Thinking about legal issues surrounding IT

Attorney Masako Mizumachi's (水町雅子) IT Information Law Blog

When the GDPR (General Data Protection Regulation) applies to Japanese companies

These are notes on when the GDPR (General Data Protection Regulation) applies to Japanese companies.

First, the territorial scope

  • The GDPR applies to controllers and processors established in the EU (Article 3(1), Recital 22)
    • → e.g. where the company has set up an EU subsidiary, branch, sales office, etc.
    • Applies regardless of whether the data processing takes place within the EU
  • Where the data subjects are in the EU, the GDPR applies regardless of whether the controller or processor is in the EU (Article 3(2))
    • However, this is limited to processing related to the following:
      • Offering goods or services to persons in the EU (whether or not payment is required)
      • Monitoring of behaviour that takes place within the EU

Next, the material scope itself

  • The GDPR does not apply to every processing of personal data
    • It covers data processed, even partly, by automated means, and data that, even if not processed by automated means, form part of a filing system or are intended to form part of one (Article 2(1))

Article 3 Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Article 2 Material scope

1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
2. This Regulation does not apply to the processing of personal data:
(a) in the course of an activity which falls outside the scope of Union law;
(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
(c) by a natural person in the course of a purely personal or household activity;
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
3. For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.
4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.