Further Reading: Scope of GDPR

It relates to:

  • Processing of personal data of a living, natural person present within the EU/EEA, by those present in the EU/EEA.
  • The identified living natural person/individual concerned is often referred to as a Data Subject (section 3(3) of the Data
  • Protection Act 2018 (DPA 2018))
  • Processing of personal data of individuals present in the EU, by those not in the EU, provided those processing activities
  • relate to the offering of goods or services, or the monitoring of the behaviour of individuals within the EU/EEA
  • Processing for purely personal or a household activity does not fall within GDPR

It applies to:

  • All filing systems, or intended filing systems, both electronic and manual
  • All types of processing of personal data, and includes processing by wholly or partly by automated means.
  • It does not apply to processing of personal data by competent authorities for the purposes the prevention, investigation, detection or prosecution of criminal offences and threats to public security. This is dealt with in the Law Enforcement Directive as transposed into Part 3 of the Data Protection Act 2018.

It protects:

  • Fundamental rights and freedoms of individuals as they relate to data privacy
  • Free movement of personal data throughout the EU/EEA
  • Transfers of personal data out of the EU/EEA

It promotes a harmonised approach to Data Protection across the EU/EEA and provides for a ‘one-stop-shop’ approach in that, generally speaking, Data Controllers involved in cross-border personal data processing will only have to deal with one designated supervisory authority