Article 2
Material scope

Official
Texts
Guidelines Caselaw Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 2 keyboard_arrow_down Hide the recitals of the Regulation related to article 2 keyboard_arrow_up

(14) The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.

(15) In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.

(16) This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.

(17) Regulation (EC) No 45/2001 of the European Parliament and of the Council applies to the processing of personal data by the Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data should be adapted to the principles and rules established in this Regulation and applied in the light of this Regulation. In order to provide a strong and coherent data protection framework in the Union, the necessary adaptations of Regulation (EC) No 45/2001 should follow after the adoption of this Regulation, in order to allow application at the same time as this Regulation.

(18) This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

(19) The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act. This Regulation should not, therefore, apply to processing activities for those purposes. However, personal data processed by public authorities under this Regulation should, when used for those purposes, be governed by a more specific Union legal act, namely Directive (EU) 2016/680 of the European Parliament and of the Council. Member States may entrust competent authorities within the meaning of Directive (EU) 2016/680 with tasks which are not necessarily carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security, so that the processing of personal data for those other purposes, in so far as it is within the scope of Union law, falls within the scope of this Regulation.

With regard to the processing of personal data by those competent authorities for purposes falling within scope of this Regulation, Member States should be able to maintain or introduce more specific provisions to adapt the application of the rules of this Regulation. Such provisions may determine more precisely specific requirements for the processing of personal data by those competent authorities for those other purposes, taking into account the constitutional, organisational and administrative structure of the respective Member State. When the processing of personal data by private bodies falls within the scope of this Regulation, this Regulation should provide for the possibility for Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific important interests including public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This is relevant for instance in the framework of anti-money laundering or the activities of forensic laboratories.

(20) While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.

(21) This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.

Show the recitals of the Directive related to article 2 keyboard_arrow_down Hide the recitals of the Directive related to article 2 keyboard_arrow_up

(12) Whereas the protection principles must apply to all processing of personal data by any person whose activities are governed by Community law; whereas there should be excluded the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses;

(13) Whereas the acitivities referred to in Titles V and VI of the Treaty on European Union regarding public safety, defence, State security or the acitivities of the State in the area of criminal laws fall outside the scope of Community law, without prejudice to the obligations incumbent upon Member States under Article 56 (2), Article 57 or Article 100a of the Treaty establishing the European Community; whereas the processing of personal data that is necessary to safeguard the economic well-being of the State does not fall within the scope of this Directive where such processing relates to State security matters;

(14) Whereas, given the importance of the developments under way, in the framework of the information society, of the techniques used to capture, transmit, manipulate, record, store or communicate sound and image data relating to natural persons, this Directive should be applicable to processing involving such data;

(15) Whereas the processing of such data is covered by this Directive only if it is automated or if the data processed are contained or are intended to be contained in a filing system structured according to specific criteria relating to individuals, so as to permit easy access to the personal data in question;

(16) Whereas the processing of sound and image data, such as in cases of video surveillance, does not come within the scope of this Directive if it is carried out for the purposes of public security, defence, national security or in the course of State activities relating to the area of criminal law or of other activities which do not come within the scope of Community law;

(17) Whereas, as far as the processing of sound and image data carried out for purposes of journalism or the purposes of literary or artistic expression is concerned, in particular in the audiovisual field, the principles of the Directive are to apply in a restricted manner according to the provisions laid down in Article 9;

The GDPR

The material scope of the Regulations remain unchanged compared to the Directive: applied to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system (Regulation Art. 2).

The definition of "personal data" in Article 4, 1) of the Regulation is  not really innovative compared to that of the Directive, but is modernized in its attempt to take into account the identifiability of the physical person in question: “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

The concept of 'personal data processing” is almost identical to that of the Directive, with two "operations” added ("structuring” and "restriction” that replaced the “blocking"). The notion of “filing system” is strictly identical, namely "any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis" (Art. 4, 2).

The list of processing not falling under the Regulation has barely changed in the second paragraph of Article 2.Excluded are the types of processing effected:

- in the course of an activity which falls outside the scope of Community law;

- by a natural person in the course of a purely personal or household activity;

- by the Member States in the context of their activities related to foreign policy and the common policy of the Union, in the meaning of Chapter 2 of title V of the Treaty on the European Union (the only “innovation” compared to the Directive).

Initially, the processing performed by the competent authorities for the purposes of prevention, investigation, detection or prosecution of crime, the enforcement of criminal penalties, including protection against and prevention of threats against public safety did not fall within the scope of the Regulation. However, this exclusion was not maintained in the final version of the Regulation. These types of processing are therefore governed by the Regulation (see the comment on Article 10).

Recital 17 specifies that the processing carried out by the Union institutions, bodies, offices and agencies remain governed by Regulation 45/2001, which will have to be adapted to the principles and rules of the future Regulation.

The Regulation recalls that it does not affect the application of the Directive 2000/31/EC known as “e-commerce”, which aims to ensure the free movement of the information society services between the Member States. The Regulation therefore applies without prejudice to the rules on liability of intermediaries provided for in articles 12 to 15 of Directive 2000/31/EC (see recital 21 and Article 2, paragraph 3 of the Regulation).

The Directive

This Directive was applied to the processing of personal data, wholly or partly automated, and to the non-automated processing of personal data contained or referred to in a file processed by either the public or the private sector.

The concept of automatic processing covered manual records, from the moment where the data are contained or are intended to be contained in a file.

The definitions helping to understand the material scope were therefore logically focused on the concept of "personal data" (Art. 2.a), "personal data processing" (art. 2b) and "personal data filing system” (Art. 2 c).

Article 3, paragraph 2 of the Directive provided two exceptions to its scope: the first exception applied to processing  in the course of an activity which falls outside the scope of Community law, such as those related to public security, defence, state security and the activities of the state in areas of criminal law. The second exception provided for in Article 3, paragraph 2, also deals with the processing by a natural person for the exercise of purely personal or household activities, such as correspondence and maintaining of directories of addresses.

Potential issues

Globally, the material scope of the Regulation remains unchanged compared to the Directive, which is rather reassuring and a source of legal certainty.

It should be noted that the unified definitions from the Directive would give rise to many concerns of interpretation, which were often dispersed by the application of the law of the Member States or by the interpretations given by the supervising authorities and Group 29.

The absence of modifications to the basic definitions of the law is rather reassuring and proves that eventually, they retain technological neutrality more than necessary in the light of the (r)evolutions having modified the process of data processing since 1995. We regret, however, that the notion of data processing has not evolved, in particular in its intrinsic connection with its purpose - still absent from the definition.

Austria

Concerning Art 2 para 1 GDPR: Legislative Power and Enforcement

As the GDPR applies to the processing of personal data wholly or partly by automated means it falls under the legislative power of the Austrian Federation ("Bund"), whereas the GDPR concerning the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system falls under the legislative power of each of the nine Austrian provinces ("Bundesländer").

Concerning Art 2 para 2 lit c GDPR:

The use for private purposes in § 45 DSG is on the one hand narrower than the one in Art 2 ara 2 lit c GDPR, on the other hand there seems to be a difference between "household activities" in the GDPR and "family matters" in the DSG. The DSG is narrower as the data have to be been disclosed by the data subject himself or that been received in a lawful manner. Furthermore, pursuant to the DSG data that are processed by a natural person for purely personal or family matters shall be transmitted for another purpose only with the consent of the data subject, unless expressly provided for otherwise by law.

Concerning Art 2 para 2 lit d GDPR:

The DSG does limit the obligation to notify the application to the Austrian Data Protection Authority (Link to Register) in this context.

Summary

European Union

European Union

CJEU caselaw

C-101/01 (6 November 2003) - Lindqvist

1.    The act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes ‘the processing of personal data wholly or partly by automatic means’ within the meaning of Article 3(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

2.    Such processing of personal data is not covered by any of the exceptions in Article 3(2) of Directive 95/46.

3.    Reference to the fact that an individual has injured her foot and is on half-time on medical grounds constitutes personal data concerning health within the meaning of Article 8(1) of Directive 95/46.

4.    There is no transfer [of data] to a third country’ within the meaning of Article 25 of Directive 95/46 where an individual in a Member State loads personal data onto an internet page which is stored on an internet site on which the page can be consulted and which is hosted by a natural or legal person who is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country.

5.    The provisions of Directive 95/46 do not, in themselves, bring about a restriction which conflicts with the general principles of freedom of expression or other freedoms and rights, which are applicable within the European Union and are enshrined inter alia in Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms signed at Rome on 4 November 1950. It is for the national authorities and courts responsible for applying the national legislation implementing Directive 95/46 to ensure a fair balance between the rights and interests in question, including the fundamental rights protected by the Community legal order.

6.    Measures taken by the Member States to ensure the protection of personal data must be consistent both with the provisions of Directive 95/46 and with its objective of maintaining a balance between freedom of movement of personal data and the protection of private life. However, nothing prevents a Member State from extending the scope of the national legislation implementing the provisions of Directive 95/46 to areas not included in the scope thereof provided that no other provision of Community law precludes it.

Opinion of Advocate general

Judgment of the Court

C-73/07 (16 December 2008) - Satakunnan Markkinapörssi and Satamedia

1.      Article 3(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is to be interpreted as meaning that an activity in which data on the earned and unearned income and the assets of natural persons are:

–        collected from documents in the public domain held by the tax authorities and processed for publication,

–        published alphabetically in printed form by income bracket and municipality in the form of comprehensive lists,

–        transferred onward on CD-ROM to be used for commercial purposes, and

–        processed for the purposes of a text-messaging service whereby mobile telephone users can, by sending a text message containing details of an individual’s name and municipality of residence to a given number, receive in reply information concerning the earned and unearned income and assets of that person,

must be considered as the ‘processing of personal data’ within the meaning of that provision.

2.      Article 9 of Directive 95/46 is to be interpreted as meaning that the activities referred to at points (a) to (d) of the first question, relating to data from documents which are in the public domain under national legislation, must be considered as activities involving the processing of personal data carried out ‘solely for journalistic purposes’, within the meaning of that provision, if the sole object of those activities is the disclosure to the public of information, opinions or ideas. Whether that is the case is a matter for the national court to determine.

3.      Activities involving the processing of personal data such as those referred to at points (c) and (d) of the first question and relating to personal data files which contain solely, and in unaltered form, material that has already been published in the media, fall within the scope of application of Directive 95/46.

Opinion of Advocate general

Judgment of the Court

C-212/13 (11 December 2014) - Ryneš

The second indent of Article 3(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision.

Opinion of Advocate general

Judgment of the Court

C- 25/17 (10 July 2018) - Jehovan todistajat

Article 3(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in the light of Article 10(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that the collection of personal data by members of a religious community in the course of door-to-door preaching and the subsequent processing of those data does not constitute either the processing of personal data for the purpose of activities referred to in Article 3(2), first indent, of that directive or the processing of personal data carried out by a natural person in the course of a purely personal or household activity, within the meaning of Article 3(2), second indent, thereof.

Opinion of Advocate general

Judgment of the court

C-73/07 (16 December 2008) - Satakunnan Markkinapörssi and Satamedia

1.      Article 3(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is to be interpreted as meaning that an activity in which data on the earned and unearned income and the assets of natural persons are:

  • collected from documents in the public domain held by the tax authorities and processed for publication;
  • published alphabetically in printed form by income bracket and municipality in the form of comprehensive lists;
  • transferred onward on CD-ROM to be used for commercial purposes, and;
  • processed for the purposes of a text-messaging service whereby mobile telephone users can, by sending a text message containing details of an individual’s name and municipality of residence to a given number, receive in reply information concerning the earned and unearned income and assets of that person;

must be considered as the ‘processing of personal data’ within the meaning of that provision.

2.      Article 9 of Directive 95/46 is to be interpreted as meaning that the activities referred to at points (a) to (d) of the first question, relating to data from documents which are in the public domain under national legislation, must be considered as activities involving the processing of personal data carried out ‘solely for journalistic purposes’, within the meaning of that provision, if the sole object of those activities is the disclosure to the public of information, opinions or ideas. Whether that is the case is a matter for the national court to determine.

3.      Activities involving the processing of personal data such as those referred to at points (c) and (d) of the first question and relating to personal data files which contain solely, and in unaltered form, material that has already been published in the media, fall within the scope of application of Directive 95/46.

Opinion of Advocate general

Judgment of the Court

C-345/17 (14 February 2019) - Buivids

1.      Article 3 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the recording of a video of police officers in a police station, while a statement is being made, and the publication of that video on a video website, on which users can send, watch and share videos, are matters which come within the scope of that directive.

2.      Article 9 of Directive 95/46 must be interpreted as meaning that factual circumstances such as those of the case in the main proceedings, that is to say, the video recording of police officers in a police station, while a statement is being made, and the publication of that recorded video on a video website, on which users can send, watch and share videos, may constitute a processing of personal data solely for journalistic purposes, within the meaning of that provision, in so far as it is apparent from that video that the sole object of that recording and publication thereof is the disclosure of information, opinions or ideas to the public, this being a matter which it is for the referring court to determine.

Opinion of Advocate general

Judgment of the Court

C-311/18 (19 December 2020) - Facebook Ireland et Schrems

1.   Article 2(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that that regulation applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, irrespective of whether, at the time of that transfer or thereafter, that data is liable to be processed by the authorities of the third country in question for the purposes of public security, defence and State security.

2.   Article 46(1) and Article 46(2)(c) of Regulation 2016/679 must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter of Fundamental Rights of the European Union. To that end, the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of that regulation.

3.   Article 58(2)(f) and (j) of Regulation 2016/679 must be interpreted as meaning that, unless there is a valid European Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of that regulation and by the Charter of Fundamental Rights, cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.

4.   Examination of Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EU of the European Parliament and of the Council, as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights has disclosed nothing to affect the validity of that decision.

5.   Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield is invalid.

Opinion of Advocate general

Judgment of the Court

C-817/19 (21 june 2022)

1. Article 2(2)(d) and Article 23 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that that regulation applies to the processing of personal data envisaged by national legislation intended to transpose, into domestic law, the provisions of Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data, those of Directive 2010/65/EU of the European Parliament and of the Council of 20 October 2010 on reporting formalities for ships arriving in and/or departing from ports of the Member States and repealing Directive 2002/6/EC and also those of Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, in respect of, on the one hand, data processing operations carried out by private operators and, on the other hand, data processing operations carried out by public authorities covered, solely or in addition, by Directive 2004/82 or Directive 2010/65. By contrast, the said regulation does not apply to the data processing operations envisaged by such legislation which are covered only by Directive 2016/681 and are carried out by the passenger information unit (PIU) or by the authorities competent for the purposes referred to in Article 1(2) of that directive.

Judgment of the court

Opinion of the advocate general

C-306/21 (20 October 2022) - Koalitsia "Demokratichna Bulgaria - Obedinenie" 

French (not available in English)

1)      L’article 2, paragraphe 2, sous a), du règlement (UE) 2016/679 du Parlement européen et du Conseil, du 27 avril 2016, relatif à la protection des personnes physiques à l’égard du traitement des données à caractère personnel et à la libre circulation de ces données, et abrogeant la directive 95/46/CE (règlement général sur la protection des données),

doit être interprété en ce sens que :

n’est pas exclu du champ d’application de ce règlement le traitement des données à caractère personnel dans le contexte de l’organisation d’élections dans un État membre.

2)      L’article 6, paragraphe 1, sous e), et l’article 58 du règlement 2016/679,

doivent être interprétés en ce sens que :

ces dispositions ne s’opposent pas à ce que les autorités compétentes d’un État membre adoptent un acte administratif d’application générale qui prévoit la limitation ou, le cas échéant, l’interdiction de l’enregistrement vidéo du dépouillement du scrutin dans les bureaux de vote lors d’élections dans cet État membre.

Arrêt rendu (french)

Retour au sommaire Retour au sommaire
Regulation
1e 2e

Art. 2

1.   This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2.   This Regulation does not apply to the processing of personal data:

(a) in the course of an activity which falls outside the scope of Union law;

(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;

(c) by a natural person in the course of a purely personal or household activity;

(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

3.   For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.

4.   This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

1st proposal close

Art. 2

1. This Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2. This Regulation does not apply to the processing of personal data:

(a) in the course of an activity which falls outside the scope of Union law, in particular concerning national security;

(b) by the Union institutions, bodies, offices and agencies;

(c) by the Member States when carrying out activities which fall within the scope of Chapter 2 of the Treaty on European Union;

(d) by a natural person without any gainful interest in the course of its own exclusively personal or household activity;

(e) by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

3. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

2nd proposal close

Art. 2

1. This Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2. This Regulation does not apply to the processing of personal data :

(a) in the course of an activity which falls outside the scope of Union law (...);

(b) by the Union institutions, bodies, offices and agencies ;

(c) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union;

(d) by a natural person (...) in the course of (...) a personal or household activity;

(e) by competent (...) authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences, the execution of criminal penalties or the safeguarding against and the prevention of threats to public security.

 3. (...).

Directive close

Art. 3 

1. This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.

2. This Directive shall not apply to the processing of personal data:

- in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law,

- by a natural person in the course of a purely personal or household activity.

All of the following in force until and after May 25, 2018:


(Constitutional Provision)

Legislative power and enforcement

§ 2 DSG

(1) The Federal Government ("Bund") shall have the power to pass laws concerning the protection of personal data that are automatically processed.

(2) The Federal Government shall have the power to execute such federal laws. Insofar as such data are used by a province, on behalf of a province, by or on behalf of legal persons established by law and whose establishment falls within the powers of the provinces regarding execution, these federal laws shall be executed by the provinces unless their execution has been entrusted to the Data Protection Authority, the Data Protection Council or the courts by federal law.

All of the following in force since May 25, 2018:


§ 4 DSG

[...]

(7) Insofar as manual filing systems, i.e., filing systems managed without automatic processing, exist for the purposes of matters in which the Federal Government has the power to pass laws, these files are deemed to be data processing operations as referred to in the General Data Protection Regulation and in this federal law.

Old law close

In force until and after May 25, 2018:


(Constitutional Provision)

Legislative Power and Enforcement

§ 2 DSG 2000

(1) The Federation ["Bund"] shall have power to pass laws concerning the protection of personal data that are automatically processed.

(2) The Federation shall have power to execute such federal laws. Insofar as such data are used by a province ["Bundesland"], on behalf of a province, by or on behalf of legal persons established by law within the powers of the provinces these federal laws shall be executed by the provinces unless the execution has been entrusted by federal law to the Data Protection Authority, the Data Protection Council or the courts.

All of the following in force until May 25, 2018:


Manual Filing Systems

§ 58 DSG 2000

Insofar as manual filing systems, i.e., filing systems managed without automatic processing, exist for such purposes and fields where the Federation has the power to pass laws, they are deemed to be data applications [according to § 4 sub-para. 7. § 17 shall apply insofar as the obligation to notification applies only to those filing systems whose content is subject to prior checking according to § 18 para. 2.


Private Purposes

§ 45 DSG 2000

(1) Natural persons shall be permitted to process data for purely personal or family matters that have been disclosed to them by the data subject himself or that they have received in a lawful manner, in particular in accordance with § 7 para. 2.

(2) Data that are processed by a natural person for purely personal or family matters shall be transmitted for another purpose only with the consent of the data subject, unless expressly provided for otherwise by law.


Duty of the Controller to Notify

§ 17 DSG 2000

[...]

(3) Furthermore, data applications for the purpose of

1. protecting the constitutional institutions of the Republic of Austria or

2. safeguarding the operational readiness of the federal army or

3. safeguarding the interests of comprehensive national defence or

4. protecting important foreign policy, economic or financial interests of the Republic of Austria or the European Union

5. preventing and prosecuting of crimes

shall be exempt from the duty to notify, insofar as this is necessary to achieve the purpose of the data application.

close