The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Question: Does the GDPR apply to paper records?

Answer: Yes. While the drafters of the GDPR intended for it to be “technologically neutral”1 the regulation only applies in two situations: (1) where processing of personal data is conducted by “automated means,” and (2) where processing of personal data is not conducted by automated means, but the data “form[s] part of a filing system or [is] intended to for part of a filing system.”2

The first situation – i.e., “automated processing” – is typically interpreted as referring only to situations in which records are stored electronically.3 Put differently, it is difficult to think of a situation in which the processing of paper records is “automated” unless the records are in the process of being converted into a digital format.

The second situation may apply to “information kept on paper” if the paper records are kept within a “filing system.”4 The term “filing system” is defined as “any structured set of personal data which [is] accessible according to specific criteria, whether centralized, decentralized or dispersed . . . .”5 As a result, any files that “are not structured according to specific criteria” do not fall within the scope of the regulation.6

The net result is that when paper records are unorganized (e.g., loose documents on a printer, papers on a desk, etc.) they are arguably not governed by the GDPR because they are neither structured nor accessible to be easily searched. Conversely when paper records are organized within a filing system that allows a person to search for specific information or documents there is an argument that they have become “structured” and “accessible according to specific criteria” and, thus, subject to the GDPR. The following are a few examples of common situations in which paper records are arguably governed by the regulation:

  • Files placed in a filing cabinet indexed by name.7
  • Files placed in wall-mounted file hangers that are labelled and sorted by name.8
  • Expense reports that are sorted by function (g., hotel, travel, etc.) and then internally sorted by employee.9
  • Human resource records that are sorted by job title (e.g., secretary) and then alphabetic by employee.10