The GDPR
The material scope of the Regulations remain unchanged compared to the Directive: applied to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system (Regulation Art. 2).
The definition of "personal data" in Article 4, 1) of the Regulation is not really innovative compared to that of the Directive, but is modernized in its attempt to take into account the identifiability of the physical person in question: “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
The concept of 'personal data processing” is almost identical to that of the Directive, with two "operations” added ("structuring” and "restriction” that replaced the “blocking"). The notion of “filing system” is strictly identical, namely "any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis" (Art. 4, 2).
The list of processing not falling under the Regulation has barely changed in the second paragraph of Article 2.Excluded are the types of processing effected:
- in the course of an activity which falls outside the scope of Community law;
- by a natural person in the course of a purely personal or household activity;
- by the Member States in the context of their activities related to foreign policy and the common policy of the Union, in the meaning of Chapter 2 of title V of the Treaty on the European Union (the only “innovation” compared to the Directive).
Initially, the processing performed by the competent authorities for the purposes of prevention, investigation, detection or prosecution of crime, the enforcement of criminal penalties, including protection against and prevention of threats against public safety did not fall within the scope of the Regulation. However, this exclusion was not maintained in the final version of the Regulation. These types of processing are therefore governed by the Regulation (see the comment on Article 10).
Recital 17 specifies that the processing carried out by the Union institutions, bodies, offices and agencies remain governed by Regulation 45/2001, which will have to be adapted to the principles and rules of the future Regulation.
The Regulation recalls that it does not affect the application of the Directive 2000/31/EC known as “e-commerce”, which aims to ensure the free movement of the information society services between the Member States. The Regulation therefore applies without prejudice to the rules on liability of intermediaries provided for in articles 12 to 15 of Directive 2000/31/EC (see recital 21 and Article 2, paragraph 3 of the Regulation).
The Directive
This Directive was applied to the processing of personal data, wholly or partly automated, and to the non-automated processing of personal data contained or referred to in a file processed by either the public or the private sector.
The concept of automatic processing covered manual records, from the moment where the data are contained or are intended to be contained in a file.
The definitions helping to understand the material scope were therefore logically focused on the concept of "personal data" (Art. 2.a), "personal data processing" (art. 2b) and "personal data filing system” (Art. 2 c).
Article 3, paragraph 2 of the Directive provided two exceptions to its scope: the first exception applied to processing in the course of an activity which falls outside the scope of Community law, such as those related to public security, defence, state security and the activities of the state in areas of criminal law. The second exception provided for in Article 3, paragraph 2, also deals with the processing by a natural person for the exercise of purely personal or household activities, such as correspondence and maintaining of directories of addresses.
Potential issues
Globally, the material scope of the Regulation remains unchanged compared to the Directive, which is rather reassuring and a source of legal certainty.
It should be noted that the unified definitions from the Directive would give rise to many concerns of interpretation, which were often dispersed by the application of the law of the Member States or by the interpretations given by the supervising authorities and Group 29.
The absence of modifications to the basic definitions of the law is rather reassuring and proves that eventually, they retain technological neutrality more than necessary in the light of the (r)evolutions having modified the process of data processing since 1995. We regret, however, that the notion of data processing has not evolved, in particular in its intrinsic connection with its purpose - still absent from the definition.
Austria
Concerning Art 2 para 1 GDPR: Legislative Power and Enforcement
As the GDPR applies to the processing of personal data wholly or partly by automated means it falls under the legislative power of the Austrian Federation ("Bund"), whereas the GDPR concerning the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system falls under the legislative power of each of the nine Austrian provinces ("Bundesländer").
Concerning Art 2 para 2 lit c GDPR:
The use for private purposes in § 45 DSG is on the one hand narrower than the one in Art 2 ara 2 lit c GDPR, on the other hand there seems to be a difference between "household activities" in the GDPR and "family matters" in the DSG. The DSG is narrower as the data have to be been disclosed by the data subject himself or that been received in a lawful manner. Furthermore, pursuant to the DSG data that are processed by a natural person for purely personal or family matters shall be transmitted for another purpose only with the consent of the data subject, unless expressly provided for otherwise by law.
Concerning Art 2 para 2 lit d GDPR:
The DSG does limit the obligation to notify the application to the Austrian Data Protection Authority (Link to Register) in this context.
European Union
CJEU caselaw
C-101/01 (6 November 2003) - Lindqvist
1. The act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes the processing of personal data wholly or partly by automatic means within the meaning of Article 3(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
2. Such processing of personal data is not covered by any of the exceptions in Article 3(2) of Directive 95/46.
3. Reference to the fact that an individual has injured her foot and is on half-time on medical grounds constitutes personal data concerning health within the meaning of Article 8(1) of Directive 95/46.
4. There is no transfer [of data] to a third country within the meaning of Article 25 of Directive 95/46 where an individual in a Member State loads personal data onto an internet page which is stored on an internet site on which the page can be consulted and which is hosted by a natural or legal person who is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country.
5. The provisions of Directive 95/46 do not, in themselves, bring about a restriction which conflicts with the general principles of freedom of expression or other freedoms and rights, which are applicable within the European Union and are enshrined inter alia in Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms signed at Rome on 4 November 1950. It is for the national authorities and courts responsible for applying the national legislation implementing Directive 95/46 to ensure a fair balance between the rights and interests in question, including the fundamental rights protected by the Community legal order.
6. Measures taken by the Member States to ensure the protection of personal data must be consistent both with the provisions of Directive 95/46 and with its objective of maintaining a balance between freedom of movement of personal data and the protection of private life. However, nothing prevents a Member State from extending the scope of the national legislation implementing the provisions of Directive 95/46 to areas not included in the scope thereof provided that no other provision of Community law precludes it.
Opinion of Advocate general
Judgment of the Court
C-73/07 (16 December 2008) - Satakunnan Markkinapörssi and Satamedia
1. Article 3(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is to be interpreted as meaning that an activity in which data on the earned and unearned income and the assets of natural persons are:
– collected from documents in the public domain held by the tax authorities and processed for publication,
– published alphabetically in printed form by income bracket and municipality in the form of comprehensive lists,
– transferred onward on CD-ROM to be used for commercial purposes, and
– processed for the purposes of a text-messaging service whereby mobile telephone users can, by sending a text message containing details of an individual’s name and municipality of residence to a given number, receive in reply information concerning the earned and unearned income and assets of that person,
must be considered as the ‘processing of personal data’ within the meaning of that provision.
2. Article 9 of Directive 95/46 is to be interpreted as meaning that the activities referred to at points (a) to (d) of the first question, relating to data from documents which are in the public domain under national legislation, must be considered as activities involving the processing of personal data carried out ‘solely for journalistic purposes’, within the meaning of that provision, if the sole object of those activities is the disclosure to the public of information, opinions or ideas. Whether that is the case is a matter for the national court to determine.
3. Activities involving the processing of personal data such as those referred to at points (c) and (d) of the first question and relating to personal data files which contain solely, and in unaltered form, material that has already been published in the media, fall within the scope of application of Directive 95/46.
Opinion of Advocate general
Judgment of the Court
C-212/13 (11 December 2014) - Ryneš
The second indent of Article 3(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision.
Opinion of Advocate general
Judgment of the Court
C- 25/17 (10 July 2018) - Jehovan todistajat
Article 3(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in the light of Article 10(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that the collection of personal data by members of a religious community in the course of door-to-door preaching and the subsequent processing of those data does not constitute either the processing of personal data for the purpose of activities referred to in Article 3(2), first indent, of that directive or the processing of personal data carried out by a natural person in the course of a purely personal or household activity, within the meaning of Article 3(2), second indent, thereof.
Opinion of Advocate general
Judgment of the court
C-73/07 (16 December 2008) - Satakunnan Markkinapörssi and Satamedia
1. Article 3(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is to be interpreted as meaning that an activity in which data on the earned and unearned income and the assets of natural persons are:
- collected from documents in the public domain held by the tax authorities and processed for publication;
- published alphabetically in printed form by income bracket and municipality in the form of comprehensive lists;
- transferred onward on CD-ROM to be used for commercial purposes, and;
- processed for the purposes of a text-messaging service whereby mobile telephone users can, by sending a text message containing details of an individual’s name and municipality of residence to a given number, receive in reply information concerning the earned and unearned income and assets of that person;
must be considered as the ‘processing of personal data’ within the meaning of that provision.
2. Article 9 of Directive 95/46 is to be interpreted as meaning that the activities referred to at points (a) to (d) of the first question, relating to data from documents which are in the public domain under national legislation, must be considered as activities involving the processing of personal data carried out ‘solely for journalistic purposes’, within the meaning of that provision, if the sole object of those activities is the disclosure to the public of information, opinions or ideas. Whether that is the case is a matter for the national court to determine.
3. Activities involving the processing of personal data such as those referred to at points (c) and (d) of the first question and relating to personal data files which contain solely, and in unaltered form, material that has already been published in the media, fall within the scope of application of Directive 95/46.
Opinion of Advocate general
Judgment of the Court
C-345/17 (14 February 2019) - Buivids
1. Article 3 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the recording of a video of police officers in a police station, while a statement is being made, and the publication of that video on a video website, on which users can send, watch and share videos, are matters which come within the scope of that directive.
2. Article 9 of Directive 95/46 must be interpreted as meaning that factual circumstances such as those of the case in the main proceedings, that is to say, the video recording of police officers in a police station, while a statement is being made, and the publication of that recorded video on a video website, on which users can send, watch and share videos, may constitute a processing of personal data solely for journalistic purposes, within the meaning of that provision, in so far as it is apparent from that video that the sole object of that recording and publication thereof is the disclosure of information, opinions or ideas to the public, this being a matter which it is for the referring court to determine.
Opinion of Advocate general
Judgment of the Court
C-311/18 (19 December 2020) - Facebook Ireland et Schrems
1. Article 2(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that that regulation applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, irrespective of whether, at the time of that transfer or thereafter, that data is liable to be processed by the authorities of the third country in question for the purposes of public security, defence and State security.
2. Article 46(1) and Article 46(2)(c) of Regulation 2016/679 must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter of Fundamental Rights of the European Union. To that end, the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of that regulation.
3. Article 58(2)(f) and (j) of Regulation 2016/679 must be interpreted as meaning that, unless there is a valid European Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of that regulation and by the Charter of Fundamental Rights, cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.
4. Examination of Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EU of the European Parliament and of the Council, as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights has disclosed nothing to affect the validity of that decision.
5. Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield is invalid.
Opinion of Advocate general
Judgment of the Court
C-817/19 (21 june 2022)
1. Article 2(2)(d) and Article 23 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that that regulation applies to the processing of personal data envisaged by national legislation intended to transpose, into domestic law, the provisions of Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data, those of Directive 2010/65/EU of the European Parliament and of the Council of 20 October 2010 on reporting formalities for ships arriving in and/or departing from ports of the Member States and repealing Directive 2002/6/EC and also those of Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, in respect of, on the one hand, data processing operations carried out by private operators and, on the other hand, data processing operations carried out by public authorities covered, solely or in addition, by Directive 2004/82 or Directive 2010/65. By contrast, the said regulation does not apply to the data processing operations envisaged by such legislation which are covered only by Directive 2016/681 and are carried out by the passenger information unit (PIU) or by the authorities competent for the purposes referred to in Article 1(2) of that directive.
Judgment of the court
Opinion of the advocate general
C-306/21 (20 October 2022) - Koalitsia "Demokratichna Bulgaria - Obedinenie"
French (not available in English)
1) L’article 2, paragraphe 2, sous a), du règlement (UE) 2016/679 du Parlement européen et du Conseil, du 27 avril 2016, relatif à la protection des personnes physiques à l’égard du traitement des données à caractère personnel et à la libre circulation de ces données, et abrogeant la directive 95/46/CE (règlement général sur la protection des données),
doit être interprété en ce sens que :
n’est pas exclu du champ d’application de ce règlement le traitement des données à caractère personnel dans le contexte de l’organisation d’élections dans un État membre.
2) L’article 6, paragraphe 1, sous e), et l’article 58 du règlement 2016/679,
doivent être interprétés en ce sens que :
ces dispositions ne s’opposent pas à ce que les autorités compétentes d’un État membre adoptent un acte administratif d’application générale qui prévoit la limitation ou, le cas échéant, l’interdiction de l’enregistrement vidéo du dépouillement du scrutin dans les bureaux de vote lors d’élections dans cet État membre.
Arrêt rendu (french)
Retour au sommaire
Retour au sommaire