Overview

This article of the GDPR defines the regulation's territorial reach. It applies to personal data processing carried out by controllers and processors established in the EU, and to non-EU organizations that offer goods or services to EU data subjects or monitor their behavior. The GDPR also applies where the processing falls under applicable Member State law.

Key Principles

  • EU Establishment: Any controller or processor established in the EU is subject to GDPR.

  • Targeting EU Data Subjects: Non-EU organizations offering goods/services to or monitoring EU individuals fall under GDPR.

  • Member State Law Applicability: GDPR applies where local EU laws govern the processing.

Organizational Applicability

Applies to:

  • EU-based controllers and processors handling personal data.

  • Non-EU organizations targeting or offering services to EU residents.

  • Non-EU organizations monitoring behavior of EU data subjects.

Organizations must assess whether their activities trigger GDPR obligations in any EU jurisdiction.

Implementation Requirements

  • Identify whether the organization or processing activity falls under EU establishment or targets EU data subjects.

  • Maintain records demonstrating whether GDPR applies, including contracts, website targeting evidence, and service offerings.

  • Implement GDPR-aligned data protection measures for all processing that falls within the scope.

Implementation Guidance

  • Map all processing activities to determine territorial applicability.

  • Review websites, marketing campaigns, and services to confirm targeting or monitoring of EU individuals.

  • Ensure GDPR-compliant policies, notices, and contracts are applied for all in-scope processing.

  • Document decisions and assessments to demonstrate compliance during audits.

Periodic Review

  • Frequency: Annually or upon expansion into new markets or changes in service offerings.

  • Responsible Role: Data Protection Officer (DPO) or Compliance Team.

  • Outcome: Confirm ongoing applicability of GDPR and update documentation and measures accordingly.

Non-Compliance Risks

  • Fines: Up to €20 million or 4% of global annual turnover.

  • Legal Exposure: Enforcement actions from EU regulators.

  • Reputational Damage: Loss of trust from EU customers and partners.

  • Operational Limitations: Restrictions on offering services in EU markets.