1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
Article 3 GDPR - Territorial scope
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Relevant Recitals
- Recital 22 Processing by an Establishment
- Recital 23 Applicable to Controllers/Processors Not Established in the Union if Data Subjects Within the Union are Targeted
- Recital 24 Applicable to Controllers/Processors Not Established in the Union if Data Subjects Within the Union are Profiled
- Recital 25 Applicable to Controllers Due to International Law