Tuesday, October 24, 2017

GDPR step-by-step - Part 1 - Material Scope, Geographical Scope and Lawfulness of Processing

This is the first post in my new series about the GDPR (General Data Protection Regulation), in which I will highlight relevant aspects of this new regulation, especially for businesses.

The GDPR shall apply from May 2018, so it is very important that businesses are fully prepared for the new rules. This series is an attempt to help business owners be aware of the new rules and the specific challenges that they might present in different information systems. These posts have educational purposes; they do not substitute for a consultation with a lawyer.
I hope that the content can be useful to you. All highlights and comments in yellow are mine. To read the GDPR, click here.

In this Part 1, you will find:

1- The GDPR's material scope;
2- The GDPR's geographical scope;
3- Lawfulness of processing.

[Part 2]


1- To what type of data processing is it applicable? - material scope - article 2:

The GDPR is applicable to "the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system." (article 2)

both automated and non-automated means

It is NOT applicable to "the processing of personal data:

(a) in the course of an activity which falls outside the scope of Union law;
(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
(c) by a natural person in the course of a purely personal or household activity;
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security."

2- To which territories does it apply? - geographical scope - article 3:

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

if the controller is in the European Union - GDPR applies

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: 

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

in both situations the controller is not in the European Union; nevertheless, the GDPR applies

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

3- Lawfulness of processing - article 6:

all data processing, in order to be legal, has to correspond to one of the items below

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject; 

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

Item "a" will be a frequent justification for businesses; therefore, we need to know what consent is according to the GDPR. Article 4(11) explains:

"‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"

the data subject's indication has to be:
- freely given
- specific
- informed
- unambiguous

it has to be delivered by
- a statement or
- a clear affirmative action

That's all for today. Do you have comments about this post? Feel free to post them below.


Luiza Jarovsky
Lawyer and PhD Fellow Researching Data Privacy

