Skip to Content

GDPR - Territorial Scope - Summary

279  Matthew Burdick September 27, 2022  Territorial Scope

Executive Summary
Pursuant to Articles 3(1) and 3(2), the GDPR applies to businesses established in the EU, as well as to businesses based outside the EU that offer goods and services to, or that monitor, individuals in the EU. Article 3(3) adds that the GDPR also applies in places where EU Member State law applies by virtue of public international law. Although each of these provisions provides some contour to the broad scope of the GDPR, they also introduce complexities and grey areas.
Article Text
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Quick Wins
Publish all your physical locations and create a GDPR page on your web site that details what you collect, what you use it for and how long you keep it. Also publish the DPO contact info. In Weltimmo v. NAIH (C-230/14) , the CJEU adopted a broad and flexible definition of “establishment” that does not hinge on legal form – indeed, the presence of a single representative may be sufficient. In that case, Weltimmo – which was incorporated in Slovakia – was considered to be established in Hungary by virtue of the use of a website in Hungarian, which advertised Hungarian properties, use of a local agent, and use of a Hungarian postal address and bank account.

Similarly, in Google Spain SL, Google Inc. v. AEPD, Mario Costeja Gonzalez (C- 131/12) (known as the "right to be forgotten" decision), the CJEU found that U.S.- incorporated Google Inc. was established in the EU because its search activities were sufficiently linked to the advertising sales generated by Google Spain, a local subsidiary. Because the data processing at issue in that case was related to the search business which Google Spain's sale of online advertising helped finance, the CJEU found that the processing was carried out “in the context of the activities” of the Spanish establishment.
Not Rated
Secure Code