Territorial scope of the GDPR

18 september 2019

The territorial scope of General Data Protection Regulation (the GDPR) is determined by Article 3 of the Regulation and represents a significant evolution of the EU data protection law compared to the framework defined by Directive 95/46/EC.  Under the GDPR, important new elements have been introduced.  In particular, Article 3 of the GDPR reflects the legislator’s intention to ensure comprehensive protection of EU data subjects’ rights.

Article 3(1) of the GDPR provides that the GDPR applies to the to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.For the EDPB (Guidelines 3/2018 on the territorial scope of the GDPR of November 16, 2018), Article 3(1) GDPR makes reference not only to an establishment of a controller, but also to an establishment of a processor. As a result, the processing of personal data by a processor may also be subject to EU law by virtue of the processor having an establishment located within the EU. 

Article 3(2) of the GDPR provides that this regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: 

a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or 

(b) the monitoring of their behavior as far as their behavior takes place within the Union. 

 

The EDPB pointed out that the application of the “targeting criterion” towards data subjects who are in the Union, as per Article 3(2), can be triggered by two distinct and alternative types of activities carried out by a controller or processor not established in the Union. In addition to being applicable only to a controller or processor not established in the Union, the targeting criteria largely focus on what the “processing activities” are “related to”, which is to be considered on a case-by-case basis. 

Ultimately,  Article 3(3) provides that this Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.This provision is expanded upon in Recital 25 which states that “[w]here Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.” 

The definitions and status of diplomatic missions and consular posts are laid down in international law, respectively in the Vienna Convention on Diplomatic Relations of 1961 and the Vienna Convention on Consular Relations of 1963. 

The EDPB considered that the GDPR applies to personal data processing carried out by EU Member States’ embassies and consulates, insofar as such processing falls within the material scope of the GDPR, as defined in its Article 2.

Please remember that representatives of controllers or processors not established in the Union mustdesignate in writing a representative in the Union in compliance with article no. 27 of the GDPR.

 

 

 

News archive

 

Firm news

lug2

02/07/2026

Obblighi del titolare del trattamento in caso di uso di sistemi di AI

L' utilizzo di sistemi di AI per il trattamento dei dati comporta la necessita' per il Titolare del trattamento di rivedere ed aggiornare tutti la documentazione sulla privacy, ivi incluse le informative

lug2

02/07/2026

Obblighi del datore di lavoro in caso di utilizzo di sistemi di AI in azienda

L’articolo 11 della Legge 23 settembre 2025, n. 132 (“Legge AI”) sancisce i principi fondamentali per un uso etico e responsabile dell’AI. Tale disposizione, nel riaffermare la

lug2

02/07/2026

Autorità nazionale anticorruzione - Comunicato 15 maggio 2026[3][1] Approvazione della delibera n. 148 del 1° aprile 2026: «Approvazione delle modifiche e integrazioni apportate allo “Schema di bando tipo n. 1/2023 aggiornato al decreto legislativo 31 dic

L'Autorità nazionale anticorruzione (ANAC), nell'adunanza del Consiglio del 1° aprile 2026, ha approvato la seguente delibera: delibera n. 148 del 1° aprile 2026 «Approvazione

Lawyer News

lug3

03/07/2026

ANAC: revisione al regolamento sull’esercizio del potere sanzionatorio

La modifica, approvata con la Delibera

lug3

03/07/2026

Sharenting, è necessario il consenso congiunto di entrambi i genitori

La madre non può pubblicare foto dei figli

lug3

03/07/2026

Domenico Digregorio: la prudenza del notaio e l’avvento dell’AI

<p><span>L’equilibrio tra la