Territorial scope of the GDPR

18 september 2019

The territorial scope of General Data Protection Regulation (the GDPR) is determined by Article 3 of the Regulation and represents a significant evolution of the EU data protection law compared to the framework defined by Directive 95/46/EC.  Under the GDPR, important new elements have been introduced.  In particular, Article 3 of the GDPR reflects the legislator’s intention to ensure comprehensive protection of EU data subjects’ rights.

Article 3(1) of the GDPR provides that the GDPR applies to the to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.For the EDPB (Guidelines 3/2018 on the territorial scope of the GDPR of November 16, 2018), Article 3(1) GDPR makes reference not only to an establishment of a controller, but also to an establishment of a processor. As a result, the processing of personal data by a processor may also be subject to EU law by virtue of the processor having an establishment located within the EU. 

Article 3(2) of the GDPR provides that this regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: 

a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or 

(b) the monitoring of their behavior as far as their behavior takes place within the Union. 

 

The EDPB pointed out that the application of the “targeting criterion” towards data subjects who are in the Union, as per Article 3(2), can be triggered by two distinct and alternative types of activities carried out by a controller or processor not established in the Union. In addition to being applicable only to a controller or processor not established in the Union, the targeting criteria largely focus on what the “processing activities” are “related to”, which is to be considered on a case-by-case basis. 

Ultimately,  Article 3(3) provides that this Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.This provision is expanded upon in Recital 25 which states that “[w]here Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.” 

The definitions and status of diplomatic missions and consular posts are laid down in international law, respectively in the Vienna Convention on Diplomatic Relations of 1961 and the Vienna Convention on Consular Relations of 1963. 

The EDPB considered that the GDPR applies to personal data processing carried out by EU Member States’ embassies and consulates, insofar as such processing falls within the material scope of the GDPR, as defined in its Article 2.

Please remember that representatives of controllers or processors not established in the Union mustdesignate in writing a representative in the Union in compliance with article no. 27 of the GDPR.

 

 

 

News archive

 

Firm news

lug13

13/07/2026

Google Android: the Court of Justice upholds Google’s fine of around €4.1 billion

Judgment of the Court of Justice of the EU in Case C-738/22 P | Google and Alphabet v Commission   The appeal brought by Google and its parent company Alphabet against the judgment of the General

lug13

13/07/2026

Judgment of the General Court in Joined Cases T-1079/23, T-1080/23 | Apple v Commission and T-214/24 Apple and Apple Distribution International v Commission

Digital services: the General Court of the EU dismisses Apple’s actions regarding its designation as a gatekeeper in relation to the App Store and iOS The General Court also rules that

lug13

13/07/2026

Opinion of the Advocate General in Cases C-535/25 | Amazon Italia Logistica, C-536/25 | Amazon Italia Services and C-537/25 | Amazon Italia Transport

According to Advocate General Campos Sánchez-Bordona of the Court of Justice of the European Union, companies in the Amazon group provide postal services in Italy Consequently, the requirement

Lawyer News

lug17

17/07/2026

Monopattini elettrici, assicurazione Rc dal 16 luglio dopo il rinvio MIT–MIMIT

Sanzioni confermate: 100 euro (ridotti

lug17

17/07/2026

ISA 2025, nuove regole: concordato biennale e società tra avvocati

L’Agenzia delle Entrate illustra le novità

lug17

17/07/2026

Giornalisti professionisti, aperta la sessione 2026 per l’iscrizione all’Elenco

Il CNOG indice l’esame: il termine per