- Art. 3(2)
- Art. 3(3), 27
- Recitals 23, 24, 80
- EDPB Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
Art. 3(2):
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union OR
- (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
Art. 3(2) Key elements:
- determining factor is the location of the data subject;
- a non-EU entity that is offering (free or paid) goods or services to data subjects in the EU is subject to the GDPR;
- a non-EU entity that is monitoring the behaviour of EU subjects is subject to the GDPR.
- note: an EU based entity is subject to the GDPR under Art. 3(1).
EDPB Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)
- A controller or processor outside the EU can be subject to the GDPR depending on their processing activities.
- The EDPB recommends a twofold analysis approach:
- a) to determine that the processing relates to personal data of data subjects who are in the Union, and,
- b) whether processing relates to the offering of goods or services or to the monitoring of data subjects’ behaviour in the Union
- a) EDPB states that the term “data subjects who are in the Union” is not restricted to citizenship, residence or legal status of the data subject. It covers everyone located and present in the Union “at the moment when the relevant trigger activity takes place, i.e. at the moment of offering of goods or services or the moment when the behaviour is being monitored, regardless of the duration of the offer made or monitoring undertaken”.
- b.i) EDPB states that the concept of “offering of goods or services” should take into account the EU case law and Recital 23 to ascertain the intention of controllers and processors. These include:
- 1) offering products online and in-person,
- 2) having demonstrated an intention to offer goods or services to EU-based data subjects,
- 3) factors such as use of a language or a currency generally used in member states,
- 4) mentioning customers or users in the Union,
- 5) or otherwise making it apparent that the controller envisages offering to data subjects in the Union.
- b.ii) EDPB states that “monitoring of data subjects’ behaviour” should take into account Recital 24 and specific EDPB examples of monitoring such as:
- tracking a person online or through other types of technology such as wearable and other smart devices,
- behavioural advertisement,
- geolocation activities, in particular for marketing purposes,
- tracking through the use of cookies or other techniques such as fingerprinting,
- personalised diet and health analytics services online,
- CCTV,
- market surveys and other behavioural studies based on individual profiles,
- Monitoring or regular reporting on an individual’s health status and so forth.
- The EDPB guidelines reiterate Recital 23 and state that the mere accessibility of a website in the Union, or of an email address, or the use of a language generally used in the controller’s country, is not sufficient to demonstrate an intention to offer goods or services to data subjects in the Union.
Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller
(Joined cases C-585/08 and C-144/09)
- EDPB guidelines suggest taking the following factors into account when considering whether goods or services are being offered to data subjects in the Union:
- The EU or at least one Member State is designated by name with reference to the good or service offered;
- The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
- The international nature of the activity at issue, such as certain tourist activities;
- The mention of dedicated addresses or phone numbers to be reached from an EU country;
- The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;
- The description of travel instructions from one or more other EU Member States to the place where the service is provided;
- The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
- The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member States;
- The data controller offers the delivery of goods in EU Member States.
Art. 27 and Recital 80: Non-EU based controllers and processors are required to designate in writing a representative in the Union.