# Material scope (GDPR) — legal context bundle

> Curated from overview.legal on 2026-07-14. Canonical page: https://overview.legal/topics/material-scope
> Sources are cited per item. Verify against the official texts before relying on them.

What processing the GDPR applies to — and the exclusions: purely personal or household activity, law enforcement, EU institutions (Article 2 GDPR).

## Legislation (full text of key provisions)

### Material scope

*Source: GDPR, gdpr-art-2-en, 2016-04-27 — https://overview.legal/posts/90184*

### Recital 18

*Source: GDPR, gdpr-rec-18-en, 2016-04-27 — https://overview.legal/posts/91551*

This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

### Recital 16

*Source: GDPR, gdpr-rec-16-en, 2016-04-27 — https://overview.legal/posts/91547*

This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.

## Case law

### Privacy International v Secretary of State

*Source: CJEU, C-623/17, 2020-10-06 — https://overview.legal/posts/51481 — original: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62017CJ0623*

General and indiscriminate transmission of traffic data to security agencies incompatible with EU law.

### Data Protection Commissioner v Facebook Ireland and Maximillian Schrems

*Source: CJEU, C-311/18, 2020-07-16 — https://overview.legal/posts/51470 — original: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62018CJ0311&ref=51470*

Invalidated Privacy Shield adequacy decision and upheld validity of Standard Contractual Clauses with additional safeguards required.

### SERGEJS BUIVIDS v. THE AUGSTĀKĀ TIESA

*Source: CJEU, 2019-02-14 — https://overview.legal/posts/6133 — original: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62017CJ0345&ref=6133*

Material scope: The recording of a video of police officers in a police station, while a statement is being made, and the publication of that video on a video website, on which users can send, watch and share videos, are matters which come within the scope of that directive. (¶¶ 31-32, 46-47)

### Patrick Breyer v Bundesrepublik Deutschland

*Source: CJEU, C-582/14, 2016-10-19 — https://overview.legal/posts/51479 — original: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62014CJ0582&ref=51479*

Dynamic IP addresses can be personal data when holder can identify the person.

### RYNES V. ÚŘAD PRO OCHRANU OSOBNICH ÚDAJŮ, 11.12.2014 (“RYNES”)

*Source: CJEU, 2014-12-11 — https://overview.legal/posts/6155 — original: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62013CJ0212&ref=6155*

Personal data: The image of a person recorded by a camera constitutes personal data because it makes it possible to identify the person concerned. (¶ 22)

### Google Spain SL and Google Inc. v AEPD and Mario Costeja González

*Source: CJEU, C-131/12, 2014-05-13 — https://overview.legal/posts/51472 — original: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62012CJ0131&ref=51472*

Established the right to be forgotten (delisting). Search engines are data controllers.

### SERGEJS BUIVIDS v. THE AUGSTĀKĀ TIESA

*Source: CJEU, 2019-02-14 — https://overview.legal/posts/6132 — original: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62017CJ0345&ref=6132*

Interpretation: The exceptions to material scope of the Data Protection Directive (activities outside of EU law/processing operations “which concern public security, defense, State security and the activities of the State in areas of criminal law” + the household exception) must be interpreted narrowly but the derogation related to ‘journalistic activities’ must be interpreted broadly.

Processing for Journalistic Purposes: ‘Journalistic activities’ are those which have as their purpose the disc

### RYNES V. ÚŘAD PRO OCHRANU OSOBNICH ÚDAJŮ, 11.12.2014 (“RYNES”)

*Source: CJEU, 2014-12-11 — https://overview.legal/posts/6154 — original: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62013CJ0212&ref=6154*

Household exception: The household exception must be interpreted narrowly. Video surveillance that covers, even partially, a public space cannot be regarded as a purely personal or household activity. (¶¶ 28–35)

### HvJ EU 9 januari 2025, C‑394/23 (Mousse).

*Source: CJEU, 2025-01-09 — https://overview.legal/posts/50377 — original: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62023CJ0394*

HvJ EU 9 januari 2025, C‑394/23 (Mousse). Artikelen: 5(1)(c), 6(1), en 21 AVG Onderwerp : Beginsel van minimale gegevensverwerking Gek genoeg verwijst het HvJ EU zelf niet naar HvJ EU 1 augustus 2022, C‑184/20 (Vyriausioji tarnybinės etikos komisija), maar dat had hier ook heel logisch geweest.

### HvJ EU: Privacy Shield ongeldig verklaard (Schrems II)

*Source: Hof van Justitie EU, 2020-07-16 — https://overview.legal/posts/1 — original: https://eur-lex.europa.eu/legal-content/NL/TXT/?uri=CELEX:62018CJ0311*

Het Hof van Justitie verklaart het Privacy Shield-akkoord ongeldig wegens onvoldoende waarborgen voor Europese burgers tegen toegang door Amerikaanse inlichtingendiensten.

### BONNIER AUDIO ABET AL. V. PERFECT COMMUNICATIONS WEDEN, 19.April.2012 (“BONNIER”)

*Source: CJEU, 2012-04-19 — https://overview.legal/posts/5969 — original: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62010CJ0461*

Data Retention Directive (Directive 2006/24): Directive 2006/24 deals exclusively with handling and retention of data generated by electronic communication service providers for the purpose of the investigation, detection, and prosecution of serious crime and their communication to competent national authorities. A national provision transposing the EU intellectual property directive which permits an ISP in civil proceedings to be ordered to give a copyright holder information on the subscriber

### LINDQUIST, 6.11.2003 (“LINDQUIST”)

*Source: CJEU, 2003-11-06 — https://overview.legal/posts/6193 — original: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62007CJ0557&ref=6193*

Processing for purely personal or household activity: Creating a website for a Church which includes personal information of co-workers, constitutes activities that may be mainly charitable and religious, but are not exempted from data protection law under the ‘exclusively personal or domestic’ exemption.  (¶¶ 45–47)

## Guidance

### Guidelines 3/2019 on processing of personal data through video devices

*Source: EDPB, edpb-guidelines-on-processing-of-personal-data-through-video-devices, 2025-11-21 — https://overview.legal/posts/38059 — original: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201903_video_devices.pdf*

The European Data Protection Board (EDPB) adopted Guidelines 3/2019 to provide comprehensive guidance on the processing of personal data through video devices,including CCTV and smart camera systems, under the GDPR. The guidelines address key issues such as the scope of application, the household exemption, lawfulness of processing under Article 6(1)(f) GDPR (legitimate interests), data subjects' rights, and obligations of controllers, while also clarifying the boundary with the Law Enforcement Directive (EU 2016/680). The guidelines were adopted on 29 January 2020 following public consultation and do not impose fines but serve as interpretative guidance for controllers and supervisory authorities.

### Guidelines 09/2020 on relevant and reasoned objection under Regulation 2016/679

*Source: EDPB, edpb-guidelines-on-relevant-and-reasoned-objection-under-regulation-2016679, 2025-11-21 — https://overview.legal/posts/38061 — original: https://edpb.europa.eu/system/files/2021-03/edpb_guidelines_202009_rro_final_en.pdf*

The European Data Protection Board (EDPB) issued these guidelines to clarify the criteria for a "relevant and reasoned objection" by supervisory authorities within the GDPR's cooperation mechanism under Article 65. The guidelines specify that an objection must be both "relevant" (directed at the substance of the draft decision) and "reasoned" (supported by substantive arguments regarding GDPR compliance or risks to fundamental rights and the free flow of personal data within the Union). No fine amounts are involved, as this document provides interpretive guidance rather than an enforcement decision.

### Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications

*Source: EDPB, edpb-guidelines-on-processing-personal-data-in-the-context-of-connected-vehicles-and-mobility-rel, 2025-11-21 — https://overview.legal/posts/38135*

The EDPB adopted Guidelines 1/2020 to provide guidance on the application of the GDPR to the processing of personal data in connected vehicles and mobility-related applications. The guidelines address key issues including data minimisation, data protection by design and by default, transparency obligations, data subjects' rights, security, third-party data sharing, and international transfers, with practical case studies covering services provided by third parties, eCall, accidentology, anti-theft measures, and rental car information. The document does not impose fines but offers recommendations to help controllers and processors in the automotive ecosystem comply with their GDPR obligations.

### Guidelines 01/2022 on data subject rights - Right of access

*Source: EDPB, edpb-guidelines-on-data-subject-rights---right-of-access, 2025-11-21 — https://overview.legal/posts/38055 — original: https://edpb.europa.eu/system/files/2023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf*

The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.

### Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation

*Source: EDPB, edpb-guidelines-on-certification-and-identifying-certification-criteria, 2025-11-21 — https://overview.legal/posts/38048 — original: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf*

The EDPB issued Guidelines 1/2018 to clarify the framework for data protection certification and the identification of certification criteria under Articles 42 and 43 of the GDPR. The guidelines address key concepts such as the interpretation of "certification," the roles of supervisory authorities and certification bodies, and the process for approving certification criteria. This document provides practical guidance to stakeholders on how GDPR certification mechanisms, seals, and marks should be established and operated.

### Guidelines 8/2020 on the targeting of social media users

*Source: EDPB, edpb-guidelines-on-the-targeting-of-social-media-users, 2025-11-21 — https://overview.legal/posts/38073 — original: https://edpb.europa.eu/system/files/2021-04/edpb_guidelines_082020_on_the_targeting_of_social_media_users_en.pdf*

The EDPB adopted Guidelines 8/2020 on the targeting of social media users to clarify the roles, responsibilities, and legal obligations of the various actors involved in social media targeting, including social media providers, targeters, and users. The guidelines analyze different targeting mechanisms—based on provided, observed, and inferred data—and address controller determinations, legal bases, transparency requirements, DPIAs, and the processing of special categories of data. No fines are imposed, as this is interpretive guidance intended to assist stakeholders in achieving GDPR compliance.

### Guidelines 03/2021 on the application of Article 65(1)(a) GDPR

*Source: EDPB, edpb-guidelines-on-the-application-of-article-651a-gdpr, 2025-11-21 — https://overview.legal/posts/38137*

The European Data Protection Board (EDPB) adopted Guidelines 03/2021 to clarify the dispute resolution mechanism under Article 65(1)(a) GDPR, which governs the EDPB's authority to issue binding decisions when a Lead Supervisory Authority receives relevant and reasoned objections from Concerned Supervisory Authorities that it does not follow. The Guidelines address the procedural framework, the threshold for "relevant and reasoned" objections, the scope of the EDPB's substantive competence, and applicable procedural safeguards including the right to be heard, access to the file, and available judicial remedies.

### Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement

*Source: EDPB, edpb-guidelines-on-the-use-of-facial-recognition technology-in-the-area-of-law-enforcement, 2025-11-21 — https://overview.legal/posts/38075 — original: https://edpb.europa.eu/system/files/2023-05/edpb_guidelines_202304_frtlawenforcement_v2_en.pdf*

More  and  more  law  enforcement  authorities  (LEAs)  apply  or  intend  to  apply  facial  recognition technology (FRT). It may be used to authenticate or to identify a person and can be applied on videos (e.g. CCTV) or  photographs. It may be used for various purposes, including to search for persons  in police watch lists or to monitor a person's movements in the public space. FRT is  built on the processing of biometric data , therefore, it encompasses the processing of special categories ...

## Recent developments

### EU-Hof: een belastingautoriteit die bij een marktaanbieder van  internetdiensten gegevens opvraagt moet de AVG in acht nemen

*Source: NL EU Court Expert, 2022-03-02 — https://overview.legal/posts/6309 — original: https://ecer.minbuza.nl/-/eu-hof-een-belastingautoriteit-die-bij-een-marktaanbieder-van-internetdiensten-gegevens-opvraagt-moet-de-avg-in-acht-nemen?redirect=%2Fecer%2Fnieuws%3Fq%3Dprivacy%2520OR%2520avg%26f%3D%26t%3D#entry-308*

The collection by the tax authority of a Member State of personal data concerning the advertisements for the sale of vehicles placed on the website of an economic operator falls within the material scope of the General Data Protection Regulation (AVG). Thus, that authority will also have to comply with the principles on the processing of personal data laid down in the AVG. However, a tax authority can derogate from the AVG in certain cases, even if the right to derogate is not granted by nationa

## Related topics

- **Personal Data** — https://overview.legal/topics/persoonsgegevens
  Information relating to identified or identifiable natural persons
- **Processing** — https://overview.legal/topics/verwerking
  Any operation performed on personal data
- **Law Enforcement** — https://overview.legal/topics/law-enforcement
  Processing for law enforcement purposes
- **IP Address** — https://overview.legal/topics/ip-adres
  Internet protocol addresses as personal data
- **Human Resources** — https://overview.legal/topics/human-resources
  Processing of employee and HR data
- **Data Controller** — https://overview.legal/topics/verwerkingsverantwoordelijke
  The entity that determines purposes and means of processing personal data

---
Generated by overview.legal · https://overview.legal/topics/material-scope · 2026-07-14
