Article 2 of the GDPR

Article 2 of the GDPR informs about the scope of the Regulation. Let us find out what the GDPR covers and what it excludes from its purview.

Article 2 of the GDPR states as follows: 

  1. “This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
  2. This Regulation does not apply to the processing of personal data:
    1. in the course of an activity which falls outside the scope of Union law;
    2. by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
    3. by a natural person in the course of a purely personal or household activity;
    4. by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
  3. For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.
  4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.”

We can break down the above article into two parts-inclusion and exclusion.

  1. Inclusion:

The following activities are covered by the GDPR:

  1. The processing of personal data of individuals irrespective of the mode of processing-whether automated or manual. Any data that shall be a part of a filing system shall be subject to the scrutiny of the GDPR.
  2. Processing of personal data by an establishment even if the processing does not take place in the European Union. 
  3. The data processors who are not situated in the Union but are targeting its members.
  4. The data processors that are not located in the EU but tracking the behaviour of individuals located in the EU by way of technology in order to ascertain their personal preferences.
  5. A data controller located in a consulate of a Member State.

B. Exclusion: 

The following activities are outside the scope of the GDPR:

  1. When the institutions, bodies or any other agencies associated with the European Union shall process the natural data, it shall be subject to the Regulation (EC) No 45/2001 of the European Parliament and of the Council. All other data protection acts shall be brought in sync with this particular Regulation to bring in uniformity across the European Union.
  2. Organizations with employees lesser than 250 people
  3. Processing of personal data of legal entities including the name and form of the legal person and their contact details.
  4. Processing of personal data by Member States when the activity related is to the common foreign and security policy of the European Union.
  5. Processing of personal data purely while carrying out a personal or household activity. The GDPR is only applicable when the processing occurs during a commercial activity. 
  6. Processing of personal data by authorities in order to detect, investigate, prevent a crime. 
  7. Processing of personal data by judicial authorities and courts upto a certain extent. GDPR should not hinder the independence of the judiciary.
  8. Liability rules of intermediary service providers which are governed by Directive 2000/31/EC of the European Parliament
  9. GDPR does not apply to anonymous information. It only relates to personal data of persons that can be identified
  10.  Personal data of deceased persons

Reference:

  1. https://gdpr.eu