Article 2: Material scope

Under the General Data Protection Regulation (GDPR), Article 2 defines the material scope of the regulation. This key provision outlines the specific circumstances in which the GDPR applies to the processing of personal data. Understanding the material scope of the GDPR is essential for organizations to ensure compliance with data protection laws. In this article, we will delve into the details of Art. 2 GDPR and its implications for businesses handling personal data.

Personal Data: Any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified directly or indirectly, by reference to an identifier such as a name, identification number, location data, or online identifier.

Processing: Any operation or set of operations performed on personal data, whether or not by automated means. This includes the collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction of personal data.

Data Subject: An identified or identifiable natural person whose personal data is processed by the controller.

Controller: The natural or legal person, public authority, agency, or other body that determines the purposes and means of the processing of personal data.

Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

Special Categories of Personal Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, or data concerning a person’s sex life or sexual orientation.

Geographic Applicability: Where Does Article 2 GDPR Apply?

Article 2 of the General Data Protection Regulation (GDPR) outlines the territorial scope of the regulation, specifying where it applies. The key points regarding its applicability are as follows:

  • Location of Data Subjects: GDPR applies to the processing of personal data of individuals located in the European Union (EU), regardless of the data controller’s location. This means that even if a business is based outside the EU, it must comply with GDPR if it processes data of EU residents.
  • Offering Goods or Services: The regulation also applies to organizations based outside the EU if they offer goods or services to individuals within the EU. This includes features such as websites, apps, or any form of commercial interaction that targets EU citizens.
  • Monitoring Behaviour: GDPR applies if a non-EU entity is monitoring the behaviour of individuals within the EU. This includes tracking online behaviour through cookies or similar technologies if the intent is to analyse or profile users within the EU.
  • Establishment Criterion: If an organization has an establishment in the EU (a branch, subsidiary, or another type of business presence), GDPR applies to all processing of personal data, regardless of whether the data processing relates to individuals located in the EU.

Types of Data Covered Under Article 2 GDPR

Article 2 of the General Data Protection Regulation (GDPR) outlines the scope of the regulation and establishes which types of data are covered. Here are the main types of data addressed under Article 2:

  • Personal Data: This includes any information relating to an identified or identifiable natural person. Examples are names, identification numbers, location data, email addresses, and online identifiers.
  • Data Processing Activities: The GDPR regulates how personal data should be processed, including collection, storage, and sharing, ensuring that individuals’ privacy is respected and protected.
  • Data Related to Legal Entities: While the GDPR primarily focuses on data related to individuals, it also encompasses data that indirectly relates to individuals affiliated with legal entities, where such data can identify individuals.

Exemptions and Limitations within the Material Scope

Article 2 of the General Data Protection Regulation (GDPR) outlines the material scope of the regulation, specifying which types of data processing activities are covered. However, there are certain exemptions and limitations within this scope.

  • Personal Data Exclusions: GDPR does not apply to data processing carried out by individuals for personal or household activities. This means that if data is processed in a purely private context, such as sharing photos with friends or family, the GDPR’s requirements do not apply.
  • Anonymized Data: The regulation excludes fully anonymized data, where individuals cannot be identified either directly or indirectly. Since anonymized data does not relate to an identifiable person, it falls outside the scope of GDPR.
  • Law Enforcement and National Security: Certain provisions of the GDPR do not apply to processing activities related to national security, law enforcement, or public security. Instead, these areas are governed by separate regulations and laws aimed at protecting public safety.
  • Employment Relationships: There are provisions within the GDPR that allow for different treatments of personal data when it comes to employment relationships. Certain employee data may be processed under the premise of fulfilling contractual obligations or complying with legal requirements.
  • Journalistic and Artistic Purposes: The GDPR recognizes that processing personal data for journalistic purposes, academic purposes, or artistic expression may be subject to exemptions to promote freedom of expression and information.
  • Historical, Statistical, or Research Purposes: The regulation allows for some flexibility when personal data is processed for historical, statistical, or research purposes while ensuring that the data is handled in a manner that respects the individuals’ rights.

In conclusion, Article 2 of the GDPR outlines the material scope of the regulation, establishing the criteria for its applicability. Understanding the material scope is crucial for ensuring compliance with the GDPR and protecting the rights of individuals regarding their personal data. By familiarizing yourself with Article 2 and its implications, you can better navigate the complex landscape of data protection laws.