Material and Territorial Scope of GDPR
Material Scope of the GDPR
The GDPR applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
In practice, this means that most everyday handling of personal data will fall within the material scope of the GDPR. However, article 2(2) of the GDPR sets forth certain specific exclusions. The Regulation does not apply to:
- processing activities conducted outside the scope of Union law, including activities related to national security;
- processing activities carried out by competent authorities for law enforcement purposes, which are regulated by Subsidiary Legislation 586.08;
- processing activities carried out by EU institutions, bodies, offices and agencies, which are subject to Regulation (EU) 45/2001;
- processing by natural persons in the course of a purely personal or household activity (the household exemption).
Examples of the household exemption include:
- maintaining private correspondence or address books;
- personal use of social media within a private context;
- operating a CCTV camera confined to the boundaries of one’s private property.
Territorial Scope of the GDPR
The GDPR applies to controllers and processors established in the Union, as well as to those established outside the Union where their activities target data subjects in the Union. This includes offering goods or services to data subjects in the Union, irrespective of whether payment is required, or monitoring their behaviour insofar as that behaviour takes place within the Union.
Factors indicating that a controller envisages offering goods or services to data subjects in the Union include the use of a language or currency generally used in the Member States, the possibility of ordering goods and services in that language, or references to customers or users located in the Union.
Controllers and processors which are not established in the Union, but whose processing activities fall within the territorial scope of the GDPR, are required to designate in writing a representative in the Union, unless the processing is occasional or the controller is a public authority or body.
Further guidance on the interpretation of the territorial scope of the GDPR is provided in the European Data Protection Board’s Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), which clarify the application of the “establishment” and “targeting” criteria.
