, whether manually or in an automated manner (i.e. keeping that CRM in a paper notebook won’t help), then you will need to comply with the GDPR. Unless you are doing so for a state or public body, or to prevent threats to public security and fight crime.
Technically speaking then, the Batman side of Wayne Enterprises shouldn’t be too bothered by the GDPR as they are involved in “the safeguarding against and the prevention of threats to public security.”
What about private personal data processing activities?
If you need to process personal data in your personal life, for example to organize a surprise birthday party, it is obviously not subject to the GDPR. This regulation only applies to businesses.
Likewise, Article 3 of the GDPR provides useful guidance regarding the regulation’s territorial reach:
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
The gist of this article is that the GDPR applies (obviously) to companies based in the EU that process personal data related to EU residents. However, if you are based outside the EU and still target EU residents, you will also be subject to the GDPR’s requirements.
Yep. If you’re an American e-commerce website that sells goods to France, Italy or any other EU country of your choice, you’ll have to comply with the applicable personal data regulation. Which, in this case, is the GDPR.
Likewise, even if your service is free of charge but still involves processing EU residents’ personal data (to monitor their web browsing habits, for example), you’ll need to do so in a compliant manner.
Whether or not your business is based in the EU, if you collect personal data related to EU residents and process it in one way or another, you’ll need to comply with the GDPR. Unless you’re a State/Public Authority. Or Batman.