Q&As

Under Article 3 of the General Data Protection Regulation, will all personal data processed ‘in the context of the activities of an establishment of a controller or a processor’ based in the EU fall under the regulation regardless if the personal data in question relates to EEA individuals or not?

read titleRead full title
Produced in partnership with Shobana Iyer of Swan Chambers
Published on LexisPSL on 18/12/2017

The following Information Law Q&A produced in partnership with Shobana Iyer of Swan Chambers provides comprehensive and up to date legal information covering:

  • Under Article 3 of the General Data Protection Regulation, will all personal data processed ‘in the context of the activities of an establishment of a controller or a processor’ based in the EU fall under the regulation regardless if the personal data in question relates to EEA individuals or not?

The General Data Protection Regulation (EU) 2016/679 (the GDPR) applies in all EU Member States from 25 May 2018. Note that in answering this question we have not commented on the detailed exemptions from the scope of the GDPR (eg under Article 2 of the GDPR) nor the proposed scope of the UK’s proposed Data Protection Bill (including the ‘applied GDPR regime’). For further information on that Bill, see Practice Note: The Data Protection Act 2018.

Personal data is defined in Article 4 of the GDPR as ‘any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.

The territorial scope of the GDPR is addressed in Article 3 of the GDPR, which expressly states that it ‘applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the union, regardless of whether the processing takes place in the union or not’. Hence, the GDPR would appear to encompass all establish

Popular documents