Summary Lecture 2 - Material and Personal Scope of the GDPR

Material scope of the GDPR

Article 2 (1) GDPR states that the regulation applies to the processing of personal data. Processing is
anything you can think of that one can do with personal data. Article 4 (2) provides for an extensive,
non-exhaustive list of examples.

The definition of personal data in the GDPR is not that different from the one that we currently use in
the DPD. American scholars commence the European approach to the personal data definition for its
ability to adjust to particular contexts as it is drafted to ensure legal protection and apply this in a
global context in guidance where technology is involved. He is critical of how far the definition of
personal data stretches in Europe This is so because of built in flexibilities of the definition:

I. Any information that is relating to
II. Identifiable

Neither the GDPR nor DPD do provide for guidance on how to apply these flexibilities but for the
interpretation within the context of the GDPR we will use the guidelines that are established already
and we will have to see what the differences and implications will be. Recital 26 of both the GDPR
and DPD do explain on the notion of identifiable.

The article 29 working party’s task is to ensure uniform application of data protection law across
member states. Its opinions are not binding but they have a persuasive authority, it’s a sort of
backdoor. The working party consists mainly of representatives of the national DPAs, meaning that
you can deviate from the party’s interpretations, but they might have consequences on the national
level. The party adopted an opinion where it explained the key element of how the flexibilities of the
notion of personal data should be interpreted. A certain flexibility should be built into the notion to
ensure appropriate safeguards but the scope of data protection must not be overstretched to the
point when obligations start applying, where there is no intention for them to apply. Another
reservation is that the definition should not be too restrictive to ensure effective protection.

Elements of the definition of personal data of the working party’s opinion 136:

I. Information
a. Regardless of the content. So the information doesn’t have to concern private or
family life. Any information can be personal data if all three criteria are met.
b. Regardless of the format or medium. Videos, drawings etc. Human tissue is the
source of data, not data itself.
II. Relating to a natural person (no group). Alternative criteria:
a. Content. Any information about a person.
b. Purpose. Data processed with the purpose to reveal something about a person, asses
something about a person or influence behaviour of a person. It doesn’t necessarily
have to reveal something about a person on its own. Your OV-chip card number
doesn’t say much but it can be processed with the purpose of withdrawing money
from your bank account for charging the card.
c. Result. Processing is not meant to, but results in impact on the person, then it also
relates to a person. If data is processed with the result that someone is discriminated
against, or hired or not.

In the Durant case the definition of personal data was restricted somewhat as the UK court stated
that it concerns information that affects a person’s privacy, whether it be in his personal, family life
or professional capacity.