Now that we are familiar with the GDPR principles and the rights of data subjects, it is time to move on and uncover the content and territorial reach of the GDPR. We will explain what data, systems and persons the GDPR protects and who is bound by it.
The GDPR applies in all contexts across all sectors. With very few exceptions, the same requirements apply to small businesses and to large multinationals alike; organisations of all types are affected.
The first recitals and articles unveil the key aims and objectives of the GDPR. It is intended to protect the fundamental rights and freedoms of data subjects in light of technical progress. The GDPR takes into consideration the current state of protection of data processing, which seems not to be sustainable under the older Directive. The GDPR should enable the free movement of personal data within the EU and contribute to economic and social progress and trade. The result of the GDPR should be the harmonisation of data protection and an increase in organisations’ ability to do business across the EU. All kinds of controllers and processors are bound by the GDPR, as it applies to natural and legal persons, public authorities, agencies and others who process personal data.
The law protects the personal data of all people from the EU, except the data of deceased persons. The protection granted by the GDPR applies to the processing of personal data either by automated means or by other means that form part of a relevant filing system, meaning that EU data protection law should be technologically neutral. A “relevant filing system” is any structured set of personal data that can be searched or accessed by reference to relevant criteria.
Example: A filing cabinet containing arranged HR records would be a relevant filing system. By contrast, an unstructured box of hard-copy case files would not be considered such a system and would fall outside the scope of EU data protection law, until those data are structured or processed for another purpose.
Territorial scope: The GDPR applies to the processing of personal data in the context of the activities of an establishment of any organisation within the EU. An establishment means the “effective and real exercise of activity through stable arrangements”, while “the legal form of such arrangement is not the determining factor”. You can find more on the judicial approach to the term “establishment” in the 2015 case of Weltimmo v NAIH (C-230/14), which treats establishment as a broad and flexible concept. An organisation may be established wherever it exercises any real and effective activity (even a minimal one) through stable arrangements in the EU.
Personal scope: The GDPR applies to the processing of personal data of EU citizens not only by organisations within the EU. Organisations may be established anywhere in the world; if they process the data of EU citizens, the GDPR affects them too, but only in connection with the EU citizens’ data.
Example: A multinational corporation is headquartered in Qatar and operates in the oil industry. It has a unified global database and a branch office within the EU with access to the database. Is the corporation subject to the GDPR? We must consider the term establishment, which means “effective and real exercise of activity through stable arrangements”. The corporation as a whole won’t be subject to the GDPR, but the transfer of EU employee data to the database will impose compliance obligations, and still only in respect of those data.
Even if an organisation is able to prove that it is not established within the EU, it will still be caught by the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related “to the offering of goods or services” or “the monitoring of the behaviour” of data subjects. The Court of Justice of the European Union recently developed this jurisprudence by finding that Google Inc., with its EU-based sales and advertising operations, was established within the EU (C-131/12).
Example: An international e-commerce reseller has its base in China and no operations in other countries. It sells goods on the Internet to users in their local languages and currencies. Although it has no subcontractors on the ground in the EU, the processing of the personal data of EU residents is obvious here. Therefore, the processing of personal data in the course of providing these services must be performed in accordance with the GDPR provisions.
To sum up, the GDPR protects the data of all EU citizens in a technologically neutral way. It affects organisations established all around the world, if part of their activity is exercised within the EU.
Stay tuned for the next article, if you wonder about the consent you may need in order to process personal data.