Article 3

Territorial scope

1.   This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2.   This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:


the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or


the monitoring of their behaviour as far as their behaviour takes place within the Union.

3.   This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

What does it mean?

Article 3 establishes when and where the GDPR applies to protect. It is designed to protect the personal data of individuals within the European Union (EU), even if the data processing happens outside EU borders.

The GDPR applies to any organization that has an establishment, such as a branch, office, factory, etc., within the EU if they process the personal data of individuals in the EU. This applies regardless of where the actual data processing takes place.

The GDPR applies to organisations outside the EU in two specific situations:

  • If a non-EU company targets individuals in the EU by offering them goods or services, even free, the GDPR rules apply.
  • If a non-EU company tracks the online behavior of individuals in the E,U for example, through website cookies or tracking technologies, the GDPR rules apply as long as the behavior occurs within the EU.

Article 3(3) extends the GDPR’s protection in this scenario. If a company operates outside of the EU but in a place where the law of an EU Member State applies (due to international agreements), the company still needs to comply with the GDPR when processing the data of EU residents.

For example, if a United States embassy in France collects personal data from EU citizens for visa applications or other services, it must comply with the GDPR for processing that data, even though it is located on what is considered U.S. territory for many purposes.

Organizations outside the EU should comply with the GDPR like any other organization. They must appoint an EU representative, which should act as a point of contact with authorities and individuals within the EU.

Awareness Training

Ensure that your entire company is equipped with the necessary awareness training on the basics of GDPR and IT security.



Get Started within 24 hours.

Once you have submitted your details, you’ll be our top priority!