GDPR FAQ – Scope

What sort of data processing does the GDPR apply to?

The GDPR applies to the processing of personal data wholly or partly by automated means, and processing other than by automated means of personal data that forms part of, or is intended to be part of, a filing system (whether physical or electronic).

‘Processing’ means any operation performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2)). Merely storing or deleting personal data therefore counts as processing.

Find out more about GDPR compliance >>


How does the GDPR define personal data?

The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’)” (Article 4(1)).

An identifiable natural person is “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.



How does the GDPR affect businesses outside the EU?

The GDPR applies:

  • To all processing that takes place in the context of the activities of a data controller or processor established in the EU – irrespective of whether the actual processing takes place within the EU;
  • To the processing of personal data of data subjects who are in the EU (regardless of their nationality or residence) by controllers or processors established outside the EU – if the processing activities are related to the offering of goods or services to those data subjects (whether or not payment is required), or to the monitoring of their behaviour as far as it takes place within the EU; and
  • To processing by a controller not established in the EU but in a place where member state law applies by virtue of public international law.

The EDPB (European Data Protection Board) has published guidelines on the GDPR’s territorial scope (Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)), which explain how these tests are applied in practice.



What is a data breach under the GDPR?

The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4(12)), i.e. data in any form. Note that the definition covers loss of availability or integrity (for example, personal data encrypted by ransomware or corrupted by error) as well as unauthorised disclosure. Unless the breach is unlikely to result in a risk to the rights and freedoms of individuals, the controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33).



What is the difference between personal data and sensitive data under the GDPR?

Personal data is any information relating to an identified or identifiable natural person (data subject).

Data that reveals a data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, together with genetic data, biometric data (when processed for the purpose of uniquely identifying a natural person), data concerning health, and data concerning a data subject’s sex life or sexual orientation, are all sensitive data – or ‘special categories of personal data’ under the GDPR (Article 9). Processing of these categories is prohibited unless one of the specific conditions in Article 9(2) applies (for example, the data subject has given explicit consent). Personal data relating to criminal convictions and offences is not a special category but is subject to its own restrictions under Article 10.



What is the difference between a data processor and a data controller under the GDPR?

A data controller is the “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4(7)).
A data processor is the “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” (Article 4(8)). The controller decides why and how personal data is processed; the processor acts only on the controller’s documented instructions and must not use the data for its own purposes, otherwise it becomes a controller in its own right for that processing.
