This thesis explores the extent of the General Data Protection Regulation (GDPR) Article 2(2)(c). The thesis is based on the processing activities concerning publication of personal data on the internet and on social media such as Facebook.

The purpose of this thesis is to examine how the Danish Data Protection Agency interprets the article as well as what is understood by data processing as part of purely personal or household activity. In this connection, the thesis investigates whether the extent of the article can be de- termined as well as whether a national change of practice has happened in the light of the verdict by the European Court of Justice in case C-101/01 Lindqvist. In continuation of this, the thesis will discuss whether the Danish Data Protection Agency has legal basis to conduct a change in practice, and if this change is contrary to the purpose of the GDPR and the principles of EU law.

To determine what is meant by data processing as part of purely personal or household activity, the thesis draws on the legal dogmatic method. The purpose of the method is to describe, in- terpret and analyze present law. Furthermore, the thesis incorporates a brief legal historical perspective of the GDPR Article 2(2)(c). The legal historical perspective is required to describe past applicable law for the household exemption as means to understand the extent of the article today.

As set out in the household exemption, the GDPR does not apply to the processing of personal data carried out by a natural person in the course of purely personal or household activities. The GDPR does not elaborate further on what is encompassed by the concepts “personal” or “household”. Therefore, it is left to the Member States and legal practice to determine the extent of the article. Before the devising of the GDPR, the European Court of Justice made a verdict in the Lindqvist-case where the household exemption was considered for the first time. In this case, the basis was that the publishing of personal data on a website accessible by an indefinite amount of people was not encompassed by the household exemption. The Danish Data Protec- tion Agency went on to apply this premise from the Lindqvist-case in its own verdicts. In 2018 the new General Data Protection Regulation took effect. In the GDPR’s recital number 18, focus was placed on social network activities and online activities, thus expanding today’s use for the household exemption.

After the GDPR took effect, the Danish Data Protection Agency published three verdicts that were contrary to the premise determined by the European Court of Justice in the Lindqvist-case. In its verdicts the Danish Data Protection Agency in general considers the specific cir- cumstances surrounding the case, but it also includes various factual criteria in its assessments. For example, emphasis is placed on whether it is a subjective and value laden statement, or an ordinary and legitimate activity in relation to the platform in question. Furthermore, the Danish Data Protection Agency decides whether the processing of personal data happens in relation to business-wise or commercial intent. Lastly, the accessibility will be included in an overall as- sessment to evaluate how large a circle of people with whom the data has been shared. How- ever, this thesis reveals a national change of practice which is contrary to the purpose of the GDPR and the principles of EU law. In addition, it can be derived that the Danish Data Protec- tion Agency does not have sufficient legal basis to conduct a change in practice that is contrary to the verdict by the European Court of Justice in the Lindqvist-case.