Material Scope (GDPR)

The substantive boundaries of what GDPR regulates—specifically, the processing of personal data wholly or partly by automated means, and non-automated processing of personal data in filing systems. GDPR's material scope means it covers: electronic data processing, automated decision-making, manual processing if data is in structured filing systems, and processing by both controllers and processors. GDPR doesn't apply to: purely personal or household activities, deceased individuals' data (though member states may provide protections), anonymous data, and certain law enforcement or national security processing. The material scope is broad, encompassing virtually all business processing of personal data. Understanding material scope helps determine whether GDPR applies to specific activities. If processing involves personal data and isn't explicitly excluded, GDPR likely applies. Organizations should assess whether their activities fall within GDPR's material scope, document this assessment, and ensure compliance for all activities within scope.