Privacy and Data Protection based on the GDPR. Leo Besemer


       Filing system

      “filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.

      GDPR Article 4(6)

      Note that a filing system is not necessarily digital. A set of paper folders ordered in some way and containing information about people is also considered a filing system.

So, if the butcher shop had used an information system, even a non-automated one (like an alphabetically ordered set of index cards), then the butcher would need a legitimate purpose to process this information. In Part II we will see that the butcher indeed has a legitimate ground for processing personal data (preparation of an agreement to sell meat products), so even then asking for consent would not have been necessary. In the given case there is no filing system: the butcher simply remembers the name and preferences, and no technology is involved. Consequently, this processing is outside the scope of the GDPR.

       1.3.2.1 Other exceptions

       Crime prevention and prosecution by competent authorities

      Instead of the GDPR, Directive 2016/680 (or rather national law based on this directive) applies to activities in relation to common foreign and security policy and to processing by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties.

       Household activities

      The GDPR also does not apply to the processing of personal data by a natural person “in the course of a purely personal or household activity”. GDPR Recital (18) details this as “activities with no connection to professional or commercial activity, such as personal correspondence and an address book that is kept for that purpose, or social networking and online activities within that context”.

      Example: Keeping an address book or an ordered file with names and addresses in order to send the people in it season’s greetings, invitations to a party or any other correspondence is a purely personal matter and not subject to the requirements of the GDPR. The same goes for texts and photos posted on a social networking website.

      Where a sports club has an automated member administration system, this is not “purely personal”. Therefore, the sports club needs to fulfill the requirements of the GDPR.

      Example: Bodil Lindqvist, a Swedish woman, posted text concerning her volunteer work at a Swedish church on her own website. The pages included information about Ms. Lindqvist and 18 of her fellow church volunteers. This information included some full names, telephone numbers and references to hobbies and jobs held by her colleagues. In relation to one lady, Ms. Lindqvist also revealed that the volunteer had injured her foot and was working part-time on medical grounds.

      Lindqvist did not obtain her co-workers’ permission to post information about them on her website. In fact, she did not even tell them about the postings beforehand. She did, however, remove the web pages as soon as she received a request from her colleague to do so.

The CJEU ruled that the derogation for processing for purely personal or domestic activities “must (...) be interpreted as relating only to activities which are carried out in the course of private or family life of individuals”, which is clearly not the case when posting personal data of identifiable persons on an internet page and thereby sharing it with an infinite number of persons.

It is difficult to predict how the CJEU would rule today on a complaint about a person posting information on friends and colleagues using Facebook, given how easy it is to accidentally share a posting with “all”, which is over a billion people.

       1.3.3.1 Establishment criterion

      This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

GDPR Article 3(1)

      Just one sentence, but there is more to it than appears at first sight:

       “… an establishment in the Union, …”

      The regulation does not provide a definition of “establishment” for the purpose of Article 3. GDPR Recital (22), however, clarifies that an “establishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect”.

      The Court of Justice of the European Union (CJEU) has ruled in the past on exactly the same formulation in Directive 95/46/EC that the notion of establishment extends to any real and effective activity—even a minimal one—exercised through stable arrangements. In an EDPB publication (EDPB 3/2018) it is explained that the threshold for “a stable arrangement” can be quite low when the center of activities concerns the provision of online services. One single employee or agent of the non-EU entity, acting within the Union and with a sufficient degree of stability, may be enough to make it “activities of an establishment of a controller or processor” in the Union.

      Example: A multi-national food company is based in the USA. Its European main office is located in Amsterdam, the Netherlands. The Amsterdam office oversees all operations of the company in Europe, including marketing and advertisement.

      The Amsterdam office can be considered a stable arrangement which exercises real and effective activities in the context of the economic activity carried out by the food company. As such, the Amsterdam office should be considered an establishment in the Union, within the meaning of the GDPR.

“… in the context of the activities of an establishment …”

      Whether in a given situation a processing operation should, in fact, be considered “in the context of the activities of an establishment in the Union” must be determined on a case-by-case basis. Some commercial activity led by a non-EU entity within a Member State may indeed be so far removed from the processing of personal data by this entity that the existence of the commercial activity in the EU would not be sufficient to bring that data processing within the scope of EU data protection law.

       “…in the Union”

      The map in Figure 1.8 only shows
