When you have to apply GDPR?

If data coming to your company are personal data, and what you do with them is processing, be aware that the President of the Personal Data Protection Office may get interested in you. In most of such cases the famous GDPR[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) will be applicable. In most, but not all. Therefore it is worthy to analyze the scope of application of this regulation.

Art. 2 sec. 1 and 2 of GDPR is key in the above aspect:

  1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
  2. This Regulation does not apply to the processing of personal data:
    1. in the course of an activity which falls outside the scope of Union law;
    2. by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
    3. by a natural person in the course of a purely personal or household activity;
    4. by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

The above provisions first tell when GDPR applies (rule) and then describe four situations when GDPR doesn’t apply (exceptions).

When does GDPR apply?

GDPR shall be applied in all cases of automated personal data processing. Although in GDPR there is no definition of automated processing, it is not hard to identify situations of such kind of processing – any operations on personal data without participation of human (even partly). Every entrepreneur should assume that if personal data are introduced into it system (e.g. are given by users on the website or collected on paper and subsequently introduced into the computer) it constitutes automated processing to which GDPR applies in full.

However it is not all. Not always personal data processing in not automated way is excluded from the scope of GDPR. It is also important whether processed personal data are part of a filing system or will be included into the filing system in the future.

Contrary to “automated processing” GDPR contains definition of “filing system”. Pursuant to art. 4 p. 6 of GDPR, a “filing system” means “any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis”. In order to assess whether you have to do with a filing system, three elements or the above definition are of the key value:

  1. set of personal data;
  2. structurization;
  3. accessibility according to determined criteria.

In order to have a filing system all three perquisites have to met.

The term “set of personal data” suggests that more than one information should be in in the filing system. However, it cannot be confused with number of persons which data concern. Even if the controller possesses data concerning only one person, but such data contain more than one information, they constitute set of personal data.

It seems that “structurization” and “accessibility” should be understood sorting and filtering personal data contained in the filing system (e.g. by first letter of surname). Although, theoretically it is possible to differentiate structurization and accessibility according to specific criteria of personal data themselves and carriers on which personal data has been saved (e.g. forms filled in by customers sorted by the date of filling in), however I do not advise doing so. For safety it is better to assume that in every case you deal with a filing system of personal data structured and accessible according to specific criteria – and therefore with the set of personal data to which the provisions of GDPR shall be applied.

It seems that use of personal data within some longer texts – e.g. book, press article or even contract, should not be considered to be a filing system. Such approach was confirmed by the General Inspector of Personal Data Protection, before GDPR came into force, stating on his website, that “press publications and books, containing personal data in not structured form do not constitute personal data processing in filing system and therefore they are not subject to the Act on Personal Data Protection” (https://archiwum.giodo.gov.pl/320/id_art/978/j/pl). Previous version of the Act on Personal Data Protection, with respect to the scope of application, had very similar construction and that guidelines may be considered to relevant in the current state of law. Nevertheless, you should approach this issue very carefully – it is enough that the text containing personal data is saved on computer or sent via e-mail and GDPR applies on the basis of the other premise – processing by automated means.

Even if data are not included into the filing system, not necessarily it excludes GDPR application. The part of art. 2 sec. 1 of GDPR stipulating about processing of data intended to form part of a filing system, is very important. If, due to some reasons, collected data are not included into the filing system but they were meant to be included into it, GDPR shall apply in such situation. It was confirmed by the Supreme Court in the decision of 11/12/2000 (files no. KKN 438/00) issued in pre-GDPR times (but – as I mentioned above – in this scope similarities between GDPR and the Act on Personal Data Protection that time in force, are very high). In that decision the Supreme Court ruled that “personal data are protected according to the act on personal data protection since it is possible to include them into a filing system, regardless whether finally they were included into it” and also that “a person whose personal data are collected and therefore processed, cannot be deprived of the protection foreseen in the Act on Personal Data Protection, only because the data were not included into the filing system”. The case was about criminal liability of the personal data controller of persons taking part in the lottery. The defendant defended himself claiming that the way of storing personal data did not allow to considered them to be processed in filing system. The court applied wide interpretation of what should be understood as part of a filing system and did not agree with the defendant’s argument. Constantly I recommend to all controllers similar, careful, attitude – in case of personal data it is always better to do too much than too few.

And when not?

In art. 2 sec. 2 of GDPR there are indicated 4 situations in which GDPR does not apply even if personal data are processed by automated means or within filing system. Not all is in that scope completely clear (e.g. frames of activity not covered by the scope of European Union’s law), but there is no sense to concentrate on it. These are specific cases mostly concerning public authorities. Entrepreneurs operating on the territory of Poland (or of the European Union), almost for sure are not entitled to benefit from these exceptions.

Short explanation requires only p. c concerning processing of personal data by a natural person within activities of strictly personal character. In order to benefit from that exemption, two condition must be met. Firstly, personal data must be processed by natural person. That exception does not concern legal persons and other entities. Secondly, personal data must be processed only for personal purposes. What should be meant under that terms? It is not possible to give one universal definition – each case should be assessed individually. Starting point of such evaluation should be always determination whether processing is in any way connected with any financial profits (in particular with professional activity). If yes, the premise of personal purpose is not be fulfilled. Data of friends and family in phone can be given as an example of processing within activities of personal character.

Two very important questions

From the above analysis it follows that every entrepreneur should ask himself two very important questions:

  1. Whether personal data in his company are processed by automated means?
  2. Whether personal data processed in his company constitute or may constitute a part of a filing system.

Positive answer to any of the above questions makes an entrepreneur the data controlled in the meaning of GDPR and obliged to follow all the rules determined therein.

In most of the cases GDPR applies. It is hard to imagine situation in which an entrepreneur does not need to apply GDPR to his actions in connection with personal data. However, I think that such situations are possible – at least in theory. As an example I can give finding a telephone number to a representative of some company in the internet and calling that person from a land phone. If it is done by human and not by some script, it surely does not constitute automated processing. I did not write that the call is made by land phone, without any reason. In cell phones (and sometimes in land phones as well) there is list of last calls and numbers included in it may be considered to be a filing system.

Przypisy

Przypisy
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Tomasz Korolko

Partner

Related Posts

1 May 2023

Entrusting processing of personal data

Quite often it happens that an entrepreneur performing operations on personal data does not become their controller. Despite the fact that it processes data, someone else is their controller.

Read More
31 March 2023

Data protection officer

GDPR provides for the function of a data protection officer, who should be appointed by the controller in certain situations. I explain when it is mandatory and who and how to appoint to this position, as well as what are his tasks.

Read More
Back To Top