And did you realise that the GDPR rules are also applicable to organisations outside the EU?
The General Data Protection Regulation contains rules concerning the protection of natural persons when their personal data are processed and rules on the free movement of personal data, as stressed in Article 1(1) GDPR. Article 1(2) GDPR provides that the GDPR seeks to protect fundamental rights and freedoms of natural persons and, more specifically, their right to the protection of personal data. It means that, as such, the Regulation does not deal with the rights and freedoms of legal persons, such as companies.
One might wonder to what types of processing of personal data the Regulation applies or, in other words, what its material scope is. The Regulation is applicable to processing that is wholly or partly automated, such as processing carried out with computers holding digital databases. In addition, the processing of personal data by any other means is also regulated by the GDPR when these data are included in a filing system or are intended to be used in such a filing system, as stated in Article 2(1) GDPR. This can be the case when personal data are manually processed and are contained, or are to be contained, in a filing system, i.e. a structured set of personal data that is accessible according to certain criteria, such as manual files printed on paper.
There are also situations that are not covered by the GDPR and they are addressed in Article 2(2) GDPR. In the first place, this is the case when the processing is carried out in the course of activities to which European Union law does not apply, for example, those related to national security. Secondly, the GDPR is not applicable to the processing of personal data by EU Member States when it concerns the activities performed within the framework of the common foreign and security policy concerning, for instance, political cooperation, prevention of conflicts and humanitarian aid. Thirdly, the GDPR does not regulate the processing of personal data that natural persons carry out as part of purely personal or household activities, for example, correspondence and social networking. Finally, the Regulation does not apply to the processing by competent authorities, such as the police, in the context of criminal justice, which is governed by the new Police and Criminal Justice Data Protection Directive.
A few words should also be devoted to the territorial scope of the application of the GDPR. According to Article 3(1) GDPR, it is applicable to the processing of personal data by controllers and processors with an establishment in the European Union. In this regard, it does not matter whether the actual processing is carried out in the Union or outside.
Importantly, Article 3(2) GDPR states that, when controllers and processors are not established in the European Union but process personal data of individuals who are in the Union, the Regulation is applicable. Such processing activities must relate to the offering of goods or services, whether for payment or for free, to these individuals, or to the monitoring of their behaviour as long as this behaviour takes place in the European Union, as indicated in Article 3(2)(a) and (b) GDPR. Finally, the GDPR regulates the processing of personal data by controllers that are not established in the Union but in a place where the law of an EU Member State applies by virtue of public international law. This can be the case in diplomatic missions or consular posts of EU Member States.
-----
Territorial scope:
First principle: everyone has the right to the protection of personal data concerning him or her, regardless of where they are in the world.
Article 3 and Recital 4 refer to the data subject.
Recital 14 says “whatever the nationality or residence of natural persons”
Recital 23 says: "In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union."
GDPR Art. 3.1: "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."
Note that neither "processing of personal data" nor "personal data" is limited, meaning (ANY) processing of (ALL) personal data.
Recital 22: "Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation..."
Here ANY has been made explicit and PERSONAL DATA is not limited.
We also need to remember that the GDPR was designed to give effect to the fundamental right to privacy enshrined in Art. 7 of the CFR:
"Everyone has the right to respect for his or her private and family life, home and communications" (EVERYONE)
and Art. 8.1 of the ECHR: "Everyone has the right to respect for his private and family life, his home and his correspondence" (EVERYONE).
The CJEU has examined when an activity (such as offering goods and services) will be considered "directed to" EU Member States in a separate context (i.e. under the "Brussels I" Regulation (44/2001/EC) governing "jurisdiction...in civil and commercial matters"). Its comments are likely to aid interpretation under this similar aspect of the GDPR. In addition to the considerations mentioned above, the CJEU notes that an intention to target EU customers may be illustrated by: (1) "patent" evidence, such as the payment of money to a search engine to facilitate access by those within a Member State, or where targeted Member States are designated by name; and (2) other factors, possibly in combination with each other, including the "international nature" of the relevant activity (e.g. certain tourist activities), mentions of telephone numbers with an international code, use of a top-level domain name other than that of the state in which the trader is established (such as .de or .eu), the description of "itineraries...from Member States to the place where the service is provided" and mentions of an "international clientele composed of customers domiciled in various Member States". This list is not exhaustive and the question should be determined on a case-by-case basis (Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller, Joined Cases C-585/08 and C-144/09).