10
(b)
by the Member States when carrying out activities which fall within the scope of Chapter 2 of
Title V of the TEU;
(c)
by a natural person in the course of a purely personal or household activity;
(d)
by competent authorities for the purposes of the prevention, investigation, detection or
prosecution of criminal offences or the execution of criminal penalties, including the
safeguarding against and the prevention of threats to public security.’
Article 4 of the GDPR provides:
‘For the purposes of this Regulation:
…
(2)
“processing” means any operation or set of operations which is performed on personal data or
on sets of personal data, whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure
by transmission, dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction;
…
(7)
“controller” means the natural or legal person, public authority, agency or other body which,
alone or jointly with others, determines the purposes and means of the processing of personal
data; where the purposes and means of such processing are determined by Union or Member
State law, the controller or the specific criteria for its nomination may be provided for by Union
or Member State law;
(8)
“processor”, means a natural or legal person, public authority, agency or other body which
processes personal data on behalf of the controller;
(9)
“recipient” means a natural or legal person, public authority, agency or another body, to which
the personal data are disclosed, whether a third party or not. However, public authorities which
may receive personal data in the framework of a particular inquiry in accordance with Union or
Member State law shall not be regarded as recipients; the processing of those data by those
public authorities shall be in compliance with the applicable data protection rules according to
the purposes of the processing;
…’
11
Article 23 of the GDPR states:
‘1.
Union or Member State law to which the data controller or processor is subject may restrict by
way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22
and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations
provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights
and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
(a)
national security;
(b)
defence;
(c)
public security;
(d)
the prevention, investigation, detection or prosecution of criminal offences or the execution of
criminal penalties, including the safeguarding against and the prevention of threats to public
security;
…