Lecture 2: Scope of application

Question 1

The GDPR is Directly Effective. What does this mean?

Answer 1

GDPR is directly effective (Because it’s a regulation rather than a directive). Therefore there is no need for transposition/translation into local national law.

Question 2

Does the GDPR allow member countries to adopt supplementary laws?

Answer 2

Yes, in certain defined areas. (E.g employment)

Question 3

Does National Law or GDPR take precedent?

Answer 3

The GDPR takes precedent over any conflicting national legislation

Question 4

What does the GDPR apply to? (Material Scope)

Answer 4

1) Processing of personal data wholly or partially by automated means
2) Processing of personal data other than by automated means, which form part of, or is intended to form part of a filing system

Question 5

What is a data subject?

Answer 5

An identified or identifiable natural person

Question 6

What does “Personal Data” entail?

Answer 6

Personal data is any information relating to an identified or identifiable natural person

Question 7

Give three examples of “Personal Data”

Answer 7

1) Name
2) Email
3) ID Number
4) Telephone number
5) Appearance
6) Address

Question 8

What are the exceptions from material scope? (I.E What does the GDPR NOT apply to?)

Answer 8

1. Activities with scope outside of EU Law
2. Member state activities falling within Chapter 2 of Title V of the TEU
3. Activities by a natural person, purely personal, or household activity
4. Activities by competent authorities for crime prevention, investigation etc.

Question 9

What is the Territorial Scope of GDPR?

Answer 9

If a controller/processor is in the Union, the GDPR is effective, regardless whether the processing takes place in the Union or not. (Controller/Processor in EU)

It also takes place if the Data Subject is in the union, even if the controller/processor is not in the union, if the activities are related to:
1) Offering of goods or services (even if payment is not required)
2) The monitoring of their behaviour
(Data Subject in EU)

Finally GDPR applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law. (EU law applies by public international law)

Question 10

What is the GDPR Life Cycle?

Answer 10

1. Generation
2. Use
3. Transfer
4. Transformation
5. Storage
6. Archival
7. Destruction

Question 11

What is a DPA, where are they located, and what is their function?

Answer 11

A DPA is a Data Protection Agency and there is one in every member state.
They act as independent public authorities. Their primary function is to supervise the application of data protection law.

Question 12

Who is the EDPB? What is their function?

Answer 12

the European Data Protection Board(EDPB), is an independent European body which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities

The EDPB is composed of representatives of the national data protection authorities and the European Data Protection Supervisor (EDPS)

Question 13

What could a sample “Responsibility Checklist” look like?

Answer 13

1) Know for which purposes you are processing personal data
2) Know which personal data is needed to fulfil the purposes and legality of processing
3) Know your processing landscape, physically and digitally
4) Adapt your processing accordingly
5) Document the above in your record of processing, cf. Art. 30
6) Be transparent and inform the data subjects.