The Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data, as well as protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. Through the Regulation, the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
The Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system, and does not apply to the processing of personal data:
GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. Furthermore, the Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
It is important to note that the Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
As mentioned above, the GDPR applies to two known groups; controllers and processors:
Personal data is defined as as information about a particular living individual. This might mean anyone who has interacted, intentionally or unintentionally, with the business. This may include, but is not limited to, the following:
It does not necessarily need to be private information, as even information which is public knowledge or is about someone’s professional life can be personal data. Furthermore, it doesn’t cover truly anonymous information, but if you could still identify someone from the details, or by combining it with other information, it will still count as personal data.
Personal data only includes paper records if you plan to put them on a computer, other digital devices or file them in an organised way. If you are a public authority, all paper records are technically included, but you will be exempt from most of the usual data protection rules for unfiled papers and notes.