Subject and objectives of GDPR
1. This Regulation lays down rules on the protection of natural persons with regard to the processing of personal data and on the free movement of personal data.
2. This Regulation protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
3. The free movement of personal data within the Union shall not be restricted or prohibited for reasons related to the protection of natural persons with regard to the processing of personal data.
Material scope of GDPR
1. This Regulation applies to fully or partially automated processing, as well as to the processing of personal data that are included in a file or that are intended to be included therein.
2. This Regulation does not apply to the processing of personal data:
(a) in the context of activities falling outside the scope of Union law;
(b) by Member States when carrying out activities falling within the scope of the EU;
(c) by a natural person in the course of a purely personal or household activity;
(d) by the competent authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offenses or the execution of criminal penalties, including protection against and prevention of threats to public security.
3. Regulation (EC) No 45/2001 shall apply to the processing of personal data by the Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.
4. This Regulation is without prejudice to the application of Directive 2000/31/EC, and in particular of the rules in Articles 12 to 15 of that Directive concerning the liability of intermediary service providers.
Territorial scope of the GDPR legislation
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, whether or not the processing takes place in the Union.
So as soon as an organization has an establishment in the Union, the GDPR applies, regardless of whether the processing takes place in the Union.
Example: Microsoft, Facebook have a European subsidiary, so paragraph 1 applies. Twitter and Google don’t have this, hence a member ?
2. This Regulation applies to the processing of personal data of data subjects located in the Union by a controller or processor not established in the Union, where the processing is related to:
(a) offering goods or services to those data subjects in the Union, whether or not payment is required by the data subjects; or
(b) monitoring their behavior, to the extent that such behavior takes place in the Union.
They must, however, designate a representative in the Union (Art. 27).
3. This Regulation applies to the processing of personal data by a controller who is not established in the Union, but in a place where Member State law is applicable under public international law.
Example: processing operations by consulates and other diplomatic establishments of Member States of the Union, outside the Union.