GDPR Fun Fact #2: A loophole?

Does our almighty GDPR ever not apply? It is accepted as an almost unquestionable truth that European personal data processed in businesses’ daily operations is subject to the GDPR. However, this is not entirely the case. Article 2 goes:

1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

Data collection, recording and storage performed manually, i.e. without the use of any automated means, which neither forms part of, nor is intended to form part of, a filing system is out of scope. Does that ever occur in 2024?

It can be debated whether the mere use of text editing software and disk storage on a personal electronic device suffices to meet the criterion of processing “by automated means”. Then there is also the very broad margin of appreciation of what will qualify as “intended to form part of a filing system”. Having the scope of such foundational legislation as the GDPR be contingent upon an intention is quite unfortunate – but let’s leave this problem at that. For today’s topic, let’s instead focus on the definition of “filing system” in Article 4 paragraph 6:

any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis

Interestingly, the sole place in the dispositive provisions of the GDPR where the term “filing system” is used is precisely in the scope definition of Article 2 paragraph 1 quoted above. There is abundant literature and some case law (e.g. CJEU, C-25/17 - Jehovan todistajat) going out of their way to shoehorn pretty much everything into the concept of “filing system” by articulating quite far-fetched notions of what qualifies as – sufficiently – structured data. However, I would still argue that hand-scribbled notes on loose paper or even in a notepad might not rise to the status of a structured data set.

So what? Well, there is a limitation here to the applicability of the GDPR which can very materially restrict, for instance, the reach of a data subject access request, even in cases where the information collected manually and kept unstructured is unquestionably personal data concerning the data subject, potentially even sensitive (e.g. a manager’s observations about their employees’ performance, including references to an employee’s health condition), and is unquestionably used to take decisions that significantly impact them (e.g. decisions ranging from advancement to termination). Were it not so, the UK legislator in Article 2(1A) of the UK GDPR wouldn’t have explicitly extended the scope of access requests addressed to public authorities to also include “manual unstructured (...) personal data”.

In large organizations with formalized HR systems, this is very much a rhetorical debate. However, in medium-sized organizations, as well as – for very different reasons – in relation to certain sensitive roles, persistent reliance on manual, unstructured and unfiled datasets is perfectly conceivable, especially given the perverse incentive created by what might be construed as a loophole in the scope of the GDPR, particularly in the face of rampant weaponisation of access requests in labour disputes.


More articles by Zoltan Precsenyi