Scope of the GDPR
The GDPR contains three limitations with respect to personal data: applicability to living persons, the ‘household exception’, and the territorial scope. In this final chapter, we will briefly discuss these limitations.
1. Applicability to living persons
The GDPR applies solely to living natural persons; it does not apply to persons who have died or to data about organisations. Therefore, the GDPR does not apply to historical research, archival research, etc. involving deceased persons.
However, the GDPR does apply to historical medical data relating to heredity, for example, since these records may be able to tell us something about unique living individuals. Another example is data from a diary of a deceased person, since this information from the diary may be able to tell us something about living relatives.
2. Household exception
The GDPR has a ‘household exception’: any personal data you store and share in private is not covered by the GDPR (Article 2.2c):
This Regulation does not apply to the processing of personal data: by a natural person in the course of a purely personal or household activity.
So if you accidentally send a list of family members’ email addresses to the wrong person, this is not considered a data breach that requires notification to the Dutch DPA. Other examples of the household exception include images on a security camera at your home, a phone book with address information of family members, a post-it on a home computer with friends’ phone numbers on it, and a list of email addresses of all the football club coaches stored by you on your own computer. These types of personal data are not covered by the GDPR. However, the GDPR does apply if the football club itself stores this list of email addresses within its organisation.
See also the more detailed explanation (in Dutch only) on the website of the Dutch DPA.
3. Territorial scope
The two points mentioned above relate to the material scope as set out in GDPR Article 2: the data subject must be a living person and the processing of personal data must take place outside a purely personal or household context. Besides the material scope, there is also a territorial scope as defined in GDPR Article 3. This Article says that data of EU residents are protected by the GDPR, regardless of the party that carries out the processing. This means that a company from Japan that has European customers must also comply with the GDPR, as explained in GDPR Recital 23:
In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.
Furthermore, this Article states that organisations established in the EU that process personal data must comply with the GDPR, even if the processing operation takes place outside the EU. Finally, this Article states that if an organisation monitors the behaviour of EU residents where this is ‘related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union’ (GDPR Recital 24), these processing operations shall also fall under the GDPR.
This means that protection under the GDPR also extends to an EU resident who uses services like Facebook or Google and is monitored via those services, for example. That is why these organisations, which have their headquarters outside the EU, can also be issued fines. In fact, companies like Google and Facebook have already had to pay hefty fines in several EU countries following rulings by national DPAs.