What does territorial scope mean under the GDPR?

Determining an organization’s applicability under the General Data Protection Regulation is a complex topic, and many are left a bit confused while researching applicability under the monumental regulation. Oftentimes, there is conflicting information as to whether it applies to a specific organization. The expansive coverage of the GDPR by itself can be intimidating, but, by breaking down the fundamentals into smaller, more manageable sections, we can start making better decisions on its applicability and craft a compliance framework based on a solid foundation.

Before we jump into the requirements, it’s important to note that the criteria below apply to organizations even where the processing of personal data takes place outside of the EU. Due to that international reach, an organization cannot simply avoid GDPR obligations because it is outside the jurisdiction of the EU. So, let’s begin to dissect the parts of Article 3 and its provisions under "territorial scope" to get a better understanding of how the GDPR classifies an "in-scope" organization, along with the two conditions that decide the applicability of an organization in the eyes of the regulation.

Criterion 1: If your business is offering goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU

The definition of "offering of goods and services" isn’t extraordinarily specific when referring to Article 3. In general, websites are globally accessible. So, would that mean your business is, by default, offering goods and services to EU citizens? Looking further into the GDPR’s clarification under Recital 23 provides a better perception of how it is interpreted according to the regulation.

Read More: iapp.org/news

About the Author

Kevin Kish

Kevin Kish is a Privacy Technical Lead with Schellman & Company, LLC. Prior to joining Schellman, Kevin worked as an IT Compliance Manager, specializing in IT Security and Data Privacy compliance frameworks, including ISO 27001, HITRUST, Privacy Shield and the General Data Protection Regulation. As a Senior Associate with Schellman, Kevin is focused primarily on data protection laws for organizations across various industries.
