Application of the GDPR

When does the GDPR apply?

The GDPR applies to “the processing of personal data”. In determining whether activities fall within the material scope of the GDPR, two elements must be evaluated. First, the data must be “processed”. The processing of personal data includes “...any operation or set of operations which is performed on personal data…”. Processing has a very broad definition and is likely to include many HBP operations. For instance, processing includes simply storing data. In other words, data protection law takes a much broader view of “processing” than technologists generally do. The second necessary element for the GDPR to be applicable is that the data must be “personal”. The intention of focusing on personal data is to protect the rights of the “data subject”, that is, the “identified or identifiable natural person” to whom the data being processed and collected refers. This protection is limited to living natural persons and thus does not include legal or deceased persons or anonymised data.

What is personal data?

In determining whether data is personal, EU data protection law takes an expansive view. Pursuant to the GDPR, personal data includes “any information relating to an identified or identifiable natural person.” This includes names, identification numbers, location data, IP addresses, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Therefore, if your SP has contact information including names and email addresses, that data will be considered personal and is regulated by the GDPR. In addition to human data and medical records, survey data and the results of questionnaires will also be considered personal data. The GDPR also applies additional protection to special categories of personal data. These data types include information regarding race, ethnic origin, political affiliation, trade union membership, genetics, biometrics used for identification, and health data, amongst others.

Although expansive, the inclusion of ‘any information’ does not mean that all data stored on cloud services are personal data. For example, commercial data or trade secrets, although possibly subject to other restrictions, are not personal data and thus fall beyond the purview or scope of the GDPR. The same is true of animal data. However, records of researchers submitting such data may be considered personal data. Therefore, SPs should be cautious about concluding that they do not have personal data, even if their primary research area involves animal models, robotics, or another data type.

 

 

This page was last updated on 16/05/2018