This chapter includes four articles that deal with the fundamental principles, material, and territorial scope of the General Data Protection Regulation (GDPR). Further, this chapter includes the definitions for terms used throughout the GDPR.
Article 1 - Subject-matter and objectives
Article 1 of the GDPR outlines the core objectives of the regulation. It defines the purpose of the GDPR as follows:
- Focus on protecting individuals: The GDPR establishes rules regarding how personal data of individuals is handled.
- Protection as a fundamental right: The regulation emphasizes that protection of personal data is a fundamental right.
- Free movement of data within the EU: The GDPR ensures that data can move freely within the European Union without restrictions linked to data protection concerns.
There are twelve recitals that provide context and rationale for the objectives laid out in this article. For instance, Recital 3: Directive 95/46/EC Harmonisation, Recital 6: Ensuring High Levels of Data Protection Despite Increased Exchange of Data, and Recital 10: Harmonised Level of Data Protection Despite National Scope add context to the free movement of data within the EU. These recitals elaborate on how the European Parliament and the Council aim to harmonize the protection of the fundamental rights and freedoms of individuals with respect to data processing activities while also ensuring the free flow of personal data between member states.
Implications
While this article contains no specific obligations that organizations can apply directly, it does give an overview of the GDPR's position and role in protecting personal data.
Article 2 - Material scope
Article 2 of the GDPR deals with the regulation's applicability, outlining two major points—what it applies to and what it doesn't apply to. It establishes that the GDPR applies to most processing of the personal data of EU residents, whether carried out by automated or manual means.
- Automated means of data processing refers to the involvement of computers or software, like online databases or customer relationship management (CRM) systems, to process personal data.
- Manual means of data processing refers to the processing of personal data that forms part of a filing system, such as paper records, or of a digital filing system, such as spreadsheets.
This article also outlines some of the exceptions where the GDPR is not applicable. These include:
- Any processing activity that is not related to any business or professional purpose (e.g., for personal or household purposes) falls outside the scope of the GDPR.
- Processing of personal data by authorities for law enforcement purposes is not under the purview of the GDPR.
- Certain specific activities carried out by EU member states also fall outside the GDPR's scope.
Implications
- Understanding the scope: This article illustrates that organizations need to be aware of the GDPR's wide reach. Even if they're not located in the EU, they must comply if they process the personal data of EU residents. For instance, if you're a SaaS CRM provider located outside of the EU, yet hold EU residents' data as part of your customer or prospect information, you're obliged to comply with the GDPR.
- Identifying all types of processing activities: Organizations or data protection officers (DPOs) should identify every situation in which they collect, store, or use the personal data of EU individuals. This includes data held in IT systems (e.g., files and databases) and in manual filing systems (e.g., paper records).
Article 3 - Territorial scope
Article 3 defines where the GDPR applies. Applicability goes beyond organizations physically located within the EU. This article focuses on the processing of personal data rather than on the location where the processing takes place. This means that if an organization, regardless of where it is headquartered, has an establishment (i.e., an office, subsidiary, etc.) in the EU that processes the personal data of EU residents, the GDPR applies.
This article also makes clear that the GDPR applies to both data controllers (who determine the purposes and means of data processing) and data processors (who process data on behalf of controllers). So, even if an organization outsources data processing to an EU-based company, it may still be held accountable under the GDPR.
Further, this article outlines a less common, yet important, scenario: the GDPR also applies to organizations that process personal data in a place where the law of an EU member state applies by virtue of public international law.
Example
Cloud storage with international servers: A company based in the United States uses a cloud storage service provider with servers located in France. This cloud storage service stores personal data of EU citizens, such as customer information or employee records.
Even though the US company itself isn't physically established in the EU, the GDPR still applies, as the processing of this personal data is happening on servers located in France, where EU law applies.
Implications
- Understanding international law: Since the GDPR also applies where member state law applies by virtue of public international law, organizations need a good grasp of international law and how it intersects with EU member state laws to determine whether the GDPR applies in their specific situation. Consulting legal counsel familiar with the GDPR can be helpful here.
- Global compliance needs: Organizations with even a small EU presence processing EU citizens' data need to comply with the GDPR. This can be complex for multinational companies, requiring a comprehensive data mapping exercise to identify all relevant data flows.
- Data transfers and third-party processors: Companies that transfer EU citizens' data to processors located in the EU remain accountable for ensuring those processors comply with the GDPR's data security and onward transfer requirements. This might involve implementing data transfer agreements with strict clauses.
- Data mapping and inventory: Organizations should create a comprehensive data map that identifies where EU citizens' data is stored, processed, and transferred. This includes pinpointing any EU-based establishments handling this data.
- Compliance program development: Developing a data protection compliance program that incorporates GDPR requirements is crucial. This program should address data subject rights, data security measures, and breach notification procedures.
Article 4 - Definitions
Article 4 provides definitions for key terms used throughout the GDPR, offering clarity and consistency in interpretation. It defines terms such as "personal data," "processing," "controller," "processor," "consent," "data breach," and many others, providing precise meanings for these crucial concepts.
These definitions serve as the foundation for understanding and applying the GDPR's provisions in practice. This is essential for ensuring that stakeholders have a common understanding of the terms and concepts used in the regulation, thus facilitating compliance and enforcement efforts.
Organizations should also update their policies, procedures, and documentation to reflect these definitions accurately.
Disclaimer: This guide has been created using information provided by official GDPR documents.