
I would like to know if you must comply with the General Data Protection Regulation, if you've made a web application that is not subject to any business or organisation.

2) This Regulation does not apply to the processing of personal data: in the course of an activity which falls outside the scope of Union law; by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU; by a natural person in the course of a purely personal or household activity; by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

From Article 2 of the GDPR (https://gdpr-info.eu)

  • Does this mean I don't need to comply with the GDPR if I'm not an organisation?
  • If I were an organisation, how simple would it be to comply with this law, to avoid civil liabilities?
Steve Woods

2 Answers


As always, it depends.

However, it is by no means certain that any public facing hobby project, such as a web app, is exempt from having to comply with the GDPR.

Since the GDPR is only a few days old, we have of course no case law based upon the GDPR itself yet.

However, when considering this, one should take the following two facts into consideration.

1. The "personal use exemption" in the GDPR is not new.

The personal use exemption is unchanged from Article 3(2) of Directive 95/46/EC. (There was a lot of lobbying for removing "purely" from the sentence – but the drafters wanted to keep it.)

2. Case-law under the previous regulation restricts the scope of the exception

The ECJ has ruled on the scope of the personal use exception in two cases: C-101/01 (Lindqvist) and C-212/13 (Ryneš).

In both these cases, the ECJ took an extremely restrictive view, and concluded that the personal use exemption did not apply to the processing done by these individuals. In C-101/01 it can be argued that the hobby project as a blogger was connected to the controller's professional activity (she was a catechist in a local church, and blogged about her work, including her colleagues). But in C-212/13, there was no such connection to professional or commercial activity. Here, the controller operated a CCTV camera to protect his home, but set it up to also capture public space, and that was enough for the ECJ to decide that the personal use exception did not apply.

Discussion

Case-law based upon Directive 95/46/EC is in no way binding for a future court that needs to rule based upon the GDPR. We need to wait for case-law decided under the GDPR to be able to have some degree of certainty about the scope of the "private use exception" under the GDPR.

However, given what we know about how the ECJ has ruled in these cases in the past, I think it is hazardous to think that just because what you are doing on the web is just a "hobby project" not connected to professional or commercial activity, you are exempt from complying with the GDPR.

Conclusion

IMHO, you may be exempt, or you may not be exempt. I think it really depends on your activity in your hobby project, and to what extent this project processes the personal data of other people than yourself.

Free Radical


Recital 18 gives some more details on that:

This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.

So what matters is whether your activity is professional/commercial or not (you do not necessarily need to be an organisation to do business). If your web applications do not sell goods/services or otherwise create business-customer relationships — feel free to ignore GDPR.

Greendrake
  • Oh, OK. Thank you. So, as long as I don't sell goods or become an organisation, the GDPR is useless to comply with, right? However, we all still need to make sure data is protected. :) – Steve Woods May 30 '18 at 09:31
  • @SteveWoods Watch services too (web apps selling services is more common than selling goods). In a nutshell, if you are not trying to make money with your apps and stay a person then yes, GDPR is irrelevant. – Greendrake May 30 '18 at 09:40
  • What about donations for a feature in a web app? Better just use Google Adwords then. <3 thank you very much. – Steve Woods May 30 '18 at 09:40
  • @SteveWoods Re donations, that depends on whether they are considered commercial activity which is a separate question. – Greendrake May 30 '18 at 09:43
  • you've been most helpful. I might just comply with the GDPR as a guide instead of an EU legislation that will take your money away. Thank you so much. – Steve Woods May 30 '18 at 09:47
  • Possible duplicate of this question. – Free Radical May 30 '18 at 09:49
  • I think the accepted answer is interpreting Recital 18 too broadly. It is by no means certain that anything that is not professional/commercial activity is exempt. – Free Radical May 30 '18 at 10:01
  • @FreeRadical Certainly there cannot be certainty until we have some cases decided on GDPR itself and not prerequisite regulations. So far we can only speculate. – Greendrake May 30 '18 at 10:07
  • @SteveWoods, I believe that if your "hobby" Website allows personal information collected from the Website's operation to be transferred or provided to third parties for their own purposes (this would include cookies used to identify and track users across multiple domains such as Google Adwords), you certainly cannot claim that this aspect of your Website's collection and processing of personal data is a "purely personal or household activity". – Tardis May 30 '18 at 16:47
  • "a purely personal or household activity and thus with no connection to a professional or commercial activity" - this says that for something to be considered "a purely personal or household activity", it must not have any "connection to a professional or commercial activity". The inverse that you seem to assume is not automatically true. – O. R. Mapper Jun 04 '18 at 15:16
  • @O.R.Mapper I do not assume the inverse as the question (and hence the answer too) is in the context of a person and their hobby. The answer does not apply, for example, to non-commercial organisations. – Greendrake Jun 04 '18 at 22:24
  • @Greendrake: What I meant is: You appear to assume that if an activity does not have any "connection to a professional or commercial activity", it is automatically, or at least usually, a "purely personal or household activity". – O. R. Mapper Jun 05 '18 at 03:00
  • @O.R.Mapper What kind of activity can a person be engaged in that would not fall under either the personal/household or the professional/commercial category? – Greendrake Jun 05 '18 at 07:17
  • @Greendrake: Arguably, any website that is not "professional/commercial", but directed at the general public (think a collection of favourite recipes, a blog about impressions from international trips, a webcomic someone draws in their spare time, ...) could count. In the most extreme interpretation, any non-commercial website that strangers can access without a password. Yes, very different opinions exist on these matters, but your advice "feel free to ignore" implies a legal safety that is not really there. – O. R. Mapper Jun 06 '18 at 20:07
  • @O.R.Mapper No legal safety is implied on this site as it clearly says that nothing here is legal advice. Everything is just opinions that may more or less appear true. GDPR matters are of course much less obvious than most of other stuff because it is a new law with no precedents decided yet. – Greendrake Jun 06 '18 at 21:27
  • @Greendrake: "No legal safety is implied on this site as it clearly says that nothing here is legal advice." - obviously, every answer here, including your advice "feel free to ignore GDPR", is "legal advice" in the meaning of "advice on a legal topic". And it is safe to say many visitors on this site take it as such, especially on this type of "what should I do in situation X" questions. It is just not "legal advice" in the sense of "I can be blamed if I was wrong". But if you feel more comfortable with this wording: In the hypothetical case that one were to follow your suggestion "feel free to ignore" that is merely your personal opinion without any guarantees, the outcome is not necessarily the degree of legal safety one could, in your opinion, hypothetically, achieve. Indeed, GDPR is a new law, but plenty of aspects have been around elsewhere before. In particular, the precise words that describe "purely personal or household" in the German translation of GDPR were already used in older laws referring to websites. Lastly, for practical reasons, what is decided is not as important as what could be decided. – O. R. Mapper Jun 06 '18 at 22:01