When the GDPR Article 2 talks about “processing by automated means” ~ is this all processing that occurs on a digital platform, or simply processing that does not require human intervention?
What I’m really asking is – are there any situations whereby personal data can exist on a digital device / on the internet and not fall into the scope of the GDPR? (Obviously, other than personal data being processed for personal/household purposes).
Your help is much appreciated as I’m getting my head in a spin
Assuming you meant to exclude Territorial scope considerations,
Art 2 – “This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”
Data Processing can take many forms: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
I cannot think of any electronic device involving personal data that wouldn’t at least do one of those activities. Therefore, if it is not called out in art 2(2) (https://gdpr-info.eu/art-2-gdpr/), if it is using an electronic device, it’d apply, unless I am missing an obvious exception :).
Assuming it is also within territorial scope, I can’t think of any examples that wouldn’t fall into the scope of GDPR, but maybe there are limits to my imagination. Do you have a specific example you want to explore?