EU: Filing System Criterion

EU Jurisdiction: Filing System Criterion

The Filing System Criterion is explicitly used in the EU's General Data Protection Regulation (GDPR) to define the scope of applicability. The GDPR applies not only to the automated processing of personal data but also extends to manual processing if the personal data are part of a filing system or intended to be part of such a system.

Text of Relevant Provisions

GDPR Art.2(1):

"1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."

GDPR Recital 15:

"(15) In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation."

Analysis of Provisions

  • GDPR Art.2(1) clearly extends the applicability of the GDPR to both automated and manual processing, provided that the manual processing relates to personal data forming part of, or intended to form part of, a "filing system". The term is defined broadly: it means any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.
  • Recital 15 reinforces this by emphasizing the GDPR’s technologically neutral approach. The intent is to prevent the circumvention of data protection obligations by ensuring that manually processed data is protected if it is "contained or intended to be contained in a filing system." This ensures that the protection of personal data does not depend solely on the technology used but rather on the organization and accessibility of the data.
  • The GDPR excludes from its scope any manual processing of personal data that is not organized into a filing system. This exclusion is significant because it places unstructured or casually held records, such as random notes or documents not systematically arranged, outside the regulation's reach.

Implications

  • For businesses, this means that the GDPR applies to manual records just as much as to digital data, provided those records are part of or intended to be part of a filing system. Companies must therefore ensure that any manual handling of personal data, such as paper records or non-digital files, is compliant with GDPR requirements if those records are structured according to specific criteria.
  • This requirement also places an obligation on organizations to assess their data handling practices, including physical records management, to determine whether their manual processing activities fall within the scope of the GDPR. Failure to recognize that manual filing systems are subject to the GDPR could lead to non-compliance and potential penalties.
  • As a practical example, if a company maintains a physical filing system of employee records, with each file organized alphabetically by employee name, this system would fall under the GDPR's scope. However, a random collection of unstructured notes that are not part of any organized system would not.
