What does territorial scope mean under the GDPR?

January 24, 2018 Kevin Kish

Determining an organization’s applicability under the General Data Protection Regulation is a complex topic, and many are left a bit confused while researching applicability under the monumental regulation. Oftentimes, there’s conflicting information as to whether it applies to a specific organization. The expansive coverage of the GDPR by itself can be intimidating, but, by breaking down the fundamentals into smaller, more manageable sections, we can start making better decisions on its applicability and craft a compliance framework based on a solid foundation.

Before we jump into the requirements, it’s important to note that the criteria below apply to organizations even where the processing of personal data takes place outside of the EU. Due to that international reach, an organization cannot simply avoid GDPR obligations because it is outside the jurisdiction of the EU. So, let’s begin to dissect the parts of Article 3 and its provisions under "territorial scope" to get a better understanding of how the GDPR classifies an "in-scope" organization, along with the two conditions that decide the applicability of an organization in the eyes of the regulation.

Criterion 1: If your business is offering goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU

The definition of "offering of goods and services" isn’t extraordinarily specific when referring to Article 3. In general, websites are globally accessible. So, would that mean your business is, by default, offering goods and services to EU citizens? Looking further into the GDPR’s clarification under Recital 23 provides a better perception of how it is interpreted according to the regulation.

Read More: iapp.org/news

About the Author

Kevin Kish

Kevin Kish is a Director of Privacy Compliance at Schellman. With 10 years of industry experience, Kevin has a strong history of implementing, maintaining, and assessing global information security and privacy requirements, including ISO 27001, HITRUST, Privacy Shield, and the General Data Protection Regulation (GDPR). As an industry advocate, he is passionate about researching and writing on the concepts of adaptable data privacy and providing education to clients on the risks, challenges, and best practices around data privacy legislation. He holds several privacy certifications from the International Association of Privacy Professionals (IAPP), including CIPP/US, CIPP/E, and CIPM.
