What processing operations is the GDPR applied to?
The Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
What processing operations is the GDPR not applied to?
- The processing of personal data conducted in the course of activities which fall outside the scope of Union law.
- Processing conducted by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty of the European Union (TEU).
- The processing of personal data by a natural person in the course of a purely personal or household activity.
- Processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security
What is the territorial scope of application?
In the European Union: this Regulation applies to organisations that process personal data (be it the controller of the data processor) in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
Outside the European Union: this Regulation applies to the processing of personal data of data subjects who are in the Union, by a controller or data processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of the behaviour of these data subjects, as far as their behaviour takes place within the Union.