The classic trap
Article 2 draws the line between what falls under the GDPR and what does not, and that is exactly where organisations get it wrong. The purely personal or household exception is interpreted very restrictively by the CNPD and the CNIL: as soon as a processing operation serves a professional or commercial purpose, or involves public dissemination, the GDPR applies in full. The most frequently sanctioned mistake is believing that a paper file or an Excel spreadsheet escapes the regulation, when any structured non automated filing system remains covered by Article 2(1).
The misunderstood boundaries of Article 2
- The GDPR also covers non automated processing: a paper folder of payslips or a structured customer directory falls under the regulation as soon as it forms a filing system organised by criteria.
- The household exception disappears once there is a professional purpose: an estate agent, a tradesperson or a freelancer managing client contacts gets no exemption.
- Home video surveillance filming the public road or a neighbour's property falls outside the household exception (Rynes case, CJEU 2014).
- Processing by competent authorities for criminal purposes falls under the Police-Justice Directive (2016/680), not the GDPR: do not confuse the two regimes.
- EU institutions are subject to Regulation 2018/1725 (which replaced 45/2001), not directly to the GDPR.
The concrete risk: an SME that wrongly qualifies a processing operation as household or out of scope deprives itself of a legal basis, a register and information duties, and exposes itself to the cap of 20 M EUR or 4% of worldwide turnover.
How Luxgap automates this risk
Our Luxgap Scope Classifier makes the qualification blind spot impossible: it determines for each detected processing operation whether it falls under the GDPR, the Police-Justice Directive, Regulation 2018/1725 or an exception, and turns the decision into opposable evidence. A specialised AI agent reads your connected sources (Odoo, Microsoft 365, SharePoint, file shares, CRM databases) and automatically maps every structured dataset, including the Excel files and shared workbooks your teams forget to declare.
- Detects non automated structured filing systems (spreadsheets, SharePoint lists, shared directories) that fall under Article 2(1) and that manual registers systematically miss.
- Classifies each processing operation under the correct legal regime using the Article 2 framework and EDPB guidelines, and flags false household claims.
- Detects video surveillance streams filming public space to exclude the household exception in line with the Rynes case law.
- Alerts in real time whenever a new structured data source appears in your connected systems, without asking the DPO to fill in a single form.
- Produces a timestamped PDF report documenting, processing by processing, the qualification adopted and its justification, opposable to the CNPD during an inspection.
Available as a complement to a Luxgap DPO mandate or as a dedicated SaaS module depending on your perimeter. Request a tailored quote and our teams will prepare a demonstration on your real data, with a free scan within 48h to measure your exposure before any engagement.