The first chapter of the EU GDPR covers general provisions of the General Data Protection Regulation, including subject-matter and objectives, material scope, territorial scope and definitions of GDPR terms. GDPR Chapter 1 contains articles 1, 2, 3, and 4 of the GDPR or Regulation (EU) 2016/679.
The GDPR definitions include the definition of personal data under the GDPR, the meaning of data processing in the scope of the GDPR, and the GDPR definitions of the controller, the processor, consent and personal data breach. They also cover various types of sensitive data, such as genetic data and biometric data, and techniques such as pseudonymization. We tackled these topics in ‘GDPR data protection: the data subject, personal data and identifiers explained’.
Other definitions in GDPR Chapter 1 (Article 4) of the General Data Protection Regulation text pertain to the restriction of processing, profiling, a filing system, a recipient, a third party, data concerning health, the main establishment, the representative, the supervisory authority and cross-border processing, to name a few.
Article 1: Subject-matter and objectives
Article 1 of GDPR text Chapter 1 states what the General Data Protection Regulation is and specifies the fundamental rights with regard to personal data protection and the free movement of personal data.
Recitals worth checking out with Article 1:
- Recital 1 (Personal data protection as a fundamental right)
- Recital 2 (Personal data processing and fundamental rights and freedoms)
- Recital 3 (Harmonisation Directive 95/46/EC)
- Recital 4 (Personal data protection and other rights – proportionality)
- Recital 5 (Cross-border flows of personal data – data exchange between Member States)
- Recital 6 (Technology, globalisation, increased personal data sharing and new protection challenges)
- Recital 7 (Trust and control over own data)
- Recital 8 (Incorporation into national law)
- Recital 9 (Rationale for a replacement of Directive 95/46/EC)
- Recital 10 (Consistent application and margins of manoeuvre for member states)
Article 2: Material scope
The second article of GDPR Chapter 1 is more important, as the material scope concerns what exactly the GDPR covers: the processing of personal data.
Article 2 lays the foundation: the types of personal data the GDPR applies to and the types and conditions of personal data processing where it isn’t applicable. Finally, Article 2 also stipulates some consequences for and relationships with existing EU legislation. Of course, we also need to know what kind of organizations that process personal data are concerned; more on that below in the relevant Recitals.
Recitals worth checking out in the context of the material scope:
- Recital 13 (Derogation regarding record-keeping and needs of organizations with fewer than 250 employees)
- Recital 14 (Application to data of natural persons only)
- Recital 15 (Technological neutrality: automated and manual processing, filing systems and structure)
- Recital 16 (GDPR application exceptions: national and foreign security)
- Recital 18 (GDPR application exceptions: purely personal or household activity)
- Recital 19 (GDPR application exceptions: criminal offences and criminal penalties)
- Recital 21 (Liability rules of intermediary service providers)
Article 3: Territorial scope
With Article 3 of GDPR Chapter 1 we arrive at one of the most fundamental changes of the General Data Protection Regulation: its extra-territorial applicability.
The territorial scope paragraphs in Article 3 introduce the famous rule that it doesn’t matter where personal data processing of people in the European Union happens. In other words: it applies to any organization, within the limitations mentioned in Article 2 and a whole range of other Articles detailing the territorial scope, that processes personal data of so-called data subjects who are in the EU, regardless of where that processor is: in the EU, outside of the EU, on Mars (we think ahead).
In its second paragraph, Article 3 specifies two processing activities this territorial scope applies to: the offering of goods and services and behavioral monitoring.
Relevant Recitals for the territorial scope and application:
- Recital 22 (Territorial application: processing by establishment independent of place of processing)
- Recital 23 (Controller or a processor offering goods or services not established in the Union)
- Recital 24 (Monitoring behaviour by controller or processor not established in the Union)
- Recital 25 (EU Member State diplomatic mission or consular post)
Article 4: Definitions
Last but not least, the introduction of the GDPR, which Chapter 1 in a way is (leaving aside the fact that there are 173 Recitals before Chapter 1 which are essential to understand the scope and details of the GDPR, explaining why we point you to some of them), offers a range of definitions in Article 4.
These definitions concern terms that are used throughout the rest of the Regulation. A list of the defined terms in Article 4: personal data, processing, restriction of processing, profiling, pseudonymisation, filing system, controller, processor, recipient, third party, consent, personal data breach, genetic data, biometric data, data concerning health, main establishment, representative, enterprise, group of undertakings, binding corporate rules, supervisory authority, supervisory authority concerned, cross-border processing, relevant and reasoned objection, information society service and international organisation.
Of course, defining alone isn’t enough, but as definitions matter, do check out Article 4. There are several Articles in the next Chapters of the GDPR, starting with Chapter 2. Moreover, as Article 4 defines quite a few terms, there are also quite a few Recitals associated with it.
So, also take a look at some of the earlier mentioned Recitals and at:
- Recital 26 (Identified and identifiable natural person, pseudonymisation, anonymous information)
- Recital 28 (Application of pseudonymisation to personal data under the GDPR)
- Recital 29 (Pseudonymisation within the same controller)
- Recital 30 (Online identifiers and combination of online and unique identifiers)
- Recital 31 (Personal data processing by public authorities in accordance with legal obligations)
- Recital 34 (Genetic data as personal data under the GDPR)
- Recital 35 (Personal data and health data under the GDPR)
Although the content of this article is thoroughly checked, we are not liable for potential mistakes and advise you to seek assistance in preparing for GDPR.