Commentary on art. 2
Material scope
The GDPR applies to the processing of personal data:
wholly or partly by automated means;
other than by automated means, where the personal data form part of a filing system;
or where the personal data is intended to form part of a filing system.
Automated processing is any digital processing of personal data. Non-automated processing occurs only when personal data is recorded and stored exclusively in paper form.
The GDPR does not apply to the processing of personal data:
in the course of an activity which falls outside the scope of Union law;
by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
by a natural person in the course of a purely personal or household activity;
by competent authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of penalties, including the safeguarding against and the prevention of threats to public security.
In what situations does the GDPR apply?
The GDPR applies to the processing of personal data in three situations (unless the grounds for excluding its application set out in GDPR Article 2(2) or Article 3 arise – we write about these later in the commentary):
where the processing of personal data is carried out wholly or partly by automatic means;
where the processing of personal data is carried out by other than automated means, but the personal data processed form part of a filing system;
where the processing of personal data is carried out wholly or partly by means other than automated means, but the processed personal data is to form part of a filing system.
If any of the above scenarios apply to data processing activities, the entity processing data will be subject to the GDPR in carrying out those activities and will be required to comply with the GDPR (unless one of the above exclusions applies to the data processing activity).
When is personal data processed by automated means?
As a general rule, the GDPR will always apply to situations where the processing of personal data is carried out by wholly or partly automated means.
The GDPR does not provide a definition of “automated processing”. From a practical point of view, it can be assumed that “automated processing” subject to the GDPR takes place whenever personal data is processed digitally (which includes the collection, organisation, analysis or storage of data) using computers, smartphones and other mobile devices, software, web applications, IT systems, hard disks, cloud computing, the Internet, telephones, the recording of images, sounds or other human (biometric) characteristics, Internet of Things or Internet of Bodies solutions, and tracking devices including GPS.
As far as semi-automated data processing is concerned, it can be assumed (with some simplification) that it occurs if the processing is carried out digitally, even if only partially (e.g. only one stage of data processing, such as data collection, transmission or storage, is carried out digitally).
Processing by non-automated means occurs when it is carried out without the use of digital solutions, for example in a way that personal data is entirely recorded and stored in paper form. Importantly, if digital means (e.g. computers or scanners) are used to process such data at any stage, the processing is considered to be carried out by automated means, even if only partially, for the purposes of the GDPR.
What is a “filing system” and when does it include personal data? When does the GDPR apply to non-automated data processing?
The GDPR will apply to non-automated processing of personal data, in particular when the personal data being processed forms part of a filing system. In practice, this means that the only personal data falling outside the GDPR is data that is processed in an entirely analogue form (i.e. without any involvement of digital means or solutions) and, at the same time, neither is nor is intended to be part of a filing system (this is discussed in more detail below).
As defined in the GDPR, a “filing system” is a structured set of personal data that is accessible according to certain criteria, regardless of whether that set is centralised, decentralised or distributed on a functional or geographical basis. At the same time, Recital 15 of the GDPR indicates that files or sets of files and their cover pages that are not structured according to specific criteria should not fall within the scope of the GDPR.
From a practical point of view, filing systems within the meaning of the GDPR are, in principle, all files, archives, books, registers and databases containing personal data. The key criteria for distinguishing a filing system within the meaning of the GDPR from other sets of data outside its scope are whether the data collected in a particular set contains personal data, and whether it is accessible according to certain criteria. The GDPR does not specify what these criteria are, nor to what level of detail accessibility should be structured or organised. Thus, only those sets, databases or archives containing personal data that are completely unstructured according to any criteria, even the most general, and therefore not accessible according to any criteria, can be considered not to be filing systems (datasets) in the sense of the GDPR. It seems that, in practice, private entities will rarely hold such completely unstructured sets.
On the other hand, personal data is part of a filing system if it is contained (recorded) in the dataset or in elements forming part of it (e.g. in a document belonging to the dataset in the form of an archive).
To summarise:
The GDPR applies to the processing of personal data (even where no part of the processing is carried out digitally) if the data is directly recorded in, or contained in an element (e.g. a document) included in, a set organised or maintained in such a way as to allow access to the data contained therein according to any established criteria, even the most general ones.
The GDPR does not apply to the processing of personal data that is not digitally processed, even to a minimal extent, and at the same time is not (and is not intended to be – as further elaborated below) included in any way in a set which is organised or maintained in such a way that it allows access to the data contained therein according to any established criteria, even the most general ones.
When is personal data intended to form part of a filing system? When does the GDPR apply to non-automated processing of data that does not form part of a filing system?
The GDPR also applies to personal data processed in a non-automated manner where the personal data is intended to form part of a filing system.
At the same time, the GDPR does not clarify who should assess whether certain data is intended to form part of a filing system, or how. The lack of precise guidance leads to difficulties of interpretation and poses a practical problem in situations where personal data is processed in a fully analogue manner and, at the same time, does not form part of a dataset. Indeed, in principle, any personal data processed in an analogue manner may potentially become an element of a dataset maintained by the data collector or by another entity. Does the mere fact that personal data may potentially be an element of a dataset (i.e., in particular, that it has the characteristics that enable it to be included in the dataset) therefore justify the conclusion that the data is intended to become an element of a dataset (even if not at the moment of its collection, but, for example, in the future)? This has important implications.
As the doctrine rightly points out,
linking the protection of personal data or privacy more broadly with the need to include or designate personal data in datasets is not only a certain archaism, but would also lead to a protection gap, especially as it should be irrelevant for the data subject whether the controller processing his or her data intends to include it in a dataset or not (D. Lubasz [in:] GDPR. General Data Protection Regulation. Commentary, E. Bielak-Jomaa [ed.], Warsaw 2018, Article 2).
The cited authors also point out – particularly in view of the aforementioned protection gap – that:
the explicit wording of Article 2(1) in fine does not allow the concept of a set to be completely excluded from the interpretation process, but in my opinion it does allow the thesis that the Regulation is already applicable in the case where it is possible that the processed data can be found in a dataset, regardless of whether it is ultimately found in it (D. Lubasz [in:] GDPR. General Data Protection Regulation. Commentary, E. Bielak-Jomaa [ed.], Warsaw 2018, Article 2).
It also seems correct to assume that the assessment of whether certain data should be part of a dataset cannot be separated from the particular case of processing (e.g. D. Lubasz [in:] GDPR. General Data Protection Regulation. Commentary, E. Bielak-Jomaa [ed.], Warsaw 2018, Article 2:
At the same time, it should be resolved that the analysis of the possibility of including the processed data in the set cannot be carried out in the abstract, as the premise of the actual or potential inclusion of the data in the set would lose any legal significance. It is therefore necessary to share the view expressed on the basis of the provisions in force until now, while at the same time confirming its validity in the sense that the assessment should be relative and that the individual circumstances of a particular case should be taken into account).
In light of the above, it would seem that where certain data is not digitally processed and at the same time is not part of a filing system, but the circumstances of the case indicate that the processing is intended to lead to the inclusion of that data in a filing system, or that the data could potentially be included in a filing system, there is in practice a significant risk that such personal data will fall within the scope of the GDPR.
To which types of processing of personal data does the GDPR not apply?
The GDPR does not apply to the processing of personal data:
in the course of an activity which falls outside the scope of Union law;
by Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
by a natural person in the course of a purely personal or household activity;
by the competent authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of penalties, including the protection against and prevention of threats to public security.
When does the processing of personal data relate to activities outside the scope of EU law?
This exclusion primarily applies to the processing of personal data carried out in the framework of national security activities of Member States (see P. Fajgielski, Commentary to Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (General Data Protection Regulation) [in:] General Data Protection Regulation. Personal Data Protection Act. Commentary, 2nd edition, Warsaw 2022, Article 2). Therefore, this exclusion does not apply to data processing by private entities.
What is the processing of personal data by Member States in the exercise of activities falling within the scope of Chapter 2 of Title V of the TEU?
Chapter 2 of Title V of the Treaty on European Union (TEU) concerns the common foreign and security policy. The activities of Member States and their bodies involving the processing of personal data carried out in the implementation of the EU's Common Foreign and Security Policy are not subject to the provisions of the GDPR. This exception therefore does not apply to the processing of data by private parties.
When is the processing of personal data carried out by a natural person in the context of an activity of a purely personal or household nature?
For a particular processing of personal data to fall outside the scope of the GDPR, both of the following conditions must be met:
The processing is carried out by a natural person;
The processing is carried out in the course of an activity of a purely personal or household nature.
As can be seen, in order for the discussed exclusion to apply, the processing of personal data must be carried out by a natural person on his or her own behalf and for purposes specified by that natural person. In other words, the exclusion in question will never cover the processing of personal data carried out by legal persons (e.g. companies) or similar organisational units.
Activities of a purely personal or household nature are not defined in the GDPR. As a result, doubts may arise as to when a natural person carries out data processing in the context of such activities. This question often requires in-depth analysis of individual factual situations.
However, from a practical point of view, the following general guidelines can be formulated in order to assess the applicability of the relevant exclusion:
If a natural person carries out certain data processing in the context of his or her professional, commercial or business activities, such processing is not covered by the exclusion in question and the GDPR applies to it.
The use of the term “purely” indicates that the exclusion in question can be applied only to data processed exclusively in the context of activities of a personal or household nature. This means that processing carried out by a natural person that is not confined to activities of a personal or household nature should not be covered by the exclusion in question, and the GDPR should apply to it.
According to Recital 18 of the GDPR, “personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken in the context of such activities”. The processing of personal data by a natural person should therefore be covered by this exclusion from the application of the GDPR if:
it is carried out exclusively in his or her private correspondence;
it concerns him or her keeping addresses for private purposes;
it is carried out by him or her for the sole purpose of social networking;
it is carried out by him or her as part of his or her online pursuits of a purely personal or household nature.
In order to assess whether the processing in question is carried out in the context of activities of a personal or household nature, it is necessary to take a global view of the scope, intensity and nature of the processing in question. Indeed, it may turn out that processing, the purpose of which appears, in principle, to fall within the scope of processing of a personal or household nature, goes beyond that scope (and thus falls within the scope of the GDPR) if it is carried out on an unreasonably wide scale.
For example, in a decision of 23 December 2019 (DKE.440.72.2019), the Polish Office for the Protection of Personal Data stated that
the provision of Article 2(2)(c) of Regulation 2016/679 must be interpreted as meaning that the use of a system of cameras that store images of persons on a continuous recording device, such as a hard drive, installed by a natural person in his or her family home in order to protect the property, health and life of the owners of the home, a system that monitors a public space, does not constitute data processing in the course of activities of a purely personal or household nature within the meaning of this provision.
This means that the surveillance of a natural person’s private space by means of cameras is in principle covered by this exclusion from the application of the GDPR, but not if this surveillance also covers the public space adjacent to the private space.