When Does the GDPR Not Apply? - TermsFeed (2024)

In short, the EU's General Data Protection Regulation (GDPR) doesn't apply if your business doesn't operate within the EU, doesn't process personal data, or if you're only processing data for domestic purposes.

In this article, we're going to look at the circumstances in which you might not need to obey this particular law.



  • 1. The GDPR Doesn't Apply if Your Business Doesn't Operate in the EU
  • 1.1. Offering Goods and Services in the EU
  • 1.2. Monitoring Behavior of Individuals in the EU
  • 2. The GDPR Doesn't Apply if You're Not Processing Personal Data
  • 2.1. What is Personal Data?
  • 2.2. Anonymous Data
  • 3. The GDPR Doesn't Apply if You're Processing Unstructured Paper Records
  • 3.1. Processing by Automated Means
  • 3.2. Manual Processing
  • 4. GDPR Doesn't Apply if You're Processing Personal Data for Domestic Purposes
  • 5. Other Exemptions When the GDPR Does Not Apply
  • 6. What You Need to Do if the GDPR Applies to You
  • 7. Summary

The GDPR Doesn't Apply if Your Business Doesn't Operate in the EU

The GDPR applies to all companies in the EU. It also applies to companies who have no office or employees in the EU. But it doesn't apply to companies who don't have any connection to the EU, either in operation or clientele.

Article 3 of the GDPR states that the GDPR applies to any company, anywhere in the world, that:

  • Offers goods and services in the EU (whether paid or for free), or
  • Monitors the behavior of people in the EU

Let's see whether either of these conditions applies to your company.

Offering Goods and Services in the EU

If you don't offer goods or services in the EU, the GDPR likely doesn't apply to you.

It's relatively simple to determine whether your company offers goods and services in the EU.

Some companies feel the need to block EU users from their website. They're worried they'll be accused of "offering goods and services in the EU." This shouldn't normally be necessary. A company's website may be accessible in the EU. However, this is not enough in itself.

Recital 23 of the GDPR lists some relevant factors used to determine whether a company is "offering goods and services" in the EU:

  • Using a language spoken in an EU country
  • Offering payments in a currency used in an EU country
  • Mentioning EU customers or users

Intention is important. For example, let's take that first point.

Many European languages are, obviously, spoken outside of the EU. Taken in isolation, using English or Spanish on your website is not in itself a sign of a company's target market. Using Finnish or Maltese might be a different matter.

It should be easy for you to determine whether your company offers goods and services to EU customers. Some common indications are:

  • You ship products to the EU
  • Your app takes payments from EU customers
  • EU users can register an account

Monitoring Behavior of Individuals in the EU

If you don't monitor behavior of individuals in the EU, the GDPR likely won't apply to you.

When the GDPR speaks of "monitoring people's behavior," this includes using cookies. Targeted advertising involves tracking a person's activities online, and building up a profile of their preferences. This is also known as "profiling."

It's also fairly simple to determine whether you're "monitoring the behavior" of people in the EU. However, it's possible to do this by accident.

It's easy to get caught out if your company uses tracking cookies on its website. For example, if you run Facebook retargeting ads, or your app runs Google AdMob, this qualifies as monitoring people's behavior.

If EU users are likely to be caught up in your ad campaigns, the GDPR applies to you. Your intention is not relevant in this case.

The GDPR Doesn't Apply if You're Not Processing Personal Data


If you don't process personal data at all, the GDPR will not apply to you.

The GDPR defines personal data broadly. But it's important to remember that not all data is personal data.

What is Personal Data?

Article 4 of the GDPR defines personal data as "any information relating to an identified or identifiable natural person." An "identifiable natural person" means a living individual. Personal data can relate to an individual directly or indirectly (in combination with other data).

Examples of personal data include:

  • First and last name
  • Address
  • Email address
  • ID number
  • Username
  • Online identifier, e.g. cookie ID

This definition extends very far. For example, it even includes IP addresses.

An IP address is the string of numbers that identifies a device as it connects to the internet. Even a dynamic IP address, which changes each time a person logs on, can be personal data under the GDPR.

Think about that for a moment. How can something as obscure as a dynamic IP address be considered personal data?

The answer comes from the legal case of Breyer v Germany. The case involved a website admin who had logged the IP address of visitors to his website. The question was whether this was a set of personal data or just a list of numbers.

The IP addresses alone could not reveal who had visited the site. However, Internet Service Providers (ISPs) have additional data that can link IP addresses to individual people. Although it's unlikely that the two data sets will ever be matched up, it is possible. This is why IP addresses must be treated as personal data.

This gives you an idea of how "indirect identifiers" work. Just because you can't identify an individual via a piece of information, that doesn't mean it's not personal data.

"Processing" covers any activity that you might carry out on personal data, including sending, storing, or erasing it.

You can read more about this in our article What Activities Count as Processing Under the GDPR?

Anonymous Data

Recital 26 of the GDPR states that the GDPR doesn't apply to anonymous data. This includes data that was once personal data but has been permanently stripped of all identifying information.

But you must be careful here. The GDPR does still apply to:

  • Pseudonymous data - Pseudonymization means replacing all the personal data in a set of data with non-personal data. The data can be associated with an individual using additional information, which must be stored separately and securely.
  • Encrypted data - Encryption means scrambling a set of data using cryptographic methods. The data can be unscrambled using a key.

These methods are not anonymization. Pseudonymized and encrypted data must still be treated as personal data. So long as there is a set of additional information or a key that can be used to re-identify the data, the data is not anonymous.

Anonymous data can never be associated with an individual. Anonymization is often used for numerical data but can also be used in other contexts.

Here's an example. As we've discussed, an IP address can be personal data. However, you might want to log the IP addresses of visitors to your website. This can reveal the location where your website is most popular.

Web analytics provider Matomo allows website admins to collect IP addresses anonymously. It offers three levels of anonymization. Depending on the degree of accuracy required, it is best to choose the option that reveals the least about your visitors:

[Screenshot: Matomo IP anonymization settings]
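The technical difference between pseudonymized and masked IP addresses described above, as an added example (not code from TermsFeed or Matomo). The byte-masking levels, the key and the sample addresses are assumptions constructed for illustration, and only IPv4 is handled.

```python
import hashlib
import hmac
import ipaddress
from collections import Counter

# Constructed sample log using documentation-range addresses (RFC 5737).
SAMPLE_IPS = ["203.0.113.7", "203.0.113.200", "198.51.100.23", "203.0.113.7"]

# Hypothetical key: the "additional information" that must be stored
# separately from the pseudonymized data set.
PSEUDONYM_KEY = b"constructed-example-key"


def mask_ipv4(ip: str, masked_bytes: int) -> str:
    """Zero the last `masked_bytes` octets (1 to 3) of an IPv4 address."""
    if masked_bytes not in (1, 2, 3):
        raise ValueError("masked_bytes must be 1, 2 or 3")
    mask = (0xFFFFFFFF << (8 * masked_bytes)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip)) & mask))


def summarize(ips, masked_bytes: int) -> Counter:
    """Visit counts per masked prefix: coarse location survives, hosts do not."""
    return Counter(mask_ipv4(ip, masked_bytes) for ip in ips)


def pseudonymize(ip: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256): one stable token per distinct address."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def reidentify(token: str, candidates, key: bytes = PSEUDONYM_KEY):
    """Whoever holds the key can recompute tokens and recover the address."""
    for ip in candidates:
        if hmac.compare_digest(pseudonymize(ip, key), token):
            return ip
    return None


if __name__ == "__main__":
    for level in (1, 2, 3):
        print(level, dict(summarize(SAMPLE_IPS, level)))
    token = pseudonymize("203.0.113.7")
    print("token:", token, "->", reidentify(token, SAMPLE_IPS))
    print("wrong key ->", reidentify(token, SAMPLE_IPS, key=b"other"))
```

The masked values have lost the discarded octets, so two different hosts in the same range become indistinguishable, while the pseudonymized token still maps one-to-one to an address for anyone holding the key.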

And here's an example of how non-numerical data might be anonymized, from the Information Commissioner's Office (ICO).

This is the original text:

[Image: ICO example, original text]

And here's the same text, anonymized:

[Image: ICO example, anonymized text]

So long as you're sure data cannot be associated with a living individual, the GDPR does not apply to it.

The GDPR Doesn't Apply if You're Processing Unstructured Paper Records


You don't need to comply with the GDPR if you process unstructured paper records.

Recital 15 of the GDPR tells us that the GDPR is "technologically neutral." The GDPR applies if you're using a computer. And in theory, it can even apply if you're writing with crayons on the back of a napkin.

It's a little more complicated than that. According to Article 2 of the GDPR, the GDPR applies when you're processing personal data:

  • By "automated means," or
  • Manually, if the personal data is part of (or is intended to be part of) a "filing system"

Processing by Automated Means

Automated processing is what computers do. So, if you're using a computer (or other electronic device) to process personal data, you must comply with the GDPR.

To be clear, this includes the following situations:

  • Sending an email
  • Writing a document
  • Collecting information via a website

These are all examples of "automated means" of processing under the GDPR.

This rule also applies where you're processing personal data partly by automated means. If a computer has been used to process a set of personal data at any point during its lifespan, you must comply with the GDPR whenever you're processing that set of personal data.

Manual Processing

Processing personal data doesn't require a computer. You can do it the old-fashioned way, by using a paper and pen. This is known as "manual processing."

However, the GDPR does make a distinction here. The GDPR doesn't generally apply to hand-written scraps of paper on someone's desk, even if they contain personal data. The papers must be part of an organized "filing system." Or, they must be intended to be part of such a system.

A "filing system" involves some sort of ordering of the personal data. Examples include:

  • Chronological order, e.g. a sign-in sheet at a corporate lobby
  • Alphabetical order, e.g. a filing cabinet containing employee records
  • Categorical order, e.g. a drawer containing files separated into customer invoices, contact details, contracts, etc.

So, companies can't circumvent the GDPR by using paper records. The rules still apply to paper records.

For example, paper records:

  • Must not contain any unnecessary personal data
  • Must not be kept for any longer than necessary
  • Must be kept securely with limited access

Individuals have some control over paper records containing their personal data. This applies in the same way as with electronic records. If you get a subject access request from a customer, you must provide them with copies of both electronic and paper files containing their personal data.

And if you're sending paper records to a non-EU country by international mail, the rules about international data transfers still apply.

The "manual processing" exception is designed to offer some leniency in certain situations. Jotting down notes during a phone call or meeting might not be subject to all of the GDPR's rigorous rules.

However, the context is always key. If you're in any doubt about whether a piece of personal data might be covered by the GDPR, you should assume it will be. This exception doesn't provide an excuse to ignore that pile of old customer records in your bottom drawer.

GDPR Doesn't Apply if You're Processing Personal Data for Domestic Purposes


Article 2 of the GDPR states that the GDPR doesn't apply to a "purely personal or household activity."

Recital 18 of the GDPR provides some examples of personal and household activities:

  • Personal correspondence
  • Keeping an address book
  • Social networking (as a private individual)

Unlike many data protection laws, the GDPR isn't aimed at any particular sector or type of company. It's not restricted to commercial or public administration contexts. The GDPR can apply in virtually any context, except one.

Again, you'll need to be very careful before deciding that your data processing falls under this exemption. The key word is "purely."

The legal case of Rynes v Office for Personal Data Protection can help us understand how strict the GDPR can be about this. The case involved Mr. Rynes, who had set up security cameras in his garden. The cameras were designed to monitor his property but also filmed part of a public area.

The Czech Data Protection Authority fined Mr. Rynes for filming members of the public without their consent. Mr. Rynes appealed, arguing that he was covered by the personal and household activities exemption.

The court decided that although the filming was for private purposes, it involved people that were not part of Mr. Rynes' private life. Therefore, Mr. Rynes was not covered by the exemption and had to comply with the GDPR.

Other Exemptions When the GDPR Does Not Apply


There are some other situations in which the GDPR does not apply. These exemptions to the GDPR will vary between EU countries. These exemptions don't apply to many private sector companies.

Exemptions are generally specific to particular parts of the GDPR. For example, under an exemption, an organization might not need to disclose certain things via a Privacy Policy. Or it might not need to provide access to personal data.

Here are some examples of where GDPR exemptions can apply:

  • Law enforcement - Police and secret services are exempt from the GDPR in certain contexts
  • Journalism - The GDPR cannot be used to suppress the freedom of the press
  • Education - Universities are not always required to provide access to students' exam papers

What You Need to Do if the GDPR Applies to You

The GDPR imposes a lot of obligations. Here are some of the most basic things you can do to comply:

  • Create a Privacy Policy
  • Get consent for cookies
  • Appoint an EU Representative
  • Learn about the six principles of data processing
  • Get ready to deal with data subject rights requests

You're accountable for your compliance with the GDPR. Now you're aware of the limited exceptions to the law. Start taking steps to comply wherever necessary.

Summary

We've looked at some of the areas in which the GDPR might not apply:

  • If you don't operate in the EU, meaning:

    • Your company doesn't offer goods and services in the EU
    • Your company doesn't monitor the behavior of people in the EU
  • If you're not processing personal data, meaning:

    • The data doesn't relate to a living individual (either directly or indirectly)
    • The data was once personal data but has been anonymized
  • If you're manually processing unstructured personal data, meaning:

    • The data has not been processed by automated means
    • The data doesn't form part of a filing system and isn't intended to
  • If you're covered by an exemption
Article information

Author: Nathanael Baumbach
