Privacy Compliance Journey Series: Scope of the Law and Notification Requirements
We wrote about how to set up a privacy programme here and conduct a gap analysis here. It can be challenging for many organisations, especially startups and organisations that don’t have dedicated privacy functions, to comply with various privacy laws. Unless such organisations hire external help, they are on their own. We will, therefore, provide more information on how to assess whether a law applies to an organisation and how to deal with notification requirements.
Scope of the law
Firstly, it should be assessed whether a law applies to an organisation. Usually, this is contained at the beginning of the law in the first few articles. In some instances, this is not easy to determine as the provisions might be unclear, or not easy to spot. However, emerging laws are in most cases aligned with the GDPR and it is usually easy to assess whether a law applies to the organisation or not.
We will use the GDPR as an example. The GDPR has two articles which talk about scope, Articles 2 and 3.
Article 2 talks about the Material Scope of the GDPR (the provisions below are those relevant to commercial organisations):
“1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
2. This Regulation does not apply to the processing of personal data:
a) in the course of an activity which falls outside the scope of Union law;
b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
c) by a natural person in the course of a purely personal or household activity;
d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.”
In today’s world, most organisations process personal data by automated means: personal computers and software, servers and algorithms.
Still, some organisations may process personal data manually, e.g., hard copies of employee records. In most cases, these do form part of a filing system: they are kept in an organised manner and can be retrieved easily.
In both of these cases, such processing would fall within the scope of the GDPR.
If a paper containing personal data is merely viewed by an individual, e.g., by security staff at a building entrance, that would most likely fall outside the scope of the GDPR. However, if security staff record who enters the building (name, staff ID number and time) and those records are stored and kept for some time for security reasons, it is likely that such activity would fall within the scope of the GDPR.
Interestingly, if someone processes personal data in the course of a personal or household activity, e.g., creating a list of birthday party invitees, they most probably would not have to take the GDPR into consideration.
Article 3 talks about the Territorial Scope of the GDPR:
“1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
This essentially means that if an establishment (headquarters, office, branch, etc.) of a controller or processor is in the European Union, it has to comply with the GDPR globally, regardless of where the processing takes place.
Alternatively, if an organisation, be it a controller or processor, is not established in the EU but offers goods or services to individuals in the EU (to anyone located in the EU, not only to residents or citizens of the EU Member States) or monitors their behaviour (e.g., via website cookies and similar technologies, geo-location services, etc.), then it has to comply with the GDPR in respect of the processing of personal data of those individuals.
This might seem complicated, but it is not hard to determine whether privacy laws apply to an organisation: in most cases, if an organisation processes personal data of individuals from a particular country, the chances that that country's law applies to it are quite high.
The same exercise should be done for laws regulating marketing activities, cookies, and sector specific laws. If the law applies to an organization, then any notification requirements should be met.
Mapping out notification requirements is a bit trickier, as it is not always straightforward to find, understand and comply with all of them. Usually, these include:
1. Registering an organisation with data protection authorities
2. Registering Data Protection Officer (DPO), or similar role, with data protection authorities
3. Reporting a data breach and notifying affected individuals of the data breach
4. Notifying data protection authorities of processing activities that carry certain risks
1. These requirements are not that common these days, but some laws do require controllers to register with the Data Protection Authorities. With the enactment of the GDPR, this requirement has generally been made obsolete in the EU, and the same is true in most other countries whose laws are based on the GDPR. However, the United Kingdom’s Information Commissioner’s Office requires a fee payment in certain cases, which is equivalent to a registration requirement, and French law mandates obtaining an authorisation for processing in certain cases.
2. Most privacy laws do contain a requirement to appoint a DPO or a similar role if certain conditions are met. In addition, the details of the individual performing the role usually have to be communicated to the Data Protection Authorities. For instance, Article 37 GDPR requires controllers and processors to appoint a DPO where:
“1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.”
Most organisations do not process special categories of personal data or personal data related to criminal convictions on a large scale and as their core activity. In cases where they do, they must appoint a DPO.
What is more interesting for most organisations is the second requirement in the said Article. The answer is not always straightforward, as it is open to interpretation. There is guidance issued by the WP29 and endorsed by the EDPB available here.
It might be challenging to determine whether an organisation requires a DPO, but as a rule of thumb, if an organisation processes personal data of customers (including through websites or mobile applications, even if only by using cookies), it would most probably have to appoint a DPO, notify the relevant Data Protection Authorities of the identity and contact details of that individual, and publish the contact details in accordance with the law.
3. Data breach reporting requirements and the obligation to notify affected individuals are contained in almost every privacy law and, in some cases, in other laws such as civil codes, (cyber)security laws, etc. Some laws prescribe the cases in which such notifications must be made; others leave it to organisations to determine whether the breach poses a risk to individuals and, depending on the risk level, whether a notification to authorities and/or individuals must be made.
It is good practice to map out these requirements in a chart, including details such as whether there is a notification requirement, what the threshold is and how to report a data breach, so that the chart can be used when a breach occurs. Keep in mind that the notification requirements towards regulators and towards affected individuals may differ.
4. In certain cases, where processing activities would pose risks to individuals, organisations should notify authorities about such processing. For instance, the GDPR prescribes that, where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, the controller shall consult the supervisory authority.
This means that if your processing might be risky (e.g., use of solely automated decision-making, intrusive profiling, use of new technologies, etc.), look out for these provisions in the law.
This is only guidance on how to determine whether a law applies to an organisation and how to deal with notification requirements. It is always advisable to document the assessments made and the decisions taken.
Ideas expressed in this article are personal views of the author and do not constitute legal advice.