Part 1 of 2: Material Scope of the GDPR
You may be wondering what data processing activities are covered by the EU General Data Protection Regulation (“GDPR”), or phrased in GDPR-speak, “What is the material scope of the regulation?”
To answer that question, we need to start with Article 2(1) of the GDPR, which states that the GDPR applies to:
the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
Decrypted, Article 2(1) means that the GDPR applies to basically anything done with or to data relating to a person who is either identified or capable of being identified that is either: (1) fully or partly automated; or (2) that is performed manually but is part of a filing system or intended to be part of an organized collection of data.
Broken down even further, for the GDPR to be applicable, the following conditions must be met:
- something is done with or to data;
- the data relates to a human; and
- the human is identified or capable of being identified;
and the thing that is done with or to the data is either:
- fully or partly automated; or
- that the data is or will be part of a filling system.
In order to understand how we got here from Article 2(1), we need to review and break down the definitions of several terms used in the GDPR, which we will look at next. It’s also important to note that while the GDPR has a broad scope, it does contain some exclusions. These exclusions, however, are largely irrelevant to commercial organizations that operate in the EU or have EU residents as customers. We’ll discuss more about the territorial aspects of the GDPR in our next post.
What Does Processing Mean Under the GDPR?
Processing is defined in the GDPR as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
So basically, anything done with personal data by wholly or partly automated means is considered processing, as well as processing by manual means, if the personal data are intended to form part of a filing system.
What Does Personal Data Mean Under the GDPR?
“Personal data” is defined in the GDPR as “any information relating to an identified or identifiable natural person.”
What is an Identified or Identifiable Person Under the GDPR?
An identifiable natural person is, in turn, defined as “a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Therefore, any information relating to a person that is identified or capable of being identified by reference to one or more identifiers such as name, identification number, location, physical characteristics, etc., constitutes personal data.
What is Automated Versus Manual Means Under the GDPR?
Automated and manual means represent a spectrum, depending on the level of human involvement. Wholly automated means are those that lack human involvement, whereas party automated means involves some degree of human involvement and manual means only involve humans without any form of computer technology.
In other words, manual processing, i.e., hard copies containing personal data, constitutes data processing and will be covered under the GDPR if it constitutes part of a filing system.
What is a Filing System Under the GDPR?
A filing system is “any structured set of personal data which are accessible according to a specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.” This means that even hard copies of employee records organized by name (or any such specific criteria) will be considered a filing system, and hence governed by the GDPR.
As we have seen, the material scope of the GDPR is broad and covers basically any use of or thing done to data relating to people. In our next post we will discuss the territorial nature of the GDPR and how you can determine if your organization will be governed by the GDPR. To learn more about the GDPR and VeraSafe’s GDPR compliance solutions, contact one of VeraSafe’s privacy experts today for a free EU privacy consultation .