Overview
These notes summarize the lecture on the territorial scope (Article 3) and material scope (Article 2) of the General Data Protection Regulation (GDPR), then cover the data processing principles (Article 5), the lawful bases for processing (Article 6), and the special categories of personal data (Article 9).
Territorial Scope of GDPR
- Article 3(1): GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing itself takes place inside or outside the EU.
- "Establishment" (Recital 22) means the effective and real exercise of activity through stable arrangements in the EU; the legal form (branch, subsidiary, local office) is not decisive.
- Consequence: a controller or processor with an EU establishment cannot step outside GDPR by moving the processing, the hosting, or the processor to a non-EU location.
- Article 3(2): a controller or processor with no EU establishment is still caught when it processes personal data of data subjects who are in the EU (presence in the EU is the test, not residence or nationality) and the processing relates to (a) offering them goods or services, whether or not payment is required, or (b) monitoring their behaviour as far as that behaviour takes place within the EU.
- Monitoring (Recital 24) covers tracking individuals on the internet, including profiling, whether via cookies, analytics or other technologies, in order to take decisions about them or to analyse or predict their preferences, behaviour or attitudes.
- Mere reachability of a website from the EU is not enough for 3(2)(a); the question is whether the organization envisages offering goods or services to people in the EU (Recital 23 points to factors such as use of an EU language or currency, or mentioning customers or users in the EU).
- Transfers of personal data out of the EU are a separate obligation (Chapter V): they require an adequacy decision for the destination country or appropriate safeguards such as standard contractual clauses (SCCs) or binding corporate rules (BCRs).
Material Scope of GDPR
- Article 2(1): GDPR applies to the processing of personal data wholly or partly by automated means, and to manual processing of personal data that form part of, or are intended to form part of, a filing system (a structured set of data accessible according to specific criteria).
- Article 2(2) excludes: activities outside the scope of Union law (national security falls here); Member State activities under the common foreign and security policy; processing by a natural person in the course of a purely personal or household activity; and processing by competent authorities for the prevention, investigation, detection or prosecution of criminal offences, which is governed instead by the Law Enforcement Directive (Directive (EU) 2016/680).
Data Processing Principles
- Lawfulness, fairness and transparency: every processing operation needs a legal basis, and data subjects must be told in clear language what is done with their data.
- Purpose limitation: data are collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data minimisation: data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed.
- Accuracy: data must be accurate and, where necessary, kept up to date; inaccurate data must be erased or rectified without delay.
- Storage limitation: data are kept in a form that permits identification no longer than necessary for the purposes; in practice this means documented retention periods and deletion or anonymisation when they expire.
- Integrity and confidentiality: appropriate technical and organisational measures protecting against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Accountability (Article 5(2)): the controller is responsible for, and must be able to demonstrate, compliance with the principles above, which is why records of processing activities (Article 30) and documented policies are required.
Lawful Processing Criteria
- Consent (Article 6(1)(a)): a freely given, specific, informed and unambiguous indication of the data subject's wishes, by a statement or a clear affirmative action (Article 4(11)); it must be as easy to withdraw as to give, and withdrawal does not affect the lawfulness of processing that took place before it (Article 7(3)).
- Contract (Article 6(1)(b)): processing necessary to perform a contract with the data subject, or to take steps at the data subject's request before entering into one.
- Legal obligation (6(1)(c)), vital interests (6(1)(d)) and a task in the public interest or exercise of official authority (6(1)(e)) are the next three bases; in each case "necessary" is read narrowly.
- Legitimate interests (Article 6(1)(f)): processing necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject; this calls for a documented balancing test and is not available to public authorities acting in the performance of their tasks.
Special Categories of Processing
- Article 9 lists the special categories: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed to uniquely identify a person, health data, and data concerning sex life or sexual orientation. Processing them is prohibited unless one of the exceptions in Article 9(2) applies (e.g., explicit consent, or necessity for the provision of healthcare), and an Article 6 lawful basis is still needed in addition.
Key Terms & Definitions
- GDPR — General Data Protection Regulation, EU’s main data protection law.
- Controller — Entity determining purposes and means of processing personal data.
- Processor — Entity processing data on behalf of a controller.
- Personal Data — Any information relating to an identified or identifiable person.
- Establishment — Effective and real exercise of activity through stable arrangements in the EU, whatever the legal form (Recital 22).
- Data Minimization — Collecting only data necessary for specified purposes.
- Legitimate Interests — Legal basis for processing that balances controller needs against data subject rights.
Action Items / Next Steps
- Review Article 3 and related GDPR provisions on scope.
- Study the seven data processing principles and six lawful bases for processing.
- Prepare for follow-up discussion on exceptions for special categories of data.