GDPR: Article 2 - Material Scope

by avinash v

Overview

The General Data Protection Regulation (GDPR) is a new EU data protection law that took effect on May 25, 2018. The GDPR replaces the 1995 EU Data Protection Directive. It strengthens EU data protection rules by giving individuals more control over their data and creating new rights for them.

GDPR Recitals

The GDPR applies to all companies that process the personal data of EU citizens, regardless of where the company is located. If a company processes the personal data of EU citizens, it must comply with the GDPR unless it can demonstrate that it meets certain conditions.

The GDPR requires companies to get explicit consent from individuals before collecting, using or sharing their data. Businesses must also provide individuals with clear and concise information about their GDPR rights.

Companies that violate the GDPR face significant fines, including up to 4% of a company's global annual revenue or €20 million (whichever is greater).

  • Under the GDPR, all data controllers must appoint a Data Protection Officer (DPO). A DPO is a person who is responsible for monitoring compliance with the GDPR and other data protection laws. The DPO is also responsible for educating data controllers and processors about their obligations under the GDPR.
  • Under the GDPR, data controllers must protect the personal data they collect from intrusion, loss, or unauthorised access. Data controllers must also ensure that their data is accurate and up to date.
  • Data controllers must provide data subjects access to their data and allow them to exercise their rights under the GDPR.

In addition, organisations must protect personal data from accidental or unauthorised destruction, loss, alteration, or unauthorised access. They must also ensure that data is quality controlled to protect against inaccurate or incomplete data.

The GDPR applies to all organisations with EU or national customers, regardless of size or sector. It also applies to organisations that process data on behalf of other organisations.

Pertinent Recitals

GDPR Implementation Toolkit

Recital - 14

Not Applicable To Legal Persons

The regulation applies to any company that processes or intends to process the personal data of individuals in the EU. This includes companies based outside the EU but offering goods or services to, or monitoring the behaviour of, individuals in the EU.

The regulation does not apply to legal persons like companies or other organisations. This means that the GDPR does not apply to companies that process the data of other companies or other organisations.

However, the GDPR applies to companies that process the data of individuals acting as employees of a company or other organisation. This means that the GDPR applies to companies that process the data of employees of other companies or organisations.

Recital - 15

Technology Neutrality

Technology neutrality ensures that the GDPR does not give any particular technology an advantage. This principle is crucial because it ensures that the GDPR can be applied flexibly to all technologies, now and in the future.

The technology neutrality principle is enshrined in Article 4 of the GDPR, which states that the regulation must be “applied to any processing of personal data, irrespective of the technologies used”.

In other words, the GDPR must be applied in a technology-neutral way and does not give any advantage to one technology over another.

Recital - 16

Not Applicable To Activities Regarding National and Common Security

Under the GDPR, organisations must protect user data from accidental or unauthorised access, destruction, alteration, or unauthorised use.

They must also ensure that data is quality controlled to protect against unauthorised access, alteration, or destruction. In addition, they must ensure that individuals have the right to information about their data protection rights and access to it.

The GDPR does not apply to national and common security activities, which are exempt from the regulation.

Recital - 17

Not Applicable To Activities Regarding National and Common Security

Regulation (EC) No 45/2001 has been adapted to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1–88).

Recital - 18

Not Applicable To Personal or Household Activities

Under the GDPR, all data controllers must appoint a Data Protection Officer (DPO). A DPO is a person who is responsible for ensuring that the data controller complies with the GDPR. The DPO must be a contact point for the supervisory authority and data subjects.

The GDPR does not apply to data processing activities that are carried out for personal or household activities. This exemption is narrow and only applies to activities that are carried out by natural persons in their private or household capacity.

Recital - 19

Not Applicable To Criminal Prosecution

The European Union's regulation on data protection, the General Data Protection Regulation (GDPR), does not apply to the prosecution of criminal offences.

This is because the regulation is based on protecting individuals' rights and freedoms with regard to the processing of their personal data. The regulation does not deal with criminal law, which is reserved to the Member States.

However, the regulation does apply to the processing of personal data by law enforcement authorities for the prevention, investigation, detection or prosecution of criminal offences.

This is because the law enforcement authorities are processing the data for a different purpose than the criminal justice system.

Recital - 20

Respecting The Independence Of The Judiciary

The principle of judicial independence means that judges must be independent in performing their duties and impartial and objective in their decision-making. They must not be subject to undue influence, pressure, or interference from any quarter.

The principle of judicial independence is essential for the proper functioning of the EU’s justice system and ensuring that everyone who comes before the courts is treated fairly and objectively.

Recital - 21

Liability Rules Of Intermediary Service Providers Shall Remain Unaffected

Under the GDPR, intermediary service providers shall remain liable for any data processing activities carried out on their behalf unless they prove they are not responsible for the data processing activities in question. This aligns with the existing liability rules under the EU Data Protection Directive.

Intermediary service providers include, but are not limited to, online marketplaces, social networking platforms, and cloud computing service providers. These service providers play a vital role in the digital economy and are integral to the functioning of the internet.
