Territorial Scope of the GDPR


This Article will be present a hypothetical showcase of what could have happened if Cambridge Analytica scandal had broken after the GDPR came into power. GDPR is a Regulation (EU) number 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation. “The new General Data Protection Regulation (‘GDPR’), regulates the processing by an individual, a company or an organization of personal data relating to individuals in the EU. It doesn’t apply to the processing of personal data of deceased persons or of legal persons. The rules don’t apply to data processed by an individual for purely personal reasons or for activities carried out in one’s home, provided there is no connection to a professional or commercial activity. When an individual uses personal data outside the personal sphere, for socio-cultural or financial activities, for example, then the data protection law has to be respected.” Also, as scandal involves the UK, which is still in the EU, and UK’s legal establishment (Cambridge Analytica) and the personal data of the third countries (Facebook’s users in the US), one of the most controversial and most important provisions of the GDPR will be explained, the provision of territorial scope of GDPR. 


Terirorial Scope of the GDPR[

The territorial scope of the General Data Protection Regulation is determined by Article 3 of the Regulation and represents a significant evolution of the EU data protection law compared to the framework defined by Directive 95/46/EC

Art. 3 GDPR Territorial scope:

  1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
  3. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  4. the monitoring of their behaviour as far as their behaviour takes place within the Union.
  • This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

According to Art. 3 of the GDPR three most important criterion for application of the GDPR are establishment in the EU, offering goods and services and monitoring of behavior. GDPR is quite modest when defining what an establishment in the EU is and what means offering services and goods, or monitoring the behavior, so the case law of the CJEU should be consulted for determining the application of the GDPR in an individual case. Even though, the meaning of the three most important criterion according to the European Data Protection Board Guidelines 3/2018 on the territorial scope of the GDPR should be determined on the case-by-case bases, it is beyond doubts that Cambridge Analytica as a stable establishment with the UK and EU would fall under the GDPR provision solely by the fact it had operated from the United Kingdom.


Strahinja Mavrenski