Where does the GDPR apply? Which data processing operations are affected by the GDPR?
The GDPR is a legal text that can be difficult to understand if you are not familiar with the legal language or terms used. It is all the more complex because it is a single text intended for very heterogeneous organisations, working in very different sectors of activity and for very different purposes.
However, a good understanding of this regulation and its objectives is essential for a good interpretation of this text and in order to put in place the appropriate measures.
In this second blog post, we propose to take a closer look at Articles 2 and 3 of Chapter 1 of the GDPR concerning the material and territorial scope of this regulation.
If you have not yet read it, you can find here the first article of this series which aimed at popularising Article 1 of Chapter 1 of the GDPR: "Purpose and objectives".
The protection of personal data has become a major issue in our society, in particular due to the free circulation of these data due to globalisation (as we explained in the previous blog post).
In this article, let's go deeper into the subject of the material scope provided for in Article 2 of the GDPR, but also the territorial scope provided for in Article 3. It is important to understand the scope of the GDPR, whether territorial or material, in order to determine the precise scope of this protection of personal data as well as the obligations of the companies and organisations that will process this data.
Articles 2 and 3 are complementary and their main objectives are to strengthen the confidence of European citizens in the processing of their personal data and to promote the free flow of data within the European Union.
GDPR material scope of application
Before getting to the heart of the matter, I will explain in a few words what the material scope of the GDPR is. The material scope, simply explained, is "which data processing operations are covered by the GDPR" (and which are not).
Which data processing operations are covered by the GDPR?
Data processing is defined by the CNIL as "an operation, or set of operations, relating to personal data, whatever the process used". This therefore includes "the collection, recording, organisation, storage, adaptation, modification, retrieval, consultation, use, disclosure by transmission or dissemination or otherwise making available, and matching" of data.
Understanding the definition of personal data processing is therefore an essential first step in determining whether or not the GDPR applies. If your organisation collects, stores, retains, etc. personal data, it is carrying out personal data processing which must therefore comply with the GDPR.
The material scope, as defined in Article 2, is broad. Indeed, it encompasses both "wholly or partly automated" data processing (which therefore includes the use of software or algorithms to carry out the processing) and "non-automated" or manual data processing (thus paper files are also concerned by the GDPR). Thus, the simple fact of collecting an email address, qualifying a prospect in a CRM database, etc. are all processing of personal data. There is therefore a good chance that your organisation is also processing personal data!
Technically, the GDPR applies to all processing of personal data, with some exceptions.
Exceptions to the application of the GDPR
The processing of personal data not covered by the GDPR is the processing of personal data carried out by natural persons in the context of an exclusively personal or domestic activity.
Example: you are writing a guest list for the organisation of a family event, a wedding or a christening.
Overall, all processing of personal data carried out in the context of a professional activity must comply with the GDPR.
The material scope of application: an initial response only
It is important to note that the mere application of the material scope is not a sufficient condition to be subject to the GDPR. Thus, you can perfectly well process personal data in the context of your professional activity and not be subject to the GDPR.
Indeed, a second cumulative condition must appear: the territorial scope.
The territorial scope of the GDPR
The territorial scope delimits the geographical area (and the population attached to it) concerned by the GDPR.
The territorial scope of the GDPR: only for European companies?
Article 3 provides that the territorial scope applies to all organisations that process personal data of EU residents, regardless of where the data processing takes place. Thus, an American company based in the United States is subject to the GDPR if its activity directly (or indirectly) targets European residents.
Thus, any organisation outside the European Union wishing to set up in Europe or sell to European citizens will have no choice but to comply with the GDPR if they wish to do so.
The GDPR is a European regulation, but it does not only apply to European companies or companies based in the European Union: it applies to all organisations that process the personal data of European citizens, wherever they are based in the world. Where an organisation's business involves processing the personal data of EU residents, then it is necessary to comply with the GDPR.
The GDPR: an obligation for subcontractors too
One of the particularities of the GDPR is that this regulation also applies to processors and not only to data controllers (personal data controllers). Indeed, some companies can subcontract certain data processing operations (subcontracting the collection, analysis, cross-referencing, storage of data, etc.).
Thus, whether you are directly responsible for data processing or whether you are a subcontractor (i.e. you carry out data processing on behalf of a third party), you are required to comply with the GDPR.
The GDPR and personal data protection: a European concern only?
Many still believe that the GDPR only concerns the European Union, yet it has become almost impossible to escape this legislation, particularly because of the globalisation of trade and activities, but also because of technological progress.
Indeed, an American company's website can perfectly well be visited from France: thus French (and therefore European) citizens are potentially concerned by the deposit of cookies, by the collection of personal information, etc.
In terms of personal data protection law, the GDPR is the strictest regulation in the world. While there are other data protection laws in the world, the GDPR remains the most protective regulation.
Given this, data transfers between the European Union and a non-EU country are very strictly regulated in order to protect the personal data of European citizens, even when they leave the EU.
But we will see this in more detail in a future article!
Thus, many non-EU countries are considering the creation of personal data protection legislation with a level of security at least equivalent or similar to that provided by GDPR, in order to be able to continue trading with EU countries.
Related blog posts:
Did you enjoy this blog post?
Find more content related to cybersecurity and GDPR regulatory compliance on the CyberSecura blog!
Find out more about our outsourced timeshare DPO services!
We need your answers!
By completing this survey, you are helping us to better understand your interactions with our site and your potential needs.
Your answers are anonymous, and unless you ask to be contacted again by our teams, no personal information is requested!
Thank you for your responses!
Would you like to be informed of our news and receive our latest blog articles directly in your mailbox? Subscribe to our monthly newsletter!
Would you like to discuss your difficulties, your needs, our offers? Ask to be contacted, free of charge and without obligation, by one of our cybersecurity experts!
תגובות