What data falls under the scope of  GDPR?

GDPR applies to all personal data which is wholly or partly automated. This means that all information held on a computer or other electronic means will be covered. This includes data that will be processed by automated means. It also applies to personal data that forms part of a filing system or intends to form part of a filing system. This includes paper or other manual records. 

What paper or manual records are subject to GDPR requirements?

GDPR will apply to documents in a filing system that is structured in a way to allow access to personal data, whether easily or not. If a filing system appears unorganised but a member of staff can locate a document within it, by reference to an internal system, then this data will come under the scope of GDPR, even though at first glance the information may not appear to be in a structured filing system. 

What is personal data?

Any information that relates to an identified or identifiable  natural person. This means that data belonging to a deceased person or corporate entity is not personal data. However, the data of a deceased person may be the personal data of the next of kin of the deceased person. Similarly, information about people in a corporate entity will be personal data. 


An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as, name, number, location data, online identifier or one or more factors specific to the physical , physiological, genetic, mental, economic, cultural or social identity of the natural person.  The person must be capable of being identified from the data in question. This will depend on the type of processing by the organisation. 

When considering if the person is identifiable, the organisation must take into account all of the information under its control.  If personal data is being published, a controller must consider the information that is already in the public domain, which may identify the data subject. 

Subject Access Request

Where personal data is being processed by a controller, a relevant individual is entitled to:

  • receive confirmation that his or her personal data is being processed
  • a copy of all of the data held.
Subject Access Request

The individual can also request, among other things:

  • the purposes for which the data is being processed;
  • a description of the recipients of the data;
  • the storage period of the data;
  • the source of the data;
  • the logic behind automatic decisions make about the person;
  • details about the transfer of data outside the country. 

Contact us if you need further information on GDPR