The scope of GDPR. Who should comply?
Does your company have to comply with the General Data Protection Regulation (GDPR)?
How must you work with personal data of EU clients?
How can you avoid a fine of up to € 20 million or up to 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher?
In order to answer these questions, we will define the territorial and subject scope of the GDPR, and after that we will analyze the basic notions enshrined in the EU General Data Protection Regulation.
Territorial scope of GDPR
According to Article 3 of GDPR, it applies:
1. to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing itself takes place in the EU or not;
2. to the processing of personal data of data subjects (natural persons) who are in the EU by a controller or processor not established in the EU, where the processing relates to:
a) the offering of goods or services to such data subjects in the EU, irrespective of whether a payment by the data subject is required; or
b) the monitoring of their behaviour, as far as that behaviour takes place within the EU;
3. to the processing of personal data by a controller not established in the EU, but in a place where the law of an EU Member State applies by virtue of public international law.
Subject Scope of the GDPR
According to Article 2, the GDPR applies:
1. to the processing of personal data wholly or partly by automated means, and to processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
2. At the same time, the GDPR does not apply to the processing of personal data:
a) in the course of an activity which falls outside the scope of EU law;
b) by an EU Member State when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union (common foreign and security policy);
c) by a natural person in the course of a purely personal or household activity;
d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security.
Processing of personal data. Meaning
This phrase is composed of two main parts, both of which are defined in Article 4 of the GDPR. According to that article, they mean the following.
“Personal data” means any information relating to an identified or identifiable natural person (“data subject / subject”);
In this case, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
If the activities of your company match any of the criteria described above, your next step should be to bring the company’s internal policies, as well as its mechanisms for handling personal data, into line with the GDPR.
In case you have any additional questions, don’t hesitate to contact us via chat for advice from our lawyers. Legarithm’s lawyers have significant experience in implementing GDPR compliance.