Now that the GDPR has been in force for two years, many companies have started to deepen their knowledge in specific parts of the regulation. It can therefore be easy to forget some of the more basic but fundamental parts such as: is the GDPR applicable to this processing? We will therefor in this blog post give you a reminder of when the GDPR is applicable. Because believe it or not – the GDPR is not applicable to all personal data processing´s!
Published June 4th 2020
Two different aspects
The scope of the GDPR is usually divided in two parts: the material scope and the territorial (geographical) scope. For the GDPR to be applicable to a certain processing, the processing must fall within both the material and the geographical scope. In addition to this, there are certain exemptions when the GDPR is not applicable. If one or more exemptions are at hand, either all of the GDPR or certain articles of the GDPR are not applicable to the processing.
The material scope
Article 2 of the GDPR states that the GDPR applies to:
- Wholly automated processing,
- Partly automated processing and
- Processing by other than automated means, which form part of a filing system or are intended to form part of a filing system.
A processing can be partly automated If an organisation collects personal data manually to later enter the personal data into an automated filing system.
Processing by other than automated means relates to manual processing. Manual processing is when the personal data is written on paper. If a processing of personal data is in paper form, the personal data must form part of a filing system or be intended to form part of a filing system. For something to be a filing system in accordance with the GDPR, the filing system must be searchable according to specific criteria. When making the assessment whether it is a filing system, it should be taken into account if it is structured in such a way that information regarding a specific person easily can be found. As a general rule, you can bear in mind that there should be two separate search criteria. For example, if you collect personal data in the form of name and address regarding your members, you process personal data regarding your members, which are part of a filing system. The filing system in this example have two search criteria: name and address, and the GDPR most likely applies to the processing.
You can read more about who is protected by the GDPR here (in Swedish).
The geographical scope
Except for the material scope, the processing must be within the geographical scope of the GDPR.
Article 3 of the GDPR regulates the geographical scope. This article intends to determine whether the GDPR applies to a certain processing and not a certain legal or natural person.
Article 3 of the GDPR stipulates that the GDPR is applicable to:
1. Data controllers and data processors who are established in the EU.
An organization is considered to be established in the EU if there is a real and effective activity, even if it is minimal, if the activity is performed through a stable arrangement. The GDPR can also apply to a processing if it is conducted in connection with activities performed by an organization that is established in the EU. This means that it does not necessarily has to be the organization in question which process the personal data, as long as the processing is connected to an organization established in the EU. Furthermore, it is not relevant where the processing takes place. The relevant factor is that the other organization is established in the EU.
2. Data controllers and data processors who are not established in the EU, but who offers goods and services to data subjects in the EU or Data controllers and data processors who are not established in the EU, but who perform processing activities related to the monitoring of data subjects behaviour, if it takes place in the EU.
If the data controller or the data subject are not established in the EU, it does not necessarily mean that the GDPR is not applicable. It is enough that the data subject whose personal data is being processed is within the borders of the EU and that:
a) The data controller or processor offers goods and service to the data subject or
b) The data controller or processor monitor the data subject´s behaviour (within the EU).
In order for an organization to be considered to either “offer goods and services to data subjects in the EU” or “monitor data subjects within the EU”, the activity must be intentional. It is not enough if an organization temporarily or by mistake target people in the EU.
If a data controller or a processor is not established in the EU, but either offer goods and services or monitor people in the EU, the organization must appoint a representative within the EU.
To summarize, the GDPR is not applied to a processing of personal data if:
- It is a manual processing, where the personal data does not form part of a filing system or are intended to form part of a filing system.
- The processing is performed by an organization that is not established in the EU and does not offer goods and services to someone in the EU alternatively monitor people who are in the EU.
In addition to the above mentioned, there are certain exemptions when the GDPR is not applied to a processing of personal data. Some of these exemptions are described below.
Is there an exemption to the applicability of the GDPR?
Even if a certain processing falls within both the material and the geographical scope of the GDPR, there might be an exemption in which case the GDPR might not be applicable to the processing. In some cases, only certain articles of the GDPR are applied to the processing and in some cases, all of the GDPR is not applied to the processing.
One exemption is if a processing is performed by a natural person and the processing is of private nature or is connected to his or her household. If these circumstances are at hand, no part of the GDPR is applicable. This might be the most common exemption to the applicability of the GDPR. This exemption can be at hand if a parent takes a picture of his or her child and puts it on the fridge in the family´s house. Please note that the situation is different if the parent e.g. posts the picture on social media. You can read more about what to think about when you process personal data regarding children here (in Swedish).
Another exemption is if someone process personal data in connection with exercising their right to freedom of expression and information. This means that in Sweden, constitutional law is in priority to the GDPR. This is possible because in the GDPR, there is an article that gives the member states a possibility to, in national law, make an exemption for just this – the freedom of expression and information, which Sweden has chosen to do.
Not sure how to apply the GDPR?
If you have any questions regarding the GDPR, you are welcome to contact us at email@example.com or 046 – 273 17 17.
You can already now book a demo of GDPR Hero to receive information about how you can make GDPR-compliance easier. You can book a demo here.