Overview
This article defines the scope of GDPR applicability, covering both automated and manual processing of personal data within filing systems. It excludes processing related to activities outside the scope of EU law, security tasks of Member States, and personal/household activities, as well as criminal justice processing.
Key Principles
Applicability: Covers both manual and automated personal data processing.
Exclusions: Does not apply to activities outside EU law, security-related tasks, or personal/household activities.
Processing within Filing Systems: Includes personal data processed within organized, structured filing systems (automated or manual).
Organizational Applicability
This article applies to all organizations that process personal data, provided the processing falls within the EU’s jurisdiction and is not related to excluded activities:
Organizations with automated/manual personal data processing.
Public and private sector entities (except for security and criminal justice exceptions).
Implementation Requirements
Data Processing Scope: Identify whether data processing is within the scope of GDPR (automated/manual).
Filing System Documentation: Maintain records of how personal data is processed in filing systems.
Exclusions Identification: Ensure processes are in line with exclusions (e.g., security tasks, personal activities).
Implementation Guidance
Scope Determination: Review data processing activities to ensure they fall under GDPR’s material scope.
Filing System Review: Document data processing activities within automated/manual filing systems.
Exclusion Identification: Confirm that excluded activities (e.g., personal/household data processing, criminal justice processing) are not governed by GDPR.
Periodic Review
Frequency: Annually or when changes in processing activities occur.
Responsible Role: Data Protection Officer (DPO) or Compliance Team.
Outcome: Review and update processing documentation, ensuring compliance with exclusions and scope.
Non-Compliance Risks
Penalties: GDPR fines of up to €20 million or 4% of global turnover.
Operational Impact: Loss of legal protection for processing activities that fall under excluded categories.
Reputational Damage: Harm to organizational trust and credibility in the market.