Who does the GDPR apply to?

[ch 1: page 6]

The purpose of the GDPR is to protect the personal data of living individuals while at the same time allowing it to be used for “economic and social progress”. Article 2 specifies that it applies to:

the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system (Article 2)

So, it applies to personal data that is processed.

The GDPR operates by imposing duties on those responsible for processing data (data controllers and data processors) and giving rights to individuals whose personal data is processed (the data subjects).

The data controller is the person or organisation that determines the purposes and means of the processing of personal data. He, she or it has specific obligations such as maintaining records and is legally responsible for a breach of the data protection laws.

A data processor is a person or organisation that processes personal data on behalf of the controller. Whenever a data controller uses a processor there must be a contract in place which provides specific information. The processor has its own obligations under the GDPR.

Where two or more data controllers jointly determine the purposes and means of processing, they are called joint controllers. They can agree their respective roles, but can both be liable for data protection breaches.