The GDPR material scope refers to the activities that are within or outside the scope of the instrument, and it is stated in Art.2.
The GDPR territorial scope refers to the application of the regulation to organisations within and outside the EU*, and it is stated in Art.3.
Useful? Embed this infographic on your website.
To be accurate regarding the full applicability of the GDPR, you need a deep and clear understanding of both scopes. In particular, this article explores the GDPR territorial scope, to help when deciding whether the regulation applies to an organisation or not.
In line with Art. 3, the GDPR applies to:
- An EU establishment of a data controller or processor, processing personal data in the context of activities, regardless of where the data is processed;
- A Non-EU establishment of a data controller or processor, processing personal data of persons who are in the Union because their offering goods/services (paid or for free) or monitoring the behaviour of those individuals within the Union; and,
- Where EU Member State law applies by virtue of public international law.
Key Points:
- “establishment” is taken in a broad sense and hence does not specify any particular legal form either legal personality thus captures entities such as branches and subsidiaries.
- An organisation is considered “established” where it exercises any real and effective activity – even a minimal one- through stable arrangements in one or more EU Member States.
- For point 1, keep in mind that the GDPR applies regardless of whether the actual processing takes place in the Union or not.
- In line with Recital 14, “the protection afforded by the GDPR should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”
- For point 2, the mere existence of a website would not be sufficient to ascertain the intention of offering goods/services to data subjects who are in the Union. Keep in mind Recital 23, “factors such as language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union”.
- Also, for point 2, consider points 82 and 83 in the cases of Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller (joined cases). However, be aware that the list is not exhaustive and shall be observed on a case by case basis.
- “Monitoring” see Recital 24: “whether the natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist in profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours, and attitudes”.
- “Profiling” refers to Article 4(4) and the last revised Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679.
- For point 3, Recital 25, gives the example of a diplomatic mission or consular position.
- Data controllers and processor not established in the EU that falls under Article 3(2) must appoint an EU-based representative, in line with Article 27.
Jessica Lam
Lawyer and Entrepreneur.
Latest posts by Jessica Lam (see all)
- Processing Personal Data - March 30, 2021
- What is Privacy? - February 25, 2021
- What is Privacy Engineering? - January 14, 2021