The Territorial Scope Of The GDPR

Published date03 March 2021
Subject MatterPrivacy, Data Protection
Law FirmZacco
AuthorPeter Friis

The territorial scope of the General Data Protection Regulations (the 'GDPR' or the 'regulation') is determined within Article 3, adopting two main criteria for this purpose; 'establishment' and 'targeting'. Where one of these two criteria is met, all relevant provisions of the GDPR will apply to the relevant processing of personal data performed by the controller or processor concerned.

Controllers or processors established in the EU

It probably comes as no surprise that the GDPR applies to organisations which are established within the EU, if personal data is processed 'in the context of the activities' of such an establishment. The fact that this applies regardless of whether the actual processing of the data takes place in the EU or not might, however, be less obvious. According to recital 22, an establishment implies the effective and real exercise of activities - even a minimal one - through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect. In some circumstances, the presence of a single employee or agent of a non-EU entity within the Union may be sufficient to constitute a stable arrangement. For example, organisations with EU sales offices who are either selling to or using advertising and marketing that is targeted to EU residents will likely be subject to the regulation.

Organisations situated outside the EU but targeting or monitoring EU data subjects

The GDPR 'applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.' According to the European Data Protection Board's guidelines 3/2018 on the territorial scope of the GDPR (EDPB guidelines), p.17f, the following facts are likely to be considered when determining whether goods or services are offered to ('targeting') a data subject in the Union:

The EU or at least one Member State is designated by name with reference to the goods or services offered;

The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT