GDPR Recitals 14–23: GDPR Scope of Protection – Coverage for Natural Persons, Exclusion of Legal Entities

You can access the official legal text of GDPR via the European Union’s legal database at eur-lex.europa.eu.

Recital (14): Scope of Protection: Natural Persons Covered, Legal Persons Excluded

“The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.”

1. Scope of Protection

  • Subject: Natural persons
  • Coverage: Applies regardless of nationality or place of residence
  • Context: In relation to the processing of their personal data

2. Exclusion from Scope

  • Excluded Entities: Legal persons
  • Specifics of Exclusion:
    • Undertakings established as legal persons
    • Includes:
      • Name of the legal person
      • Form of the legal person
      • Contact details of the legal person

This structure highlights the distinction between who is protected (natural persons) and who is not (legal persons), along with the specific types of data excluded from protection under the Regulation.

Recital (15): Technological Neutrality and Scope of Data Processing under Filing Systems

To avoid loopholes, safeguards for individuals must apply regardless of the technology used. These protections extend to both automated and manual handling of personal data, provided the data is organized or intended to be organized in a structured system. However, unstructured files or documents that lack specific organization criteria are excluded from the Regulation’s scope.

“The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.”

What Falls Within The Regulation?

Structured data: GDPR applies to personal data that is processed in a filing system, meaning any structured set of personal data accessible according to specific criteria.

This includes both automated and manual processing, as long as the data is part of a system that allows retrieval based on identifiable criteria (e.g., alphabetical order, categories, tags).

What Is Not Covered?

Unstructured files: If documents or sets of documents are not organized in a way that allows systematic access to personal data—such as random notes, loose papers, or cover pages without indexing—they fall outside the scope of GDPR.

The key exclusion is based on lack of structure: if there’s no consistent method to retrieve personal data based on specific criteria, the Regulation does not apply.

EU Legal Interpretation

Article 4(6) GDPR defines a “filing system” as any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised, or dispersed on a functional or geographical basis. Supervisory authorities apply this definition when deciding whether manual records fall within scope.

The structure must allow specific criteria to be used for accessing personal data—this is the threshold for GDPR applicability.

You can find more detailed interpretation in the European Commission’s legal framework overview.

Recital (16): Exclusions from GDPR Scope: National Security and Union Foreign Policy Activities

GDPR does not apply to the protection of fundamental rights or the free flow of personal data in relation to activities that fall outside the scope of Union law, such as activities concerning national security. It also does not apply to processing carried out by Member States in relation to the Union’s common foreign and security policy.

Recital (17): Alignment of EU Institutional Data Protection Rules with GDPR Framework

Regulation (EC) No 45/2001 sets rules for EU institutions’ data handling and should be updated to align with the newer framework, ensuring consistent and simultaneous application across the Union.

Recital (18): Exemption for Personal and Household Activities; Applicability to Service Providers

The Regulation does not cover personal data processing done by individuals for private or household purposes, as long as it’s unrelated to business or professional activities. Examples include personal communication, maintaining contact lists, or using social media privately. However, the Regulation does apply to any organization or service provider that facilitates such personal data processing.

Recital (19): Distinction Between GDPR and Law Enforcement Directive: Scope, Exceptions, and Member State Flexibility

Personal data used for law enforcement or public security is governed by Directive (EU) 2016/680, not the general data protection regulation (GDPR). 
If public authorities collect data under GDPR but later use it for criminal investigations or public safety, they must switch to the rules of the Directive.
However, if those authorities perform tasks unrelated to crime or security—like administrative duties—the GDPR still applies.

Recital (19), continued: Member State Flexibility in Applying GDPR for Public and Private Sector Data Processing

Member States can maintain or introduce more specific provisions for competent authorities based on their national systems, and may by law restrict certain obligations and rights for private entities where this is necessary and proportionate to safeguard public security, criminal justice, or similar important interests—for example in anti-money laundering or the work of forensic laboratories.

“…Such provisions may determine more precisely specific requirements for the processing of personal data by those competent authorities for those other purposes, taking into account the constitutional, organisational and administrative structure of the respective Member State.”

“This is relevant for instance in the framework of anti-money laundering or the activities of forensic laboratories.”

Recital (21): Preservation of E-Commerce Directive in Relation to GDPR: Liability and Free Movement of Digital Services

This Regulation does not override the rules in Directive 2000/31/EC, which specifically govern how intermediary service providers (like hosting platforms or internet access providers) are held liable. That Directive remains in force to ensure that digital services—such as online platforms and e-commerce—can move freely and function smoothly across EU Member States.

Recital (22): Territorial Scope of GDPR: Applicability Based on EU Establishment, Not Processing Location

Any organization with a stable and active presence in the EU must follow the GDPR for all personal data processing tied to its EU operations—even if the data is handled outside the EU. This applies regardless of whether the presence is through a branch, office, or subsidiary. What matters is the actual business activity in the EU, not the legal form it takes.

“Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”

What Does “Stable and Active Presence” Mean Under EU Interpretation?

The GDPR doesn’t define “establishment” in strict legal terms, but the EU interprets it broadly to ensure effective protection of personal data. Here’s how it’s understood:

Key Criteria For an “Establishment” in the EU:
  • Real and effective activity: The organization must be genuinely operating in the EU—not just having a mailbox or a shell presence.
  • Stable arrangements: This implies continuity, such as having staff, offices, or infrastructure that support ongoing business operations.
  • Legal form is irrelevant: Whether the entity is a branch, subsidiary, or even a representative office doesn’t matter. What counts is the substance of the activity.
Examples of What Qualifies:
  • A U.S. company with a sales office in Germany that markets to EU customers.
  • A tech firm with a customer support center in Ireland serving EU users.
  • An e-commerce platform with EU-based logistics or marketing teams.
What Doesn’t Qualify:
  • A company that merely hosts a website accessible in the EU, without targeting EU users.
  • Occasional or sporadic business activity without infrastructure or personnel in the EU.

This interpretation was shaped by case law from the Court of Justice of the EU (CJEU), especially the Google Spain case. That case was decided under the earlier Directive 95/46/EC, but its reasoning on “establishment” carries over to GDPR: a non-EU company is subject to EU data protection law when its EU establishment is involved in the data-related activities, even if the processing itself happens elsewhere.

Google Spain Case: Defining the Territorial Reach of EU Data Protection Law

One of the landmark cases from the Court of Justice of the European Union (CJEU) that clarified the territorial scope of EU data protection law is Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (Case C-131/12, judgment of 13 May 2014).

You can access the full judgment on EUR-Lex, the European Union’s official legal database.

This case established that EU data protection rules apply to non-EU companies if they operate through an establishment in the EU and process personal data in the context of the activities of that establishment, even where the processing is carried out by the non-EU parent. It also introduced the “right to be forgotten” in the context of search engines.

Recital (23): Applicability of GDPR to Non-EU Entities Offering Goods or Services to Individuals in the Union

To ensure individuals in the EU receive the data protection they are entitled to, the Regulation applies to personal data processing by organizations outside the EU if their activities involve offering goods or services to people within the Union, regardless of whether payment is required. Determining whether an organization targets EU individuals involves assessing whether it clearly intends to offer services in one or more Member States. Simply having a website accessible in the EU, listing contact details, or using a language common in the organization’s home country is not enough. However, using an EU language or currency, enabling purchases in that language, or referencing EU-based customers may indicate such intent.

“…data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.”
