Again and again we hear that the GDPR does not apply if someone processes data for private purposes. What is the truth of this? And where do the boundaries run? An exception to the scope of the GDPR.

The scope of the General Data Protection Regulation (GDPR) is very broad. But it does not actually apply to the private processing of data. More precisely, it does not apply to the processing of personal data „by natural persons for the exercise of exclusively personal or family activities.“ This is how Art. 2(2)(c) GDPR describes it in a somewhat hidden place. The idea behind the provision is that purely private activities do not normally affect the interests of other individuals.

Exceptions are to be interpreted narrowly

The GDPR allows an exception to its scope of application here. Exceptions are generally to be interpreted narrowly. Therefore, it is advisable to take a very close look at the regulation. In doing so, important aspects arise: Natural and legal persons The exception only concerns the processing of data by „natural persons“. These are all human beings. The counter term to this is „legal persons“. In concrete terms, this means that if Mr. Meier keeps a birthday calendar with his acquaintances for himself personally, the GDPR does not play a role. Because he does this as a natural person. If, on the other hand, he keeps a birthday calendar with the same content as a managing director for Meier GmbH, the situation is different. Then the GDPR applies to it.

Personal and business activities

The exception only covers „personal and family activities“. The counterpart to this is primarily „business activities“. An electronic phone book with the phone numbers of relatives and personal friends does not interest the GDPR. An electronic phone book with the phone numbers of business partners is a different story.

Treatment of mixed cases

This example leads to „mixed cases“, which are relatively common in practice. Someone has stored the phone numbers of relatives and friends in his private cell phone. In addition, the numbers of all important business partners are also stored there. There are no private connections to the business partners. In this case, the GDPR applies to the entire number directory, i.e. to all data. This is because only activities that are „exclusively“ of a personal or family nature are exempt from the GDPR. Here, however, the directory also serves business purposes.

In case of doubt: no exception possible!

Uncertainties in the delimitation are always to the detriment of the person who processes the data. In case of doubt, therefore, the GDPR applies and invoking the exception is not possible. Example: It remains unclear whether someone uses a birthday calendar as a private person or as a managing director. Then he must fully comply with the GDPR. He cannot invoke the exception to the GDPR.

Social networks without access restriction

Many people want to make their photos accessible to a wider circle of acquaintances and post them on Facebook, for example. Anyone who accesses the account can view them. This means that the photos are outside the exclusively private sphere. In such cases, the GDPR applies in full.

Genuinely private groups in social networks

Of course, purely private groups are also possible in social networks. Example: Members of a family living far away from each other set up a private group in which they exchange private pictures and private messages. Only the members have access. The GDPR does not apply to this. However, it is important that the group has a personal connection to each other.

„Number games“ do not help

On the other hand, it does not matter how many members belong to a group. Just because a group has only five or ten members, for example, does not automatically make it a private group. Conversely, in a large family, for example, 20 or 30 people may well still form a private group.

Surveillance camera in your own home

Some people leave a camera running in their home when they are out of the house. This is done, for example, by a cat lover who wants to see from a distance every now and then during the day how the queen with the newborn kittens is doing. This is clearly a case of purely private data processing, even if it is accessed remotely via a data line.

Surveillance camera in front of one’s own house

The situation is different for cameras in house driveways. The data protection authorities no longer accept this as private data processing. The reason for this is that the purpose of such surveillance is to record troublemakers in the picture. This goes beyond the internal, purely private sphere.