AI Act Scope
The 'Subject matter' section is foundational to understanding what the AI Act covers, defines key terms, and establishes the scope of application. This concept deserves its own dedicated topic as it is distinct from general compliance requirements.
Overview
Legal Context
The AI Act’s “subject‑matter” clause is the cornerstone that determines what falls under its ambit. It draws on the material scope of the GDPR (art‑2‑en) and the territorial reach (art‑3‑en) while also borrowing from the NIS2 framework (nis2‑art‑1‑nl/en) and the UAVG provisions (art‑2, art‑4, art‑34). The commentary on the AVG clarifies how data of a “strafrechtelijke aard” is treated, how authorities can issue warnings, and how categories such as “ras of etnische afkomst” are defined. These insights help us see that the AI Act covers not only AI systems that process personal data but also the related administrative and technical infrastructure that supports such processing.
Core Requirements
- Definition of an AI system – any automated or semi‑automated tool that processes personal data, whether it is a standalone application or part of a larger data‑handling ecosystem.
- Scope of data – includes both “geheel” and “gedeeltelijk” automated processing, as well as non‑automated entries that are later incorporated into structured datasets.
- Territorial reach – the Act applies to activities conducted within the EU, to public authorities, and to any other body that falls under the UAVG definition of a “public authority” (art‑4).
- Administrative oversight – authorities may issue a “bestuurlijke waarschuwing” (art‑58‑2‑a) to signal that the Act’s provisions are being applied, and they must respond to such warnings (art‑58‑4).
- Data retention and reporting – the Act obliges entities to retain and report on the use of AI systems, echoing the requirements in the Data Retention Directive (art‑1‑nl of the AVG).
Interpretation & Application
The AVG commentary on “betekenis” shows that data of a criminal nature is treated as a special category, which the AI Act expands to cover all AI‑driven data processing. In the BONNIER case, the court held that the directive’s retention requirements apply to AI systems that generate data for criminal investigations, illustrating how the AI Act’s subject matter can be applied in practice. The ASNEF ruling confirms that the directive’s provisions can be directly applied by national authorities, which means the AI Act can be enforced without additional national legislation. RUNDFUNK demonstrates that the same principle applies to civil proceedings, reinforcing the idea that the AI Act’s scope is both broad and flexible.
Practical Considerations
Compliance professionals must first map their AI systems to the Act’s definition, ensuring that all automated and non‑automated processes are included. They should document the data flow, retention schedules, and the roles of public authorities involved. A key challenge is aligning the AI Act’s requirements with existing GDPR and NIS2 obligations; a clear audit trail will help avoid overlap. It is also essential to monitor the evolving interpretation of “AI system” in court decisions, as new case law may refine the scope.
Connections
The AI Act’s subject‑matter clause is the bridge between AI, personal data, and processing. It informs law‑enforcement agencies on how to use AI for investigations, guides HR departments on data‑driven recruitment tools, and supports the broader data‑economy strategy. By understanding the scope, practitioners can better integrate AI solutions into their data‑management frameworks, ensuring compliance across all relevant legal domains.
Laws (8)
Case Law (9)
Google LLC, venant aux droits de Google Inc. v Commission nationale de l’informatique et des libertés (CNIL)
Google - Global De-linking
Territorial scope of EU data protection law: The present case falls within the territorial scope of GDPR because “it is apparent from the information provided in the order for reference, first, that Google’s establishment in French territory carries on, inter alia, commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concerned, and, second, that that search engine must, in view of, inte
SERGEJS BUIVIDS v. THE AUGSTĀKĀ TIESA
Buivids
Material scope: The recording of a video of police officers in a police station, while a statement is being made, and the publication of that video on a video website, on which users can send, watch and share videos, are matters which come within the scope of that directive. (¶¶ 31-32, 46-47)
SERGEJS BUIVIDS v. THE AUGSTĀKĀ TIESA
Buivids
Interpretation: The exceptions to material scope of the Data Protection Directive (activities outside of EU law/processing operations “which concern public security, defense, State security and the activities of the State in areas of criminal law” + the household exception) must be interpreted narrowly but the derogation related to ‘journalistic activities’ must be interpreted broadly. Processing for Journalistic Purposes: ‘Journalistic activities’ are those which have as their purpose the disc
UNABHÄNGIGES LANDESZENTRUM FÜR DATENSCHUTZ SCHLESWIG-HOLSTEIN v. WIRTSCHAFTSAKADEMIE SCHLESWIG-HOLSTEIN GmbH
Wirtschaftsakademie
Territorial Scope / Concept of “establishment”: Facebook Germany is responsible for promoting and selling advertising space and carries on activities addressed to persons residing in Germany. Given that a social network such as Facebook generates a substantial part of its income from advertisements posted on the web pages set up and accessed by users, and given that Facebook’s establishment in Germany is intended to ensure the promotion and sale in Germany of advertising space that makes Faceboo
Data Protection Commissioner v. Schrems and Facebook
Schrems I
Safe harbour: US public authorities are not required to comply with safe harbor principles. Decision 2000/520 specifies that safe harbor principles may be limited to the extent necessary to meet national security, public interest or law enforcement requirements, or statute, regulation or caselaw. Self-certified US organizations receiving personal data from the EU are thus bound to disregard safe harbor principles when they conflict with US legal requirements. Decision 2000/520 does not contain s
GOOGLE SPAIN SL V. AEPD (THE DPA) & MARIO COSTEJA GONZALEZ, 13.May.2014 (“GOOGLE v. Spain”)
Google Spain
Concept of ‘establishment’: An ‘establishment’ exists where an organization engages in the effective and real exercise of activity through stable arrangements in an EU Member State. It is not required that the processing be carried out by the establishment itself. The processing of personal data by the not-established controller suffices if it is “carried out in the context of the activities” of the establishment. In this case, the activities of the search engine and those of its establishment in
BONNIER AUDIO AB ET AL. V. PERFECT COMMUNICATION SWEDEN, 19.April.2012 (“BONNIER”)
Bonnier
Data Retention Directive (Directive 2006/24): Directive 2006/24 deals exclusively with handling and retention of data generated by electronic communication service providers for the purpose of the investigation, detection, and prosecution of serious crime and their communication to competent national authorities. A national provision transposing the EU intellectual property directive which permits an ISP in civil proceedings to be ordered to give a copyright holder information on the subscriber
ASOCIACION NACIONAL DE ESTABLECIMIENTOS FINANCIEROS DE CREDITO (ASNEF) AND FEDERACION DE COMERCIO ELECTRONICO Y MARKETING DIRECTO (FECEMD) V. ADMINISTRACION DEL ESTADO, 24.Nov.2011 (“ASNEF”)
ASNEF
Direct applicability of Directive 95/46: Whenever the provisions of a Directive appear to be unconditional and sufficiently precise, they have direct effect if the Member State has failed to implement that Directive in domestic law by the end of the prescribed period. Article 7(f) is sufficiently precise, as it states an unconditional obligation. (¶¶ 52-55)
RECHNUNGSHOF V. ÖSTERREICHISCHER RUNDFUNK, 20.5.2003 (“RUNDFUNK”)
Rundfunk
Direct applicability of Directive 95/46: Wherever provisions of a directive appear to be unconditional and sufficiently precise, they may, in the absence of implementing measures adopted within the prescribed period, be relied on against any incompatible national provision, or insofar as they define rights which individuals are able to assert against the State. (¶ 98)
Guidance (53)
Guidelines 4/2019 on Article 25 Data Protection by Design and by Default
guidelines privacy by design and default
Guidelines 01/2022 on data subject rights: Right of access
guidelines right of access
The right of access of data subjects is enshrined in Article 8 of the Charter of Fundamental Rights of the European Union. It has been part of the European data protection legal framework since its beginning and is now further developed by more specific and precise rules in Article 15 GDPR.
Version history
guidelines right of access
Guidelines 8/2020 on the targeting of social media users
guidelines targeting social media users
Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
guidelines territorial scope GDPR
Guidelines 05/2020 on consent under Regulation 2016/679
guidelines consent
ARTICLE 29 DATA PROTECTION WORKING PARTY
guidelines transparency
Version history
guidelines performance of a contract
Guidelines 03/2021 on the application of Article 65(1)(a) GDPR
guidelines on the application of Article 60 GDPR
Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR
guidelines interplay application of Article 3 and Chapter V GDPR
Version history
Guidelines 07/2022 on certification as a tool for transfers
Under Article 46 of the General Data Protection Regulation (GDPR), data exporters must provide appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR sets out the various appropriate safeguards that data exporters may use under Article 46 as a framework for transfers to third countries, including by introducing certification as a new transfer mechanism (Article 42(2) and A...
Version history
Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679
Guidelines 01/2021
Guidelines 02/2022 on the application of Article 60 GDPR
guidelines on the application of Article 60 GDPR
One of the main innovations in the introduction of the GDPR was the concept of the 'one-stop-shop mechanism'. In cases of cross-border processing, the supervisory authority in the Member State of the main establishment of the controller or processor is the authority that leads the enforcement of the GDPR with respect to the cross-border processing activities in question. In doing so, it cooperates with all the authorities that ...
Guidelines 03/2021 on the application of Article 65(1)(a) GDPR
Guidelines on the application of Article 60 GDPR
Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR
Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
Guidelines 07/2022 on certification as a tool for transfers
guidelines certification
Under Article 46 of the General Data Protection Regulation (GDPR), data exporters must provide appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR sets out the various appropriate safeguards that data exporters may use under Article 46 as a framework for transfers to third countries, including by introducing certification as a new transfer mechanism (Article 42(2) and A...
Guidelines 2/2023 on the technical scope of Article 5(3) of the ePrivacy Directive
guidelines technical scope of Article 5(3) ePrivacy Directive
News (9)
Young people help think about the AP's supervision
On European Privacy Day, 28 January, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) organised a session with young people. Representatives of various youth parties and associations visited the AP to talk about privacy topics that concern young people and young adults.
Article 41 GDPR
(a) Demonstrated independence and expertise: It is clear from Article 41(1) GDPR that the body must have an “appropriate level of expertise” in the subject matter the code of conduct aims to ensure effective compliance with. This is also a requirement of the process specified in Article 41(2)(a) GDPR, according to which the monitoring entity “may be ac
Article 40 GDPR
(3) Controllers and Processors not Subject to the Territorial Scope of the GDPR The focus on a particular sector is supposed to allow for a cost effective way to achieve data protection compliance by taking into account all the specific characteristics of processing carried out in that sector - with particular emphasis on the needs of micro, small and medium enterprises. (EDPB, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 4 June 2019 (Version
Bank must provide personal data to claimant on GDPR: Court grants cross-claim
Interlocutory judgment, right of inspection pursuant to art 15 AVG, applicability of art 843a Rv.
Greek SA fines Clearview AI for EUR 20M
A rundown of the fine on IAPP: https://iapp.org/news/a/a-rundown-of-the-greek-dpas-clearview-ai-fine-findings
What Happened to the Risk-Based Approach to Data Transfers?
The GDPR incorporates the RBA for all obligations of the controller in the GDPR. Where the transfer rules are stated as obligations of the controller (rather than as absolute principles), the RBA of Article 24 therefore applies. Other than the DPAs assume, this is not contradicted by the ECJ in Schrems II nor by the EDPB recommendations on additional measures following the Schrems II judgment, according to Lokke Moerel, Professor of Global ICT Law at Tilburg University and a Dutch Cyber Security
Record fine for Instagram following EDPB intervention
> Following the EDPB’s binding dispute resolution decision of July 28th, the Irish Data Protection Authority (DPA) has adopted its decision regarding Instagram (Meta Platforms Ireland Limited (Meta IE)) and has issued a record GDPR fine of €405 million.
CJEU: PNR Directive Valid if Limited to the “Strictly Necessary”
> In a landmark ruling of 21 June 2022, the CJEU (Grand Chamber), upheld the EU’s regime to collect and use records of travellers, provided that it is strictly interpreted in line with the EU’s fundamental rights. In addition, indiscriminate processing of the data in cases of flights carried out only within the EU is banned unless there is a threat of terrorism. In general, the passengers’ data must also be deleted after six months at the latest.
CJEU: a tax authority that requests data from a market provider of internet services must comply with the GDPR
The collection by the tax authority of a Member State of personal data concerning the advertisements for the sale of vehicles placed on the website of an economic operator falls within the material scope of the General Data Protection Regulation (GDPR). Thus, that authority will also have to comply with the principles on the processing of personal data laid down in the GDPR. However, a tax authority can derogate from the GDPR in certain cases, even if the right to derogate is not granted by nationa