The EU General Data Protection Regulation (GDPR) affects millions of businesses. The GDPR is wide-reaching in many different ways:
We're going to look at the circumstances in which you might not need to obey this particular law.
The GDPR applies to all companies in the EU. It also applies to companies that have no office or employees in the EU. But it doesn't apply to every company in the world.
Article 3 of the GDPR states that the GDPR applies to any company, anywhere in the world, that:
Let's see whether either of these conditions applies to your company.
It's relatively simple to determine whether your company offers goods and services in the EU.
Some companies feel the need to block EU users from their website. They're worried they'll be accused of "offering goods and services in the EU." This shouldn't normally be necessary. The mere fact that a company's website can be reached from the EU is not, in itself, enough to bring it within the GDPR.
Recital 23 of the GDPR lists some relevant factors used to determine whether a company is "offering goods and services" in the EU:
Intention is important. For example, let's take that first point.
Many European languages are, obviously, spoken outside of the EU. Taken in isolation, using English or Spanish on your website is not in itself a sign of a company's target market. Using Finnish or Maltese might be a different matter.
It should be easy for you to determine whether your company offers goods and services to EU customers. Some common indications are:
It's also fairly simple to determine whether you're "monitoring the behavior" of people in the EU. However, it's possible to do this by accident.
When the GDPR speaks of "monitoring people's behavior," this includes using cookies. Targeted advertising involves tracking a person's activities online, and building up a profile of their preferences. This is also known as "profiling."
It's easy to get caught out if your company uses tracking cookies on its website. For example, if you run Facebook retargeting ads, or your app runs Google AdMob, this qualifies as monitoring people's behavior.
If EU users are likely to be caught up in your ad campaigns, the GDPR applies to you. Your intention is not relevant in this case.
The GDPR defines personal data broadly. But it's important to remember that not all data is personal data.
Article 4 of the GDPR defines personal data as "any information relating to an identified or identifiable natural person." An "identifiable natural person" means a living individual. Personal data can relate to an individual directly or indirectly (in combination with other data).
Examples of personal data include:
This definition extends very far. For example, it even includes IP addresses.
An IP address is the string of numbers that identifies a device as it connects to the internet. Even a dynamic IP address, which changes each time a person logs on, can be personal data under the GDPR.
Think about that for a moment. How can something as obscure as a dynamic IP address be considered personal data?
The answer comes from the legal case of Breyer v Germany. The case involved a website admin who had logged the IP address of visitors to his website. The question was whether this was a set of personal data or just a list of numbers.
The IP addresses alone could not reveal who had visited the site. However, Internet Service Providers (ISPs) have additional data that can link IP addresses to individual people. Although it's unlikely that the two data sets will ever be matched up, it is possible. This is why IP addresses must be treated as personal data.
This gives you an idea of how "indirect identifiers" work. Just because you can't identify an individual via a piece of information, that doesn't mean it's not personal data.
"Processing" covers any activity that you might carry out on personal data, including sending, storing, or erasing it. You can read more about this in our article What Activities Count as Processing Under the GDPR?
Recital 26 of the GDPR states that the GDPR doesn't apply to anonymous data. This includes data that was once personal data but has been permanently stripped of all identifying information.
But you must be careful here. The GDPR does still apply to:
These methods are not anonymization. Pseudonymized and encrypted data must still be treated as personal data. So long as there is a set of additional information or a key that can be used to re-identify the data, the data is not anonymous.
Anonymous data can never be associated with an individual. Anonymization is often used for numerical data but can also be used in other contexts.
Here's an example. As we've discussed, an IP address can be personal data. However, you might want to log the IP addresses of visitors to your website. This can reveal the location where your website is most popular.
Web analytics provider Matomo allows website admins to collect IP addresses anonymously. It offers three levels of anonymization. Depending on the degree of accuracy required, it is best to choose the option that reveals the least about your visitors:
And here's an example of how non-numerical data might be anonymized, from the Information Commissioner's Office (ICO).
This is the original text:
And here's the same text, anonymized:
So long as you're sure data cannot be associated with a living individual, the GDPR does not apply to it.
Recital 15 of the GDPR tells us that the GDPR is "technologically neutral." The GDPR applies if you're using a computer. And in theory, it can even apply if you're writing with crayons on the back of a napkin.
It's a little more complicated than that. According to Article 2 of the GDPR, the GDPR applies when you're processing personal data:
Automated processing is what computers do. So, if you're using a computer (or other electronic device) to process personal data, you must comply with the GDPR.
To be clear, this includes the following situations:
These are all examples of "automated means" of processing under the GDPR.
This rule also applies where you're processing personal data partly by automated means. If a computer has been used to process a set of personal data at any point during its lifespan, you must comply with the GDPR whenever you're processing that set of personal data.
Processing personal data doesn't require a computer. You can do it the old-fashioned way, with pen and paper. This is known as "manual processing."
However, the GDPR does make a distinction here. The GDPR doesn't generally apply to hand-written scraps of paper on someone's desk, even if they contain personal data. The papers must be part of an organized "filing system." Or, they must be intended to be part of such a system.
A "filing system" involves some sort of ordering of the personal data. Examples include:
So, companies can't circumvent the GDPR by using paper records. The rules still apply to paper records.
For example, paper records:
Individuals have some control over paper records containing their personal data. This applies in the same way as with electronic records. If you get a subject access request from a customer, you must provide them with copies of both electronic and paper files containing their personal data.
And if you're sending paper records to a non-EU country by international mail, the rules about international data transfers still apply.
The "manual processing" exception is designed to offer some leniency in certain situations. Jotting down notes during a phone call or meeting might not be subject to all of the GDPR's rigorous rules.
However, the context is always key. If you're in any doubt about whether a piece of personal data might be covered by the GDPR, you should assume it will be. This exception doesn't provide an excuse to ignore that pile of old customer records in your bottom drawer.
Unlike many data protection laws, the GDPR isn't aimed at any particular sector or type of company. It's not restricted to commercial or public administration contexts. The GDPR can apply in virtually any context, except one.
Article 2 of the GDPR states that the GDPR doesn't apply to a "purely personal or household activity."
Recital 18 of the GDPR provides some examples of personal and household activities:
Again, you'll need to be very careful before deciding that your data processing falls under this exemption. The key word is "purely."
The legal case of Rynes v Office for Personal Data Protection can help us understand how strict the GDPR can be about this. The case involved Mr. Rynes, who had set up security cameras in his garden. The cameras were designed to monitor his property but also filmed part of a public area.
The Czech Data Protection Authority fined Mr. Rynes for filming members of the public without their consent. Mr. Rynes appealed, arguing that he was covered by the personal and household activities exemption.
The court decided that although the filming was for private purposes, it involved people who were not part of Mr. Rynes' private life. Therefore, Mr. Rynes was not covered by the exemption and had to comply with the GDPR.
There are some other situations in which the GDPR does not apply. These exemptions vary between EU countries, and few of them are available to private sector companies.
Here are some examples of where GDPR exemptions can apply:
The GDPR has a broader reach than most laws. You may have realized that your company needs to comply with the GDPR. Or you may have discovered that the GDPR applies to you in an unexpected way.
The GDPR imposes a lot of obligations. Here are some of the most basic things you can do to comply:
You're accountable for your compliance with the GDPR. Now you're aware of the limited exceptions to the law. Start taking steps to comply wherever necessary.
We've looked at some of the areas in which the GDPR might not apply:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
18 January 2021