Article 2

Material Scope

Overview:

The article defines the scope and applicability of GDPR.
The article states the following:

  1. GDPR applies to the processing of personal data by automated or non-automated means.
    An example of automated processing is an online shopping portal that collects a customer's name, address and credit/debit card information in order to process the order the customer placed. Non-automated processing is where personal data is collected without the use of computers or any other technology. An example would be a dentist collecting patient data on paper and storing it in a filing cabinet.
  2. The GDPR applies to all data controllers and processors in the EU, regardless of whether the processing activity itself takes place inside or outside the EU.
  3. However, GDPR also exempts certain processing activities from its scope, such as household activities, law enforcement, national security and all activities that fall outside the scope of EU law.

Implementation Guidance

  1. Perform a data discovery exercise to identify whether personal data of EU citizens is involved in any processing activity.
  2. Identify the context/purpose of the processing activity to find out whether it is exempted under the regulation.
  3. Appoint a Data Protection Officer (DPO) if required.

Compliance Checklist

  1. Privacy Policy
  2. Data Discovery
  3. Data Protection Officer (DPO) if required

Examples and Use Cases

  1. An organisation uses a payroll management system for processing the salary of EU citizens (employees).
  2. An online shopping portal collects personal data of EU citizens, such as name, address and credit card information, to fulfil the orders placed.
  3. An individual maintaining an address book for personal purposes is exempted from the purview of GDPR.