UK GDPR: Scope and Definitions
Scope and Definitions [Art 1-4]
Rule: UK GDPR applies to automated and manual processing of personal data by controllers and processors established in the UK or targeting UK data subjects.
Article 1: Subject-Matter and Objectives
UK GDPR establishes rules for:
- Protection of natural persons regarding processing of personal data
- Free movement of personal data within the UK
Not about: Legal persons (companies), deceased persons, purely personal/household activities
Article 2: Material Scope
| Processing Activity | In Scope? |
|---|---|
| Automated processing | Yes |
| Manual structured filing systems | Yes |
| Purely personal/household | No (Art 2(2)(c)) |
| National security | No (Art 2(2)(a)) |
| Law enforcement (criminal offences) | No — covered by Data Protection Act 2018 Part 3 |
| EU institutions/bodies | No — covered by separate regulation |
Article 3: Territorial Scope
UK GDPR applies if:
3.1 — Establishment Criterion
Controller or processor established in the UK processing personal data, regardless of:
- Where processing takes place
- Where data subjects are located
“Establishment” means stable arrangements in the UK (office, branch, subsidiary).
3.2 — Targeting Criterion
Controller/processor not established in UK but:
- Offers goods/services to UK data subjects (even if free), OR
- Monitors behaviour of UK data subjects
Key indicators of targeting UK:
- .co.uk or UK-specific domain
- UK phone numbers or addresses
- GBP pricing
- UK-specific marketing
- UK language/cultural references
Exception: Data subject happens to be in UK but offering not directed at UK (e.g., French website accessed by UK tourist).
3.3 — Public International Law
Processing by UK controller not in UK where UK law applies by public international law (e.g., UK embassies).
Article 4: Definitions
Core Definitions
| Term | Definition |
|---|---|
| Personal data | Information relating to identified/identifiable natural person |
| Data subject | The natural person to whom personal data relates |
| Processing | Any operation on personal data (collection, storage, use, disclosure, erasure, etc.) |
| Controller | Determines purposes and means of processing |
| Processor | Processes on behalf of controller |
| Third party | Not controller, processor, data subject, or those under direct authority |
| Consent | Freely given, specific, informed, unambiguous indication of wishes |
Identifiable Person
Person who can be identified directly or indirectly by reference to:
- Name
- Identification number
- Location data
- Online identifier (IP address, cookie ID)
- Physical, physiological, genetic, mental, economic, cultural, or social identity factors
Standard: Low threshold — if singling out is reasonably possible, data is personal.
Special Categories of Personal Data (Art 9)
Processing generally prohibited except with explicit consent or other Art 9(2) condition:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (for unique identification)
- Health data
- Sex life or sexual orientation
Filing System
Structured set of personal data accessible according to specific criteria (manual or automated).
Examples:
- ✅ Alphabetically organized paper personnel files
- ✅ Customer database with search functions
- ❌ Unsorted documents in a drawer
Extraterritorial Application
UK GDPR can apply to:
- UK companies processing abroad
- Non-UK companies targeting UK individuals
- Data about UK nationals processed anywhere (if targeting criterion met)
Practical impact: Non-UK businesses selling to UK consumers must comply.
Purely Personal or Household Exception [Art 2(2)(c)]
Not covered by UK GDPR:
- Personal address book
- Personal social media (privacy settings = friends/family only)
- Private correspondence
BUT covered:
- Business use of personal contact lists
- Public social media pages
- Marketing via personal accounts
Citation
Articles 1-4 — Subject-matter, scope, territorial scope, and definitions