Since compliance with the requirements of the GDPR demands a time- and cost-intensive review of a company's existing data protection practices, every entrepreneur should first ask whether they fall within the scope of application of the GDPR at all.
We have compiled a short checklist for this purpose:
The starting point is Art. 2 GDPR:
“This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”
In plain language, the GDPR is meant to cover any processing of personal data. Its (material) scope of application is interpreted very broadly in order to guarantee a high level of protection.
But when is data processing performed?
“Processing” includes the collection, organization, arrangement, storage, deletion or destruction of data. Because the term is deliberately broad, this list is not exhaustive; processing therefore also covers the short-term use of small amounts of data. Starting from this legal definition, manual data processing must also be assessed under the GDPR. Note, however, that manual data processing is only subject to the GDPR if two conditions are met:
1. the data concerned must be stored in a filing system, or be intended to be stored in one (Art. 2 para. 1 GDPR), and
2. the data must be arranged according to predetermined criteria.
As an example, take a law firm that still keeps its client files entirely on paper and stores them in drawers, sorted, say, by the client's last name. If the client files are sorted alphabetically, they are held in a filing system according to defined criteria and thus fall within the material scope of the GDPR.
From a purely practical point of view, it is of course highly questionable whether such a violation would be penalised at all, or how it could even be detected.
Personal data
As already explained, any systematic handling of data falls under the term “processing”. However, the data collected must also relate to a person. This is the case when it relates to an identified or identifiable natural person (Art. 4 point 1 GDPR). In other words, data falls within the scope of the regulation as soon as a person can be identified on the basis of the characteristics it contains. In short, data is personal as soon as it can be linked, through one or more characteristics, to the physical, physiological, psychological, genetic, economic, cultural or social identity of a natural person.
An example of direct identification is the identity card, and an example of indirect identification is the IP address.
OK, so I hold such data, or could collect it. How do I deal with this?
The keyword here is anonymization: anonymized data is information that no longer permits any reference to an identified or identifiable person. One way to achieve anonymization is to reduce the accuracy of the data, making it inaccurate or unreliable enough that it can no longer be assigned to a specific person. Another is generalization, in which the person's characteristics are replaced by a coarser reference value so that they can no longer be directly or indirectly assigned to that particular person.
So what should I do to stay outside the scope of the GDPR where possible?
Since the legislator has not yet specified the standard it expects for successful anonymization, combining the two techniques is advisable in order to improve data security.
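The following Python script is an added illustration of the two techniques described above and is not part of the original article. It works on constructed, fictional visitor records (the IP addresses come from the RFC 5737 documentation ranges): generalization replaces an IP address with its network prefix, a postcode with its leading digits and a birthdate with an age band; accuracy reduction coarsens a timestamp to the hour and rounds a basket value. Because neither technique by itself guarantees that a record can no longer be singled out, the script adds a check that is not in the article: it counts how many records share each combination of the remaining quasi-identifiers and suppresses those still shared by fewer than k records. The field names, reference date and the parameters k=2, /24 and 10-year bands are assumptions chosen for the example.

```python
"""Anonymization by accuracy reduction and generalization, with a check for
records that are still singled out. Added example with constructed data."""
from collections import Counter
from datetime import date, datetime
import ipaddress

# Constructed sample records (fictional people, documentation IP ranges);
# roughly the fields an online shop might log about a visitor.
RAW_RECORDS = [
    {"ip": "203.0.113.17", "postcode": "10115", "birthdate": "1984-03-09",
     "visited": "2023-05-02T14:23:51", "basket_eur": 143.27},
    {"ip": "203.0.113.44", "postcode": "10117", "birthdate": "1987-11-21",
     "visited": "2023-05-02T14:58:03", "basket_eur": 98.10},
    {"ip": "203.0.113.200", "postcode": "10119", "birthdate": "1981-07-30",
     "visited": "2023-05-02T14:05:12", "basket_eur": 210.00},
    {"ip": "198.51.100.9", "postcode": "80331", "birthdate": "1955-01-02",
     "visited": "2023-05-02T09:40:00", "basket_eur": 12.99},
]
TODAY = date(2023, 5, 2)  # fixed reference date so age bands are reproducible

# Fields that, in combination, could indirectly identify a person.
QUASI_IDENTIFIERS = ("ip", "postcode", "age_band")


# --- generalization: replace a precise value with the coarser class it belongs to
def generalize_ip(ip: str, prefix_len: int) -> str:
    """Keep only the network prefix, e.g. 203.0.113.17 -> 203.0.113.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def generalize_postcode(postcode: str, keep: int = 2) -> str:
    """Keep the leading digits and mask the rest: 10115 -> 10***."""
    return postcode[:keep] + "*" * (len(postcode) - keep)


def age_band(birthdate: str, today: date, width: int) -> str:
    """Exact birthdate -> age band of `width` years, e.g. 30-39."""
    born = date.fromisoformat(birthdate)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


# --- accuracy reduction: keep the value but make it too coarse to be distinctive
def coarsen_timestamp(ts: str) -> str:
    """Drop minutes and seconds: only the hour of the visit remains."""
    return datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H:00")


def round_amount(amount: float, step: float = 50.0) -> float:
    """Round a basket value to the nearest `step` euros."""
    return round(amount / step) * step


def anonymize(record: dict, today: date, ip_prefix: int = 24, band_width: int = 10) -> dict:
    """Apply both techniques to one record; the precise raw fields are dropped."""
    return {
        "ip": generalize_ip(record["ip"], ip_prefix),
        "postcode": generalize_postcode(record["postcode"]),
        "age_band": age_band(record["birthdate"], today, band_width),
        "visited": coarsen_timestamp(record["visited"]),
        "basket_eur": round_amount(record["basket_eur"]),
    }


def singled_out(records: list, k: int = 2) -> dict:
    """Quasi-identifier combinations shared by fewer than k records.

    Such records are still effectively unique in the data set, so the
    generalization has not yet removed the possibility of indirect assignment.
    """
    counts = Counter(tuple(r[qi] for qi in QUASI_IDENTIFIERS) for r in records)
    return {combo: n for combo, n in counts.items() if n < k}


def k_anonymize(records: list, today: date, k: int = 2,
                ip_prefix: int = 24, band_width: int = 10) -> tuple:
    """Generalize every record, then suppress those still singled out.

    Returns (kept_records, number_suppressed).
    """
    anon = [anonymize(r, today, ip_prefix, band_width) for r in records]
    rare = singled_out(anon, k)
    kept = [r for r in anon
            if tuple(r[qi] for qi in QUASI_IDENTIFIERS) not in rare]
    return kept, len(anon) - len(kept)


if __name__ == "__main__":
    for prefix, width in ((24, 10), (16, 30)):
        kept, dropped = k_anonymize(RAW_RECORDS, TODAY, k=2, ip_prefix=prefix, band_width=width)
        print(f"/{prefix} networks, {width}-year bands: kept {len(kept)}, suppressed {dropped}")
        for r in kept:
            print("  ", r)
```

Run on the four constructed records, /24 networks and 10-year age bands leave two visitors unique in their quasi-identifier combination, so they have to be suppressed; widening to /16 and 30-year bands merges the three Berlin visitors, but the single visitor from another city remains unique however coarse the bands get and can only be suppressed. The lesson for practice is that truncating IP addresses or postcodes is not a guarantee on its own: how coarse the generalization must be depends on the rest of the data set, and records that cannot be merged with others have to be removed.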
If, despite all these techniques, your processing still falls within the scope of the GDPR, we as lawyers will help you comply with the General Data Protection Regulation in a legally secure manner.