2. the monitoring of their behaviour (taking place within the Union) → Recital 23 GDPR: «Natural persons are tracked on the internet including potential subsequent use of personal data processing techniques, which consists of profiling of a natural person, particularly in order to take decisions concerning her or him; for analysing or predicting her or his personal preferences, behaviours and attitudes»

GDPR:

• Directly applicable in all 28 MS
• Replaces the 1995 Data Protection Directive
• Replaces the national laws transposing the 1995 Directive
• National laws applied until 25 May 2018

Scope of Application

• Art.2: Material scope of application
  • applies to the processing of personal data wholly or partly by automated means
  • applies also to the processing of data other than by automated means
    • data which forms part of a filing system
    • data intended to form part of a filing system
• Art.3: Territorial scope of application

There is a range of exceptions, the GDPR does not apply to the processing of personal data:

• in the course of an activity which falls outside the scope of Union Law
• by the MS when carrying out activities which fall within the scope of the Common Foreign and Security Policy
• by competent authorities for the purposes of the penalties, prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties
• by a natural person in the course of a purely personal or household activity (Case C-101/01, Lindqvist)

Territorial Scope of Application

1. Establishment: This Regulation applies to the processing of personal data in the context of the activities of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not
   1. a controller with establishments in more than one MS: the place of its central establishment unless the decisions on the purposes and means of the processing of personal data are taken in another establishment
   2. a processor with establishments in more than one MS: where the main processing activities take place
2. Art.3: This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
   1. the offering of goods or services (irrespective of whether a payment is required) → Recital 23 GDPR: it should be ascertained whether it is apparent that the controller or processor envisages offering services
      • User Consent: website’s notices informing about the use of cookies / tracking technologies, users can accept or decline
      • Opt-in / Opt-out: opt-in by accepting, opt-out by declining
      • Data Processing: if the user opts-in, their browsing behaviour may be tracked