The territorial scope of General Data Protection Regulation (the GDPR) is determined by Article 3 of the Regulation and represents a significant evolution of the EU data protection law compared to the framework defined by Directive 95/46/EC.  Under the GDPR, important new elements have been introduced.  In particular, Article 3 of the GDPR reflects the legislator’s intention to ensure comprehensive protection of EU data subjects’ rights.

Article 3(1) of the GDPR provides that the GDPR applies to the to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.For the EDPB (Guidelines 3/2018 on the territorial scope of the GDPR of November 16, 2018), Article 3(1) GDPR makes reference not only to an establishment of a controller, but also to an establishment of a processor. As a result, the processing of personal data by a processor may also be subject to EU law by virtue of the processor having an establishment located within the EU. 

Article 3(2) of the GDPR provides that this regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: 

a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or 

(b) the monitoring of their behavior as far as their behavior takes place within the Union. 

The EDPB pointed out that the application of the “targeting criterion” towards data subjects who are in the Union, as per Article 3(2), can be triggered by two distinct and alternative types of activities carried out by a controller or processor not established in the Union. In addition to being applicable only to a controller or processor not established in the Union, the targeting criteria largely focus on what the “processing activities” are “related to”, which is to be considered on a case-by-case basis. 

Ultimately,  Article 3(3) provides that this Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.This provision is expanded upon in Recital 25 which states that “[w]here Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.” 

The definitions and status of diplomatic missions and consular posts are laid down in international law, respectively in the Vienna Convention on Diplomatic Relations of 1961 and the Vienna Convention on Consular Relations of 1963. 

The EDPB considered that the GDPR applies to personal data processing carried out by EU Member States’ embassies and consulates, insofar as such processing falls within the material scope of the GDPR, as defined in its Article 2.

Please remember that representatives of controllers or processors not established in the Union mustdesignate in writing a representative in the Union in compliance with article no. 27 of the GDPR.

News archive