Page Contents

Answer

Regulation (EU) 2016/6791, the European Union’s ('EU') new General Data Protection Regulation (‘GDPR’), regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU.

It doesn’t apply to the processing of personal data of deceased persons or of legal entities.

The rules don’t apply to data processed by an individual for purely personal reasons or for activities carried out in one's home, provided there is no connection to a professional or commercial activity. When an individual uses personal data outside the personal sphere, for socio-cultural or financial activities, for example, then the data protection law has to be respected.

Examples

When the regulation applies

A company with an establishment in the EU provides travel services to customers based in the Baltic countries and in that context processes personal data of natural persons.

When the regulation doesn’t apply

An individual uses their own private address book to invite friends via email to a party that they are organising (household exception).

References

  • Articles 1 and 2 and Recitals (1), (2), (14), (18) and(27) of the GDPR

1 Regulation (EU) 2016/679 of the European Parliament and of the Councilof 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).