The EU General Data Protection Regulation (GDPR) affects millions of businesses. The GDPR is wide-reaching in many different ways:
- It applies to companies all over the world
- It covers individual people, charities, and businesses of any size
- It's relevant to a huge range of situations
Because the GDPR is so broad, there is some confusion about when it does and doesn't apply. There's a lot of work to do whenever you fall within the GDPR's scope: creating a Privacy Policy, getting consent for cookies, appointing an EU Representative.
We're going to look at the circumstances in which you might not need to obey this particular law.
- 1. If You Don't Operate In the EU
  - 1.1. Offering Goods and Services
  - 1.2. Monitoring Behavior
- 2. If You're Not Processing Personal Data
  - 2.1. What Is Personal Data?
  - 2.2. Anonymous Data
- 3. If You're Processing Unstructured Paper Records
  - 3.1. Processing by Automated Means
  - 3.2. Manual Processing
- 4. If You're Processing Personal Data for Domestic Purposes
- 5. Other Exemptions
- 6. What You Need to Do If the GDPR Applies to You
- 7. Summary
If You Don't Operate In the EU
The GDPR applies to all companies in the EU. It also applies to many companies that have no office or employees in the EU. But it doesn't apply to every company in the world.
Article 3 of the GDPR states that the GDPR applies to any company, anywhere in the world, that:
- Offers goods and services in the EU (whether paid or for free), or
- Monitors the behavior of people in the EU
Let's see whether either of these conditions applies to your company.
Offering Goods and Services
It's relatively simple to determine whether your company offers goods and services in the EU.
Some companies feel the need to block EU users from their website. They're worried they'll be accused of "offering goods and services in the EU." This shouldn't normally be necessary. A company's website may be accessible in the EU. However, this is not enough in itself.
Recital 23 of the GDPR lists some relevant factors used to determine whether a company is "offering goods and services" in the EU:
- Using a language spoken in an EU country
- Offering payments in a currency used in an EU country
- Mentioning EU customers or users
Intention is important. For example, let's take that first point.
Many European languages are, obviously, spoken outside of the EU. Taken in isolation, using English or Spanish on your website is not in itself a sign of a company's target market. Using Finnish or Maltese might be a different matter.
It should be easy for you to determine whether your company offers goods and services to EU customers. Some common indications are:
- You ship products to the EU
- Your app takes payments from EU customers
- EU users can register an account
Monitoring Behavior
It's also fairly simple to determine whether you're "monitoring the behavior" of people in the EU. However, it's possible to do this by accident.
When the GDPR speaks of "monitoring people's behavior," this includes using cookies. Targeted advertising involves tracking a person's activities online, and building up a profile of their preferences. This is also known as "profiling."
It's easy to get caught out if your company uses tracking cookies on its website. For example, if you run Facebook retargeting ads, or your app runs Google AdMob, this qualifies as monitoring people's behavior.
If EU users are likely to be caught up in your ad campaigns, the GDPR applies to you. Your intention is not relevant in this case.
If You're Not Processing Personal Data
The GDPR defines personal data broadly. But it's important to remember that not all data is personal data.
What Is Personal Data?
Article 4 of the GDPR defines personal data as "any information relating to an identified or identifiable natural person." An "identifiable natural person" means a living individual. Personal data can relate to an individual directly or indirectly (in combination with other data).
Examples of personal data include:
- First and last name
- Address
- Email address
- ID number
- Username
- Online identifier, e.g. a cookie ID
This definition extends very far. For example, it even includes IP addresses.
An IP address is the string of numbers that identifies a device as it connects to the internet. Even a dynamic IP address, which changes each time a person logs on, can be personal data under the GDPR.
Think about that for a moment. How can something as obscure as a dynamic IP address be considered personal data?
The answer comes from the legal case of Breyer v Germany. The case involved a website admin who had logged the IP address of visitors to his website. The question was whether this was a set of personal data or just a list of numbers.
The IP addresses alone could not reveal who had visited the site. However, Internet Service Providers (ISPs) have additional data that can link IP addresses to individual people. Although it's unlikely that the two data sets will ever be matched up, it is possible. This is why IP addresses must be treated as personal data.
This gives you an idea of how "indirect identifiers" work. Just because you can't identify an individual via a piece of information, that doesn't mean it's not personal data.
"Processing" covers any activity that you might carry out on personal data, including sending, storing, or erasing it. You can read more about this in our article What Activities Count as Processing Under the GDPR?
Anonymous Data
Recital 26 of the GDPR states that the GDPR doesn't apply to anonymous data. This includes data that was once personal data but has been permanently stripped of all identifying information.
But you must be careful here. The GDPR does still apply to:
- Pseudonymous data - Pseudonymization means replacing all the personal data in a set of data with non-personal data. The data can be associated with an individual using additional information, which must be stored separately and securely.
- Encrypted data - Encryption means scrambling a set of data using cryptographic methods. The data can be unscrambled using a key.
These methods are not anonymization. Pseudonymized and encrypted data must still be treated as personal data. So long as there is a set of additional information or a key that can be used to re-identify the data, the data is not anonymous.
Anonymous data can never be associated with an individual. Anonymization is often used for numerical data but can also be used in other contexts.
Here's an example. As we've discussed, an IP address can be personal data. However, you might want to log the IP addresses of visitors to your website. This can reveal the location where your website is most popular.
Web analytics provider Matomo allows website admins to collect IP addresses anonymously. It offers three levels of anonymization. Depending on the degree of accuracy required, it is best to choose the option that reveals the least about your visitors:
And here's an example of how non-numerical data might be anonymized, from the Information Commissioner's Office (ICO).
This is the original text:
And here's the same text, anonymized:
So long as you're sure data cannot be associated with a living individual, the GDPR does not apply to it.
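To make the distinction between anonymization and pseudonymization concrete, here is an added Python example. It is not code from the original article, nor from Matomo or the ICO. It anonymizes visitor IP addresses at three levels by discarding trailing bits, the way a web-analytics tool might, applies that to a log line before it is stored, and contrasts it with pseudonymization, where a keyed token can still be traced back to the address by whoever holds the separately stored key and lookup table. Modelling the three levels as one, two or three masked IPv4 octets, the IPv6 prefix lengths, and the sample log line are all assumptions constructed for this example.

```python
"""Added example: anonymization versus pseudonymization of visitor IP addresses.

Constructed for illustration; not taken from the article, Matomo or the ICO.
"""
import hashlib
import hmac
import ipaddress
import re
import secrets
from typing import Dict, Optional

# Assumption: the "three levels" are modelled as discarding one, two or three
# trailing bytes of an IPv4 address (the values are the prefix lengths kept).
# The IPv6 prefix lengths are a constructed choice for this example.
_KEEP_BITS = {
    4: {1: 24, 2: 16, 3: 8},
    6: {1: 64, 2: 48, 3: 32},
}


def anonymize_ip(address: str, level: int) -> str:
    """Zero the trailing bits of an IP address so it no longer singles out a device.

    Level 1 keeps the most detail (still useful for coarse geolocation), level 3
    the least. The discarded bits are not stored anywhere, so nothing can
    restore them: that is what makes this anonymization, not pseudonymization.
    """
    ip = ipaddress.ip_address(address)
    try:
        prefix = _KEEP_BITS[ip.version][level]
    except KeyError:
        raise ValueError(f"level must be 1, 2 or 3, got {level!r}") from None
    network = ipaddress.ip_network((str(ip), prefix), strict=False)
    return str(network.network_address)


# Constructed access-log line in the common Apache/nginx format (RFC 5737
# documentation address, not a real visitor).
SAMPLE_LOG_LINE = (
    '198.51.100.77 - - [10/Oct/2023:13:55:36 +0000] "GET /pricing HTTP/1.1" 200 512'
)
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def anonymize_log_line(line: str, level: int = 2) -> str:
    """Rewrite every IPv4 address in a log line before it is stored.

    Anonymizing at collection time means the raw address never lands on disk.
    Tokens that look like an address but are not valid ones are left untouched.
    """

    def _replace(match: "re.Match[str]") -> str:
        try:
            return anonymize_ip(match.group(0), level)
        except ValueError:
            return match.group(0)

    return _IPV4_RE.sub(_replace, line)


class Pseudonymizer:
    """Replace an IP address with a keyed token that can later be re-identified.

    The token on its own reveals nothing, but whoever holds the key and the
    lookup table (the "additional information" the text describes, which must
    be stored separately and securely) can link it back to the address. That
    is why pseudonymized data remains personal data under the GDPR.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # In practice the key and the lookup table live in a separate,
        # access-controlled store; they are kept in memory here only for the demo.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def pseudonymize(self, address: str) -> str:
        """Return a deterministic HMAC-SHA256 token for the address."""
        token = hmac.new(self._key, address.encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[token] = address
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Recover the original address; impossible without the lookup table."""
        return self._lookup.get(token)


if __name__ == "__main__":
    for level in (1, 2, 3):
        print(f"level {level}:", anonymize_ip("198.51.100.77", level))
    print(anonymize_log_line(SAMPLE_LOG_LINE))
    p = Pseudonymizer()
    token = p.pseudonymize("198.51.100.77")
    print("pseudonym:", token, "-> re-identified:", p.reidentify(token))
```

The practical test is the one the text gives: if any key or table anywhere can turn the stored value back into the visitor's address, the data is pseudonymous and still in scope; only the truncated form, whose missing bits exist nowhere, is anonymous.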
If You're Processing Unstructured Paper Records
Recital 15 of the GDPR tells us that the GDPR is "technologically neutral." The GDPR applies if you're using a computer. And in theory, it can even apply if you're writing with crayons on the back of a napkin.
It's a little more complicated than that. According to Article 2 of the GDPR, the GDPR applies when you're processing personal data:
- By "automated means," or
- Manually, if the personal data is part of (or is intended to be part of) a "filing system"
Processing by Automated Means
Automated processing is what computers do. So, if you're using a computer (or other electronic device) to process personal data, you must comply with the GDPR.
To be clear, this includes the following situations:
- Sending an email
- Writing a document
- Collecting information via a website
These are all examples of "automated means" of processing under the GDPR.
This rule also applies where you're processing personal data partly by automated means. If a computer has been used to process a set of personal data at any point during its lifespan, you must comply with the GDPR whenever you're processing that set of personal data.
Manual Processing
Processing personal data doesn't require a computer. You can do it the old-fashioned way, by using a paper and pen. This is known as "manual processing."
However, the GDPR does make a distinction here. The GDPR doesn't generally apply to hand-written scraps of paper on someone's desk, even if they contain personal data. The papers must be part of an organized "filing system." Or, they must be intended to be part of such a system.
A "filing system" involves some sort of ordering of the personal data. Examples include:
- Chronological order, e.g. a sign-in sheet at a corporate lobby
- Alphabetical order, e.g. a filing cabinet containing employee records
- Categorical order, e.g. a drawer containing files separated into customer invoices, contact details, contracts, etc.
So, companies can't circumvent the GDPR by using paper records. The rules still apply to paper records.
For example, paper records:
- Must not contain any unnecessary personal data
- Must not be kept for any longer than necessary
- Must be kept securely with limited access
Individuals have some control over paper records containing their personal data. This applies in the same way as with electronic records. If you get a subject access request from a customer, you must provide them with copies of both electronic and paper files containing their personal data.
And if you're sending paper records to a non-EU country by international mail, the rules about international data transfers still apply.
The "manual processing" exception is designed to offer some leniency in certain situations. Jotting down notes during a phone call or meeting might not be subject to all of the GDPR's rigorous rules.
However, the context is always key. If you're in any doubt about whether a piece of personal data might be covered by the GDPR, you should assume it will be. This exception doesn't provide an excuse to ignore that pile of old customer records in your bottom drawer.
If You're Processing Personal Data for Domestic Purposes
Unlike many data protection laws, the GDPR isn't aimed at any particular sector or type of company. It's not restricted to commercial or public administration contexts. The GDPR can apply in virtually any context, except one.
Article 2 of the GDPR states that the GDPR doesn't apply to a "purely personal or household activity."
Recital 18 of the GDPR provides some examples of personal and household activities:
- Personal correspondence
- Keeping an address book
- Social networking (as a private individual)
Again, you'll need to be very careful before deciding that your data processing falls under this exemption. The key word is "purely."
The legal case of Rynes v Office for Personal Data Protection can help us understand how strict the GDPR can be about this. The case involved Mr. Rynes, who had set up security cameras in his garden. The cameras were designed to monitor his property but also filmed part of a public area.
The Czech Data Protection Authority fined Mr. Rynes for filming members of the public without their consent. Mr. Rynes appealed, arguing that he was covered by the personal and household activities exemption.
The court decided that although the filming was for private purposes, it involved people that were not part of Mr. Rynes' private life. Therefore, Mr. Rynes was not covered by the exemption and had to comply with the GDPR.
Other Exemptions
There are some other situations in which the GDPR does not apply. These exemptions to the GDPR will vary between EU countries. These exemptions don't apply to many private sector companies.
Exemptions are generally specific to particular parts of the GDPR. For example, under an exemption, an organization might not need to disclose certain things via a Privacy Policy. Or it might not need to provide access to personal data.
Here are some examples of where GDPR exemptions can apply:
- Law enforcement - Police and secret services are exempt from the GDPR in certain contexts
- Journalism - The GDPR cannot be used to suppress the freedom of the press
- Education - Universities are not always required to provide access to students' exam papers
What You Need to Do If the GDPR Applies to You
The GDPR has a broader reach than most laws. You may have realized that your company needs to comply with the GDPR. Or you may have discovered that the GDPR applies to you in an unexpected way.
The GDPR imposes a lot of obligations. Here are some of the most basic things you can do to comply:
- Create a Privacy Policy
- Get consent for cookies
- Appoint an EU Representative
- Learn about the six principles of data processing
- Get ready to deal with data subject rights requests
You're accountable for your compliance with the GDPR. Now you're aware of the limited exceptions to the law. Start taking steps to comply wherever necessary.
Summary
We've looked at some of the areas in which the GDPR might not apply:
- If you don't operate in the EU, meaning:
  - Your company doesn't offer goods and services in the EU
  - Your company doesn't monitor the behavior of people in the EU
- If you're not processing personal data, meaning:
  - The data doesn't relate to a living individual (either directly or indirectly)
  - The data was once personal data but has been anonymized
- If you're manually processing unstructured personal data, meaning:
  - The data has not been processed by automated means
  - The data doesn't form part of a filing system and isn't intended to
- If you're covered by an exemption
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.