Is there a scope in the EC

EU General Data Protection Regulation (GDPR): Material and spatial scope

Applicability of the GDPR

Material scope of the GDPR and the Austrian Data Protection Act

The GDPR regulates the protection of natural persons when processing personal data.

It applies to

  • the fully or partially automated processing of personal data and

  • the non-automated processing of personal data that is or is to be stored in a file system.

The technology used is not essential. However, manual files that are not subject to any order are not recorded.

Paper files that are not classified according to certain criteria are not subject to the regulation.
If natural persons process personal data exclusively for the exercise of personal and family activities, the GDPR does not apply (example: private individuals use social networks).

In contrast, the GDPR applies to providers of instruments for processing data for personal or family activities (e.g. operators of social networks).

The DSG makes it clear that both the provisions of the DSGVO and the provisions of the newly regulated area of ​​legal consequences in the DSG only apply to the processing of data natural persons apply (this applies in particular to the criminal regime).

Spatial scope of the GDPR

  • Offices in the EU 

The GDPR applies to the processing of personal data for activities of a branch in the Union. It does not matter whether it is the branch of a controller or a processor. It is also applicable if the processing of the data for the branch does not take place in the EU.

The customer data of an Austrian trading company is stored by the parent company in the USA.
  • Branches outside the EU ("market location principle") 

The processing of personal data of persons who are located in the EU also falls under the GDPR

  • offer them goods or services, regardless of whether the person has to make a payment (example: a US company offers books in Austria via the Internet).
  • Observe the behavior of people in the EU (example: a Canadian company uses an analysis tool to monitor the purchasing behavior of people in Austria).
The company that carries out this data processing does not have to have a branch in the EU. Nevertheless, the GDPR must be observed!
Note: The regulation in the DSG (§ 3) regarding the spatial area of ​​application expired at the end of December 31, 2019. The legislator sees the provisions of the GDPR on the spatial scope as sufficient.

Relevant articles of the GDPR: Art 2, Art 3
Relevant recitals: 14 ff
Relevant provisions of the DSG: §§ 3, 4