GDPR & EUDPR – Applicability

Unless you have left this planet for some years, you should have heard, at least once, about personal data protection and the GDPR. However, how much do you know about the EUDPR (European Union Data Protection Regulation)?

The GDPR and the EUDPR are both regulations on the protection of personal data. While they share the same data protection principles, they differ mainly in their scope of applicability. The GDPR, also known as the General Data Protection Regulation, is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The EUDPR is Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.

GDPR – The Regulation

The General Data Protection Regulation (GDPR) requires more sophisticated protection measures in company systems, more detailed data protection agreements, a more consumer-friendly approach and more transparency about companies’ personal data protection practices.

The GDPR replaced the old EU data protection framework established in 1995 (commonly known as the “Data Protection Directive”). The Data Protection Directive had to be transposed into the domestic law of each EU Member State, which led to inconsistencies between the data protection laws of different Member States. As the GDPR is a European regulation with direct legal effect in all Member States, it does not need to be transposed into national law to be legally binding. This strengthens the coherence and uniform application of data protection rules within the EU.

The GDPR applies in the Member States but also outside the European Union. Unlike the Data Protection Directive, the GDPR applies to companies operating anywhere in the world, not just those domiciled in Europe.

A company may fall within the scope of the GDPR if

  • it is domiciled in the EU, or
  • it is not domiciled in the EU but processes data relating to the supply of goods and services to nationals of EU Member States or to the analysis of their behavior.

Processing personal data

The processing of personal data is a broad concept within the framework of the GDPR. The GDPR regulates how companies may process the personal data of EU Member State nationals. “Personal data” and “processing” are terms frequently used in legislation, and a clear understanding of their meaning in the context of the GDPR is essential to understanding the scope of this Regulation:

  • Personal data is information concerning an identified or identifiable individual. This is a very broad concept, as it includes any information that can be used, alone or in combination with other information, to identify a person. Personal data is not limited to a person’s name or e-mail address. It also includes other information such as financial information and, in some cases, an IP address. In addition, certain categories of personal data are subject to a higher level of protection because of their sensitive nature. These categories are information on an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, medical history, sex life or sexual orientation, and criminal record.
  • The processing of personal data is the main activity that triggers the obligations imposed by the GDPR or the EUDPR. Processing refers to any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, matching or combination, limitation, erasure or destruction. In practice, this means that any process allowing the storage or consultation of personal data is considered processing.

Applicability scope

As stated in Article 2(1) of the GDPR, the General Regulation applies to all processing of personal data, from fully automated processes to manual ones. However, the Regulation does not apply to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Similarly, the GDPR does not apply to the processing of personal data by the Union institutions, bodies, offices and agencies.

As mentioned in the GDPR, in this specific case Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data should apply, but that regulation is no longer in force. With effect from 11 December 2018, it has been repealed by Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.

Can we conclude that the EUDPR applies to the processing of personal data by all Union institutions and bodies? In most cases, yes, but there are some exceptions here too. First, only Article 3 and Chapter IX of the EUDPR apply to the processing of operational personal data by Union bodies, offices and agencies when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three TFEU. This means that the EUDPR does not apply in full when personal data are processed in the framework of judicial cooperation in criminal matters (Chapter 4 of Title V of Part Three TFEU) or in the framework of police cooperation (Chapter 5 of Title V of Part Three TFEU). In these cases, the data processed are referred to as operational personal data.

Second, the EUDPR does not apply to the processing of operational personal data by Europol and the European Public Prosecutor’s Office until Regulation (EU) 2016/794 of the European Parliament and of the Council and Council Regulation (EU) 2017/1939 are adapted in accordance with Article 98 of the EUDPR. These adaptations are needed to assess consistency with Directive (EU) 2016/680 (the Law Enforcement Directive) and Chapter IX of the EUDPR, to identify any divergences that may hamper the exchange of operational personal data between Union bodies, offices or agencies carrying out activities in those fields and competent authorities, and to identify any divergences that may create legal fragmentation of data protection legislation in the Union. Some weeks ago, Regulation (EU) 2022/991 of the European Parliament and of the Council of 8 June 2022 amended Regulation (EU) 2016/794 as regards Europol’s cooperation with private parties, the processing of personal data by Europol in support of criminal investigations, and Europol’s role in research and innovation.

As regards the EPPO, Commission Delegated Regulation (EU) 2020/2153 of 14 October 2020 amended Council Regulation (EU) 2017/1939 as regards the categories of operational personal data and the categories of data subjects whose operational personal data may be processed in the index of case files by the European Public Prosecutor’s Office.

Finally, the EUDPR refers to the GDPR 36 times in its recitals and articles to ensure the same principles of personal data protection and coherence between the two regulations.

In today's fast-paced environment, protecting personal data can be complex, but it is worth the investment to strengthen overall data security.

Kathy B. Thomas

Freelance; Clinical Trial Disclosure & Transparency Consultant: (CT.gov, EudraCT, CTIS, ICMJE); Medical Writer: (Regulatory documents -- Drug safety)

9 months

Thank you for the great effort to summarize so well the convoluted topics on protecting personal data. I would need a plain language summary of this article to be fully in the topic - but I suppose that is not an easy task. I rely on your legal knowledge and cross-references of the various sections of the relevant laws ... ;)


More articles by Michel Martin, CISA, CISM, CGEIT
