Yes if you process Personal Data, No if not
The scope of GDPR is, plain and simple, any processing of personal data. It does not matter if it is in the cloud, on your home laptop or what tools you use for it, as long as it is either automated or partially automated and creates any sort of filing system (read: database of any sort). The exceptions are pretty much for the state, and private people managing their own private correspondence.
If you do something with the data, then yes, you need to work with GDPR and have a privacy policy. If you don't process the data, then you don't process the data.
Let's make an example:
- User chooses the language preference. This can be done multiple ways without processing data on your end:
  - Choosing the language puts you in the matching language folder of the webpage and all pages are subpages of one language, e.g. there's a German \de\index.html, French \fr\index.html and an English \en\index.html - your webpage might even look different for different languages...
  - User gets all language packages at once, and your page uses... JavaScript to only display the part that matches the language choice in the cookie.
  - Choosing a language sets a cookie, and whenever the user opens a page, the page asks for the cookie, and processes on the server side what packages are sent to build the page. Of course, this minimizes traffic and data duplication by having to have all files (esp. pictures) in each language's directory, but now you process data.
Now, the question is, is that Personal Data? That depends on the data you retain. Just language preference and nothing more is very vast. There are about 130 million people who speak German as their first language, 444 consider French as their native language, and about 370 do so with English. Without other data, this does not result in an identifiable person. However, the IP address by definition is personal data, as it is unique.
Citations
These parts of GDPR are relevant:
Art. 1 GDPR
- This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
- This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
Art. 2 GDPR
- This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
- This Regulation does not apply to the processing of personal data:
  - in the course of an activity which falls outside the scope of Union law;
  - by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
  - by a natural person in the course of a purely personal or household activity;
  - by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
Art. 4 GDPR
For the purposes of this Regulation:
- ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;