Territorial Scope of GDPR

In the modern world, data is flowing across borders at an unprecedented rate. This creates risks for the data since most laws are only effective within their respective borders and cannot guarantee adequate protection when the data is transferred abroad. It is for this reason that the General Data Protection Regulation (“GDPR”) of the EU was given extra-territorial effect, meaning that the GDPR can affect entities outside of the EU in certain circumstances. This is an especially wide provision since it means that organizations outside of the EU would also have to comply with the GDPR if they match the conditions prescribed in it. This article aims to provide a general basis of knowledge on the territorial scope of GDPR and how non-EU entities could also be subject to the GDPR.

A. Territorial scope of GDPR

Art 3 of GDPR states:

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
3. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
4. the monitoring of their behaviour as far as their behaviour takes place within the Union.
5. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

1. Application of the establishment criterion – Art 3(1)

This provision states that any controller and processor that has an establishment in the Union that processes personal data shall be subject to the GDPR. In this, there are a few elements that must be clarified.

• “An establishment in the Union”

While this content may seem straightforward, it is actually much more complex. An establishment here does not only include official or registered establishments like a branch or a representative office. Recital 22 of the GDPR clarifies that: “[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”

This means that an establishment only needs to be a stable arrangement in the EU through which real and effective activities are exercised, this can be an office, a branch or even as little as a single employee or agent in the EU that acts with stability. However, the mere presence of a stable arrangement in the EU is not enough to make an entity fall under the scope of GDPR. There are also the elements as described below.

• Processing personal data carried out “in the context of the activities” of an establishment

This section means that there must be processing of personal data carried out “in the context of the activities” of the establishment, regardless if the actual processing is carried out by the establishment or not. The determination should be done on a case-by-case basis.

There are elements that can determine whether the processing is carried out in the context of the activities of an establishment or not:[1]

• Relationship between the data controller/processor outside the EU and its establishment in the EU

The data processing activities of a data controller or processor established outside the EU may be inextricably linked to the activities of a local establishment in a Member State, and thereby may trigger the applicability of EU law, even if that local establishment is not actually taking any role in the data processing itself. If a case-by-case analysis on the facts shows that there is an inextricable link between the processing of personal data carried out by a non-EU controller or processor and the activities of an EU establishment, EU law will apply to that processing by the non-EU entity, whether or not the EU establishment plays a role in that processing of data.

• Revenue raising in the EU

Revenue-raising in the EU by a local establishment, to the extent that such activities can be considered as “inextricably linked” to the processing of personal data taking place outside the EU and individuals in the EU, may be indicative of processing by a non-EU controller or the processor being carried out “in the context of the activities of the EU establishment”, and may be sufficient to result in the application of EU law to such processing.

• “Regardless if the processing takes place in the Union or not”

This content simply states that the location where the actual processing of personal data takes place does not factor into determining if an entity is subject to GDPR or not under Art 3.1.

2. Application of the targeting criterion – Art 3(2)

Aside from the cases under Art 3(1) which applies to entities with an establishment in the EU, Art 3(2) also stipulates cases where entities with no establishment in the EU would still be subject to GDPR.

• Data subjects in the Union

Data subjects in the Union do not mean EU citizens or residents. It is stated in the Recital 14 and the Charter of Fundamental Rights of the EU that the right to protection of personal data applies to everyone, regardless of nationality or place of residence. As such, data subjects in the Union refer to data subjects that are present in the EU at the time the processing takes place. This element should then be assessed in concert with the other elements of Art 3(2) to determine if the entity is subject to GDPR or not.

• The offering of goods or services to data subjects in the Union, irrespective of payment

In this case, the offer of goods of services must be directed toward data subjects in the EU and not by accident or coincidence. The accessibility of the service from the EU is not enough to determine this. The “targeting” requirement can be determined via certain elements inter alia:[2]

• The EU or at least one Member State is designated by name with reference to the good or service offered;
• The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
• The international nature of the activity at issue, such as certain tourist activities;
• The mention of dedicated addresses or phone numbers to be reached from an EU country;
• The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
• The description of travel instructions from one or more other EU Member States to the place where the service is provided;
• The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
• The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states;
• The data controller offers the delivery of goods in EU Member States.

The presence of a payment is not required for this provision to take effect.

• Monitoring of data subjects’ behaviour as far as their behaviour takes place within the Union

For Article 3(2)(b) to trigger the application of the GDPR, the behaviour monitored must first relate to a data subject in the Union and, as a cumulative criterion, the monitored behaviour must take place within the territory of the Union.

For this provision, there is no requirement for “intention to target” on the part of the controller or processor like with the offering of services above. However, the act of monitoring implies the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU. The EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring”. It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioural analysis or profiling techniques involving that data.

*Note: Regarding processors for processing activities under Art 3(2), it is important to note that the processor would also be subject to GDPR if its processing is related to the offering of services to or monitoring of individuals in the EU. The processor does not get exempt simply because it is processing on behalf of the controller.

3. Application of the public international law – Art 3(3)

There are cases where the public international law would dictate the applicability of GDPR such as in embassies, consulates, ships in international waters, planes in international air space, etc

B. Case analysis

To further illustrate the applicability of the extra-territorial scope of the GDPR, the article will focus on examining a specific example as follows:

Company A is a Vietnamese company with only a single office in Vietnam. The company provides a music streaming application – “Musca” which can be purchased via the Apple store. The application collects the personal data of the users to register accounts and to provide music recommendations for its users based on their usage history of the app. All the data processing is carried out by company A using its servers in Vietnam. The app was released in March 2024 on the Apple store and the company decided to make the app available in all countries and regions via the Apple store’s availability settings. The app is available in Vietnamese, English, French and German.

1. Determining the applicability of GDPR

• Under Art 3(1)

Company A does not have an establishment in the EU and as such, is not subject to GDPR under Art 3(1).

• Under Art 3(2)

The processing of personal data of EU users of the app would be considered to be within the scope of the GDPR since the processing is related to the offering of goods and services to the EU data subject due to the following elements:

• The app is made available in EU countries. The company has the option of selecting which countries their app will be available. The fact that the company chose to make the app available in EU countries demonstrates that company A envisioned offering its services to customers in the EU;
• The app is available in Vietnamese, English, German and French. The official language of Vietnam is Vietnamese while German and French are not commonly used in Vietnam at all. The inclusion of German and French versions of the app further shows that the company expects and wishes to provide services to customers in Germany and France which are members of the EU.

These two elements demonstrate that company A intends to provide services to the data subjects in the EU. This means that the processing of personal data of users in the EU by company A would be subject to GDPR.

• Under Art 3(3)

As company A is a music streaming company, there is no ground regarding international laws that would allow GDPR to apply to its processing,

2. Implications

As company A would be subject to GDPR for the processing of personal data of EU users, the company would have to follow the provisions of GDPR which would impose certain obligations on the company such as:

1. Appointing a representative in one of the EU states where the data subjects, whose personal data are processed, are located;[3]
2. Ensure compliance with the data processing principles;[4]
3. Exercise data subject rights under GDPR such as: obtaining consent of the data subject; providing information regarding the processing; exercising data subject requests, etc;[5]
4. Ensure adequate data protection by design and default;[6]
5. Notify personal data breaches to the competent data supervisory authority in the EU and the data subjects;[7]
6. Select the appropriate processor (if any) and execute appropriate data processing agreements;[8]
7. Only transfer the personal data of EU users to other entities (either in Vietnam or another non-EU country) when appropriate conditions are met under GDPR;[9]
8. Conduct Data Processing Impact Assessments (DPIA) and appoint a Data Processing Officer (DPO) if applicable;[10]
9. Maintain a Record of Processing Activities (ROPA) if applicable;[11]
10. Demonstrate compliance with GDPR and cooperate with the competent supervisory authorities, etc.[12]

PrivacyCompliance prides itself on its team of experts having achieved numerous internationally recognized certifications such as CIPM, CIPP/E, CISA, CISM, CRISC®, ISO27001 Lead Auditor, etc. With tried-and-tested knowledge and capacity, PrivacyCompliance is confident in being able to provide in-depth and comprehensive solutions on personal data compliance and protection.

[1] European Data Protection Board (EDPB), ‘Guidelines 3/2018 on the territorial scope of the GDPR

(Article 3) Version 2.1’ (12 November 2019) < https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en> accessed 07 January 2024.

[2] ibid.

[3] Art 27, GDPR.

[4] Art 5, GDPR.

[5] Art 12-22, GDPR.

[6] Art 25, GDPR.

[7] Art 33 and 34, GDPR.

[8] Art 28, GDPR.

[9] Chapter V, GPDR.

[10] Art 35 and 37, GDPR.

[11] Art 30, GDPR.

[12] Art 31, GDPR.