Article 3 - Territorial Scope

One of the common questions about GDPR has been "Does GDPR affect businesses in my country?". To clarify this question, let's look at Article 3 - Territorial Scope.

Article 3 text:

GDPR makes the 3 statements about the scope of the regulation: 

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law

In summary:

If any of the following points apply to your organisation, then it is likely GDPR will apply to you:

  • If your organisation has offices within the EU
  • If you process personal data of people within the EU
  • If EU law applies in your country

In addition to these rules, the following cases have also been clarified:

Does GDPR apply in the UK? 

Yes - GDPR will apply to UK businesses post-Brexit. The date for implementation will remain the same as other countries, 25 May 2018.

Does GDPR apply in Jersey and Guernsey?

Yes - GDPR will apply to Jersey and Guernsey.

Although Jersey and Guernsey have a special relationship with the EU, both Jersey and Guernsey voluntarily use EU legislation or the international standards on which they are based. This means as part of EU legislation, GDPR will apply to both Jersey and Guernsey