Authors: Vagelis Papakonstantinou and Paul de Hert

For the purposes of this Regulation:

(6) ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

1. Overview and legislative history

 1. Overview: the necessary filter to keep the GDPR scope in balance

The notion of a “filing system” is of critical importance to the GDPR architecture, because it is ultimately connected to its scope. As set in Art. 2 para. 1, in the event of processing “other than by automated means” whether personal data form part or are intended to form part of a filing system is the determinant factor on whether the GDPR applies or not (see mn. 30). Admittedly, non-automated processing is expected to be diminishing during the 2020s. The legislator’s concern back in the early 1990s, while drafting the DPD, was that vast databases still on paper at that time would be left outside data protection’s reach if only automated processing was aimed at.[1] Today this should be a concern of limited scope. Still, however, this basic idea is copied from the text of the DPD into that of the GDPR in exactly the same manner, regardless of the technological developments that took place over the past forty years.

A high risk while regulating non-automated processing is regulatory excess. The processing of personal data is an inherent human function, natural and necessary in any human society. Data protection needs to steer clear of what could be perceived as setting artificial boundaries to a natural human trait. In the same context, people use personal data on paper for the most ordinary and mundane tasks. Notwithstanding the “household” exemption (set in Art. 2 para. 2 lit. c, → Art. 2 mn. 54), data protection need not apply each time a professional notes a name and an address on a piece of paper. It is exactly at this point where the notion of the “filing system” steps in, in the GDPR architecture. It is the, necessary, filter to allow data protection regulation to focus only on the manual processing that is indeed relevant to its purposes.

Because the relevant wording between the DPD and the GDPR is identical, the legal tool of analogy is applicable while implementing the GDPR provisions. The policy option to copy the DPD wording is most likely justified, because presumably nothing has changed in the organisation of manual filing systems over the past decades, other than the fact that they are increasingly replaced by automated ones (where, of course, the GDPR applies without the need to assess whether a filing system is in place, see Art. 2 para. 1 mn. 21). At any event, repetition of the same wording warrants legal certainty, benefiting thus controllers and data subjects alike.

Automated filing systems. “Filing systems” within the GDPR context may be automated or non-automated. The fact that Art. 2 para. 1 refers only to “processing other than by automated means” does not mean that the GDPR perceives “filing systems” as purely manual (see mn. 31). In fact, Recital 67 makes explicit reference to “automated filing systems”. This Art. 4 no. 6 does not address the topic of automation at all, leaving the issue open. Existence, after all, of both manual and automated filing systems reflects reality, whereby databases can be met both on computers and on paper. Although the GDPR pays particular attention to non-automated filing systems, using them to delineate its scope, this does not exclude acknowledgement of automated filing systems. However, these receive partial attention, because their occurrence is not a condition for GDPR applicability. Their appearance in the GDPR text (only in Recital 67) is incidental.

This reveals a concrete policy option in the GDPR. By treating all automated processing as equal, the GDPR essentially applies the same rules regardless whether on single photographs saved on a digital camera or on “big data analytics” operations (see → Art. 2 mn. 27). The GDPR does not distinguish between simple automated processing and automated filing systems, for example placing higher compliance requirements on the latter. The automation (or “new technologies”, see art. 35 mn. 17) parameter is largely ignored in its text. Instead, it applies the principle of accountability, equipped with additional legal tools (e.g. DPOs, DPIAs), in order to single out the processing that is likely to present higher risks for individuals, regardless whether automated or not.

In other words, the GDPR applies a qualitative instead of a quantitative criterion. Perhaps this policy option is not deliberate, being unconsciously inherited from the DPD approach on the same matter (see, for example, its Art. 20 on prior checking). Its efficiency in practice (a metric that would necessarily relate to the actual deployment of DPIAs) remains to be seen. A quantitative criterion, whereby all “automated filing systems” would have to comply with certain legal obligations would theoretically not be without merit, at least in terms of legal certainty. However, as far as its wording is concerned, the GDPR places particular emphasis on “other than by automated means” filing systems, at the same time choosing not to pay any particular attention to their “automated” equivalents.

[…]

[1] See Simitis, ‘From the Market To the Polis: The EU Directive on the Protection of Personal Data’, Iowa Law Review 80, no. 3 (1995), 465.