EU: Prospective Filing System Inclusion

EU Jurisdiction: Prospective Filing System Inclusion

The factor of Prospective Filing System Inclusion is explicitly addressed in the General Data Protection Regulation (GDPR). This factor ensures that the GDPR applies to data processing activities performed without automated means if the personal data is intended to be part of a filing system.

Text of Relevant Provisions

GDPR Art.2(1):

"This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."

GDPR Recital 15:

"(15) In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation."

Analysis of Provisions

GDPR Art.2(1) clearly extends the scope of the regulation to include the processing of personal data that is not automated but is intended to be part of a filing system. This inclusion ensures that manual processing activities are covered by the GDPR as soon as there is an intention to organize the data into a structured system, preventing potential gaps in data protection.
Recital 15 emphasizes the GDPR’s aim to maintain technological neutrality in its application, meaning that the method of processing (automated or manual) does not affect the obligation to protect personal data. The key factor is whether the data is or will be part of a filing system, which includes any set of personal data that is structured according to specific criteria, allowing for easy retrieval.
The rationale behind this provision is to prevent data controllers from evading GDPR obligations by keeping personal data in unstructured or informal collections until they are later organized. By covering data intended for filing systems, the GDPR ensures that protection begins even before formal structuring occurs.

Implications

For businesses, this means that any manual processing of personal data within the EU is subject to the GDPR if the data is intended to be part of a filing system. This requires companies to apply GDPR compliance measures from the outset of data collection, even if the data is not yet organized into a formal system.
An example of this would be a company manually collecting customer data with the intention of later entering it into a CRM system. Even before this data is digitized and organized, the company must comply with GDPR requirements, as the data is intended to be part of a structured filing system.
This provision helps to close potential loopholes where organizations might otherwise delay structuring data to avoid regulatory obligations, ensuring continuous protection of personal data throughout its lifecycle.

Jurisdiction Overview

👮🏼 National Security and Law Enforcement Exemption Judicial Proceedings and Court Records Exemption 🏡 Personal and Domestic Use Exemption ™️ Exception for Information about Legal Entities 🔗 Processing in Context of Local Establishment 🎦 Monitoring Data Subjects Within Jurisdiction 🖥️ Automated Means Criterion 🏛️ Government and Public Agency Exemption 📍 Processing by Local Establishment Physical Location/Residency of Data Subject in Jurisdiction 💼 Processing by Entity Registered or Incorporated in Jurisdiction 🗃️ Filing System Criterion 💽 Prospective Filing System Inclusion 🛍️ Offering Goods and Services to Data Subjects in Jurisdiction 🕵🏿 State Secrets Exemption ⚖️ Sectoral Exceptions Regulated by Other Laws