GDPR Scope

What sort of data processing does the GDPR apply to?

The GDPR applies to two kinds of personal data processing:

  • Processing carried out wholly or partly by automated means; and
  • Processing that forms part of, or is intended to be part of, a physical or electronic filing system.

‘Processing’ includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, disclosure, etc. of personal data.

Find out more about GDPR compliance

How does the GDPR define personal data?

The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’)”

An identifiable natural person is anyone “who can be identified, directly or indirectly”. In particular, this refers to identification by reference to an identifier such as:

  • A name;
  • An identification number;
  • Location data;
  • An online identifier; or
  • One or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

Find out more about GDPR compliance

How does the GDPR affect businesses outside the EU?

Since Brexit, there are two versions of the GDPR: the EU GDPR and the UK GDPR. The UK GDPR applies to controllers and processors outside the UK if their processing activities relate to:

  • Offering goods or services to UK residents; or
  • Monitoring the behaviour of UK residents.

The EU GDPR applies to non-EU controllers and processors if their processing activities relate to:

  • Offering goods or services to EU residents; or
  • Monitoring the behaviour of EU residents.

The EDPB (European Data Protection Board)’s draft guidelines on the GDPR’s territorial scope can be found here.

Find out more about GDPR compliance

What is a data breach under the GDPR?

The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.

Find out more about GDPR compliance

What is the difference between personal data and sensitive data under the GDPR?

Personal data is any information relating to an identified or identifiable natural person (data subject).

Sensitive data – or ‘special categories of personal data’ under the GDPR – is:

  • Data that reveals data subjects’ racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data (when used to identify a data subject);
  • Data concerning health; and
  • Data concerning a data subject’s sex life or sexual orientation.

Sensitive data must not be processed except in certain circumstances.

Find out more about GDPR compliance

What is the difference between a data processor and a data controller under the GDPR?

A data controller is the “natural or legal person, public authority, agency or any other body that, alone or jointly with others, determines the purposes and means of the processing of personal data”.
A data processor is the “natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller”.

Find out more about GDPR compliance

LEARN
FOR LESS
SAVE 25%