I often get the following question from my customers.
Like many organisations, they are handling a lot of order documents, coming from a lot of different customers.
As such, their "core activities", as defined in the GDPR, are not about "processing personal data", but they are still processing confidential information that potentially contains personal data.
How do you handle this?
Are they systematically subject to GDPR?
Without knowing other details relating to the circumstances as you have described, "...processing confidential information that potentially contain personal data..." will be subject to the GDPR obligations unless it is absolutely certain that the data processed is unable to relate to an individual.
My view on the quick answer is: if, as controllers, a company (or organisation) collects Personal Data, then it's up to the controller to map its flows and see what they do with it - this postlet for ITG is a good rule of thumb I feel:
I would focus on their collection, notification and processing activities first as they probably give the best feel of what they are doing and why. I feel they need a proper inventory of Personal Data to begin to make any calls, and these should be under the advisement of a properly qualified privacy lawyer.
If that order data identifies (or relates to) real people in the EU, it would be difficult to escape the conclusion that GDPR applies, unless they claim one of the exceptions in Article 2: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
The wording about "core activities" comes from Article 37, which is about Data Protection Officers. Perhaps the organisation could argue that they don't need a DPO - but the organisation would still have to satisfy GDPR.
Observing past trends, regulators and consumers will expect organizations to have a high burden under the GDPR or the EU Data Protection Directive to prove that the exceptions at Article 2 apply to them.
Demonstrating accountability is a new norm in data protection compliance. WP29, the impending European Data Protection Board (EDPB), through its proposed guidelines, has encouraged organisations to designate a DPO voluntarily even though Article 37 may not apply to them. While the organisations have determined their activities may not be 'core', they are still expected to demonstrate compliance under Article 3 of the GDPR where personal data is processed in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the Union or not.
Is the organization able to demonstrate that there is no personal data? Please note that personal data under EU law is quite broad, and is broader than the scope of "personally identifiable information".
It's very unlikely that an organisation could prove that none of their order data is personal data. Even if orders are strictly B2B, the order data probably refers to an account manager, or a recipient, or the details of who signed off the requirement/spend, or something else like that.
In the 21st century it's very hard to run an IT service which tracks product or services sold to people, whilst pretending that you know nothing about those people - not even their name or address or Paypal account or their service preferences. It could still work for old-fashioned face-to-face business where you know nothing about the random person who just appeared in your shop, but in that case the IT footprint is minimal.