Published On: March 13th, 2019/Categories: GDPR/3.7 min read/

GDPR Article 27 Deconstructed

Article 27.2 of the GDPR contains some pretty complex sentence structure. This is an attempt to explain it.

this Article shall not apply to:
(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
(b) a public authority or body.

GDPR Article 27.2

Breaking it into Two Statements

Note the “or” at the end of the a) paragraph. So we have two statements here:

  1. this Article shall not apply to… processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing;
  2. this Article shall not apply to… a public authority or body.

The First Statement

This statement is creating a very specific exemption. I break it out into numbered sections.

  1. “This Article shall not apply to” [You don’t need an EU Representative] if…
  2. “processing which is occasional” [The first requirement of the exemption],
  3. “does not include” [The following items [4], [5] are an exemption to the exemption],
  4. “on a large scale, processing of special categories of data as referred to in Article 9(1)” or
  5. “{on a large scale} processing of personal data relating to criminal convictions and offences referred to in Article 10,”
  6. “and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing;”

Note the “and” within “and is unlikely to result” in [6], which separates [6] from the OR statement between [4] and [5], and creates one long expression of ( [2] AND ( [3][4]or[3][5] ) AND [6] ).

Reconstruction

This Article shall not apply to:
processing which is occasional AND isn’t large scale processing of special cat/criminal data AND is low risk.

A27 does not apply:
IF processing = occasional
AND NOT processing large scale special cat/criminal
AND processing is low risk

Simple Version

A27 applies unless:
a) a public authority or body, or
b) processing is occasional AND low risk AND doesn’t involve large scale special cat/criminal data

or, to put it another way:

Apart from public authorities/bodies, A27 applies if:
a) Regular processing, or
b) Processing is risky, or
c) Processing involves large scale special cat/criminal data


GDPR Article 27 Flow Chart

Geert Pieters

Share This Post!

About the Author: Carl Gottlieb
I'm the trusted privacy advisor to leading tech companies, helping them gain maximum advantage through the right privacy strategy. My consultancy company Cognition provides a range of privacy and security services including Data Protection Officers, in-depth assessments and virtual security engineers. Get in touch if you'd like to learn more.

Related articles