Understanding Article 3
Article 3 of the GDPR defines its territorial scope. Unlike the earlier EU data protection law it replaced, the GDPR has significant extraterritorial reach: it applies to organizations anywhere in the world when certain conditions are met.
GDPR applies through two main criteria:
- Establishment criterion (Article 3(1)): processing carried out in the context of the activities of an EU establishment
- Targeting criterion (Article 3(2)): processing of the personal data of data subjects in the EU by organizations not established in the EU
Establishment Criterion (Article 3(1))
The GDPR applies to the processing of personal data in the context of the activities of an establishment in the EU, regardless of whether the processing itself takes place in the EU.
What Constitutes an Establishment?
- Any real and effective activity exercised through stable arrangements
- Branch offices, subsidiaries, or representatives
- A single employee can be enough to constitute an establishment
- The legal form of the arrangement is not determinative
Key Points
- The location of the processing is irrelevant once an establishment exists
- The processing must be "in the context of" the establishment's activities
- Even if the data is processed entirely outside the EU, the GDPR applies
Targeting Criterion (Article 3(2)(a))
The GDPR applies to organizations not established in the EU when they process the personal data of data subjects in the EU in connection with offering goods or services to those data subjects, whether or not payment is required.
Indicators of Targeting EU Data Subjects
- Use of a language spoken in an EU member state (other than English)
- Use of an EU currency (EUR)
- Mention of EU customers or users
- EU-specific top-level domain (.de, .fr, .eu)
- Delivery to EU addresses
- Dedicated EU support or contact details
- Advertising targeted at EU audiences
Mere accessibility of a website from the EU is not sufficient on its own. There must be evidence of an intention to offer goods or services to data subjects in the EU.
Monitoring Criterion (Article 3(2)(b))
The GDPR applies to organizations not established in the EU that monitor the behavior of data subjects in the EU, insofar as that behavior takes place within the EU.
Examples of Monitoring
- Tracking individuals on the internet (cookies, device fingerprinting)
- Profiling for targeted advertising
- Behavioral analytics
- Location tracking
- Building profiles for credit scoring
- Health monitoring via wearables
Quick Decision Tree
Use this decision tree to determine whether the GDPR applies to your organization:
Step 1: Do you have an establishment in the EU?
- Yes: the GDPR applies to processing in the context of that establishment
- No: proceed to Step 2
Step 2: Do you offer goods or services to data subjects in the EU?
- Yes (free or paid): the GDPR applies
- No: proceed to Step 3
Step 3: Do you monitor the behavior of data subjects in the EU, where that behavior takes place in the EU?
- Yes: the GDPR applies
- No: the GDPR does not apply
Practical Examples
| Scenario | GDPR Applies? | Reason |
|---|---|---|
| US company with EU subsidiary | Yes | Establishment criterion |
| Indian IT company processing EU employee data for EU client | Yes | Processor for EU controller |
| Australian e-commerce site shipping to Germany | Yes | Offering goods to EU |
| US SaaS with EU pricing in EUR | Yes | Targeting EU market |
| Japanese app tracking EU user behavior | Yes | Monitoring criterion |
| US blog accessible from EU but not targeting EU | No | Mere accessibility insufficient |
| Brazilian company with only Brazilian customers | No | No EU nexus |
EU Representative Requirement
Organizations subject to the GDPR under Article 3(2) must appoint a representative in the EU unless all of the following conditions are met:
- The processing is occasional
- The processing does not include large-scale processing of special category data or criminal offence data
- The processing is unlikely to result in a risk to data subjects
EU Representative Responsibilities
- Point of contact for supervisory authorities
- Point of contact for data subjects
- Must be established in one of the EU member states where the relevant data subjects are located
- Can be held liable for the organization's non-compliance