GDPR and the legal context.
Subject matter and objectives of GDPR
- This Regulation lays down rules on the protection of natural persons with regard to the processing of personal data and on the free movement of personal data.
- This Regulation protects the fundamental rights and freedoms of natural persons and in particular their right to protection of personal data.
- The free flow of personal data in the Union is neither restricted nor prohibited for reasons related to the protection of natural persons with regard to the processing of personal data.
Material scope of GDPR
- This Regulation shall apply to wholly or partly automated processing as well as to the processing of personal data contained in a filing system or intended to be contained in a filing system.
- This Regulation does not apply to the processing of personal data:
(a) in the context of activities outside the scope of Union law;
(b) by Member States when carrying out activities within the scope of the EU;
(c) by a natural person in the exercise of a purely personal or domestic activity;
(d) by competent authorities for the purpose of preventing, investigating, detecting and prosecuting criminal offenses or executing penalties, including the protection from and prevention of threats to public safety.
- The processing of personal data by Union institutions, bodies, offices and agencies is governed by Regulation (EC) No 45/2001. Regulation (EC) No 45/2001 and other legal acts of the Union applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.
- This Regulation is without prejudice to the application of Directive 2000/31/EC and, in particular, of the rules in Articles 12 to 15 of that Directive concerning the ancillary liability of service providers acting as intermediaries.
Territorial scope of GDPR legislation
- This Regulation shall apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, whether or not the processing takes place in the Union.
So as soon as an organization has a branch in the Union, the GDPR applies, regardless of whether the processing takes place in the Union!
Example: Microsoft and Facebook have a European subsidiary, so Paragraph 1 applies. Twitter and Google do not have this, hence paragraph ?
- This Regulation applies to the processing of personal data of data subjects located in the Union by a controller or processor not established in the Union where the processing is related to:
(a) offering goods or services to such data subjects in the Union, regardless of whether a payment by the data subjects is required; or
(b) monitoring their conduct, to the extent such conduct takes place in the Union.
However, they must appoint a representative in the Union (Art. 27).
- This Regulation shall apply to the processing of personal data by a controller not established in the Union, but in a place where, under public international law, Member State law applies.
Example: processing by consulates and other diplomatic establishments of Union Member States, outside the Union.