Article 3 of GDPR

In the previous post, we discussed Article 2 of GDPR, which addresses the Regulation’s material scope. In this post, we shall discuss Article 3 of GDPR, which addresses its territorial scope, i.e. whether GDPR applies only to establishments located in the European Union or also to those outside it.

Article 3 of the GDPR states as follows:

  1. “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
     (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
     (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.”

The above makes it clear that GDPR is applicable to the following:

  1. Processing of personal data by a controller or a processor located in the European Union for an establishment. This does not exclude processing that is done outside the EU. It can be further interpreted to cover the case where the controller or processor is located in the EU but outsources the processing to an entity located outside the EU.
  2. The processing of personal data by a controller or processor not located in the EU, where the processing activities are related to offering goods and services to individuals, whether or not connected to a payment.

An important question is how to ascertain whether a controller or processor is offering goods or services to individuals in the EU. Some important factors to be taken into consideration are as follows:

  • The controller or processor is offering goods and services in one or more Member States in the EU. 
  • The controller or processor uses a language or currency used in one or more Member States.
  • The controller or processor mentions customers or users in the EU.

  3. The monitoring of personal behaviour of individuals as long as the behaviour takes place in the EU. Monitoring of behaviour consists of tracking on the internet by using personal data processing techniques such as profiling a person.
  4. Lastly, GDPR is also applicable to a controller not established in the EU but situated in a place governed by public international law such as a consulate.

Reference:

  1. https://gdpr-info.eu