What does territorial scope mean under the GDPR?

January 24, 2018 Kevin Kish

Determining an organization’s applicability under the General Data Protection Regulation is a complex topic, and many are left a bit confused while researching applicability under the monumental regulation. Oftentimes, there’s conflicting information as to whether it applies to a specific organization. The expansive coverage of the GDPR by itself can be intimidating, but, by breaking down the fundamentals into smaller, more manageable sections, we can start making better decisions on its applicability and craft a compliance framework based on a solid foundation.

Before we jump into the requirements, it’s important to note that the criteria below are applicable to organizations even where the processing of personal data takes place outside of the EU. Due to that international reach, one cannot simply avoid GDPR obligations by being outside the jurisdiction of the EU. So, let’s begin to dissect the parts of Article 3 and its provisions under "territorial scope" to get a better understanding of how the GDPR classifies an "in-scope" organization, along with the two conditions that decide the applicability of the regulation to an organization.

Criterion 1: If your business is offering goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU

The definition of "offering of goods and services" isn’t extraordinarily specific when referring to Article 3. In general, websites are globally accessible. So, would that mean your business is, by default, offering goods and services to EU citizens? Looking further into the GDPR’s clarification under Recital 23 provides a better perception of how it’s interpreted according to the regulation.

Read More: iapp.org/news

About the Author

Kevin Kish

Kevin Kish is a Privacy Technical Lead with Schellman & Company, LLC. Prior to joining Schellman, Kevin worked as an IT Compliance Manager, specializing in IT Security and Data Privacy compliance frameworks, including ISO 27001, HITRUST, Privacy Shield and the General Data Protection Regulation. As a Senior Associate with Schellman, Kevin is focused primarily on data protection laws for organizations across various industries.
