GDPR: Article 3 – Territorial Scope
Overview
The term “territorial scope” is used to describe the GDPR’s applicability to data controllers (businesses) and data processors (service providers) based outside the European Union.
The GDPR applies to any business that processes the personal data of individuals within the European Union, regardless of whether the company is based inside or outside the EU. This is because the GDPR’s territorial scope is not limited to companies based in the EU.
Two main criteria must be met for the GDPR to apply to data controllers or processors:
- The data controller or processor must offer goods or services to individuals in the European Union.
- The data controller or processor must monitor the behavior of individuals in the European Union.
If either criterion is met, the GDPR will apply regardless of whether the data controller or processor is based inside or outside the EU.
It is important to note that the GDPR does not apply to data controllers or processors based in the European Union.
The territorial scope is significant because it ensures that companies that process the data of EU citizens are subject to the GDPR, even if the company is not based in the EU. This is important because it ensures that EU citizens have the same level of protection regardless of where their data is processed.
The territorial scope is also significant because it ensures that companies that process the data of EU citizens are subject to the jurisdiction of the EU courts. This is important because it ensures that EU citizens have the same level of protection regardless of the company's location.
Pertinent Recitals
Recitals – 22
Processing by an Establishment.
When the national law of an EU member state provides specific rules on the protection of personal data, those rules shall take precedence over this Regulation to the extent that they conflict with this Regulation.
In addition, this Annex shall not apply to the processing of personal data by an establishment in a third country if the personal data are processed in the context of the activity of an establishment of a controller or a processor in the Union unless that establishment of the controller or processor in the Union makes use of equipment situated in a third country for processing the personal data on behalf of the controller or processor.
Recitals – 23
Applicable to Controllers/Processors Not Established in the Union if Data Subjects Within the Union are Targeted.
The EU data protection law applies to controllers not established in the Union if they target data subjects within the Union. The rule applies regardless of whether the data processing occurs in the Union.
The law also applies to controllers not established in the Union if they offer goods or services to data subjects in the Union or if they monitor the behaviour of data subjects.
If you are a controller not established in the Union, but you target data subjects in the Union, you must appoint a representative in the Union. You must also comply with the other obligations of the GDPR.
If you are a controller not established in the Union but target data subjects in the Union, you must comply with the GDPR.
Recitals – 24
Applicable to Controllers/Processors Not Established in the Union if Data Subjects Within the Union are Profiled.
Under the EU General Data Protection Regulation (GDPR), data controllers not established in the Union are only subject to the GDPR if they process the personal data of data subjects in the Union when selecting the controller in the Union.
However, suppose a controller not established in the Union processes the personal data of data subjects for profiling. In that case, they will be subject to the GDPR regardless of their establishment in the Union.
Recitals – 25
Applicable to Controllers Due to International Law
Controllers' obligations under the GDPR are mainly centered around data minimization, data accuracy, storage limitation, and accountability. In addition, controllers must take measures to ensure the security of personal data and provide individuals with certain rights concerning their personal data.
Under GDPR, controllers must provide individuals with certain information about their rights, the specific purposes for which their data will be processed, and the contact details of the controller. This information must be provided clearly and concisely and must be accessible and easy to understand.