The European Data-Protection Board has published a new set of guidelines on the territorial scope of the GDPR (Article 3).
The territorial scope of General Data Protection Regulation (the GDPR) is determined by Article 3 of the Regulation and represents a significant evolution of the EU data protection law compared to the framework defined previously.
In part, the GDPR confirms choices made by the EU legislator and the Court of Justice of the European Union (CJEU) in the context of Directive 95/46/EC. However, important new elements have been introduced. Most importantly, the main objective of Article 4 of the Directive was to define which Member State's national law is applicable, whereas Article 3 of the GDPR defines the territorial scope of a directly applicable text. Moreover, while Article 4 of the Directive made reference to the 'use of equipment' in the Union's territory as a basis for bringing controllers who were "not established on Community territory" within the scope of EU data protection law, such a reference does not appear in Article 3 of the GDPR. Article 3 of the GDPR reflects the legislator's intention to ensure comprehensive protection of EU data subjects' rights and to establish, in terms of data protection requirement, a level playing field for companies active on the EU markets, in a context of worldwide data flows. Article 3 of the GDPR defines the territorial scope of the Regulation on the basis of two main criteria: the "establishment" criterion, as per Article 3(1), and the "targeting" criterion as per Article 3(2). Where one of these two criteria is met, the relevant provisions of the GDPR will apply to the processing of personal data by the controller or processor concerned. In addition, Article 3(3) confirms the application of the GDPR to the processing where Member State law applies by virtue of public international law.