Article 3 establishes when and where the GDPR applies to protect. It is designed to protect the personal data of individuals within the European Union (EU), even if the data processing happens outside EU borders.

The GDPR applies to any organization that has an establishment, such as a branch, office, factory, etc., within the EU if they process the personal data of individuals in the EU. This applies regardless of where the actual data processing takes place.

The GDPR applies to organisations outside the EU in two specific situations:

• If a non-EU company targets individuals in the EU by offering them goods or services, even free, the GDPR rules apply.
• If a non-EU company tracks the online behavior of individuals in the E,U for example, through website cookies or tracking technologies, the GDPR rules apply as long as the behavior occurs within the EU.

Article 3(3) extends the GDPR’s protection in this scenario. If a company operates outside of the EU but in a place where the law of an EU Member State applies (due to international agreements), the company still needs to comply with the GDPR when processing the data of EU residents.

For example, if a United States embassy in France collects personal data from EU citizens for visa applications or other services, it must comply with the GDPR for processing that data, even though it is located on what is considered U.S. territory for many purposes.

Organizations outside the EU should comply with the GDPR like any other organization. They must appoint an EU representative, which should act as a point of contact with authorities and individuals within the EU.