Territorial scope and the GDPR: When does it apply?
While it is useful to have guidance, the recent EDPB paper on when the GDPR applies still leaves open plenty of questions. Helena Wootton analyses the issues at stake and suggests ways forward towards greater clarity.
In one of its most recent guidance papers(1), the European Data Protection Board (EDPB) aims to clarify the territorial scope of the GDPR, and when and the extent to which it applies to processing operations by businesses who may (or may not at first glance!) operate within Europe.
This article aims to help organisations interpret the EDPB paper and understand when the GDPR will apply. For the most part this is fairly obvious, straightforward and common sense. However, around the edges are where the nuances are most difficult to apply in practice.
The GDPR applies to businesses whose processing activities take place within the European Union, or they are offering goods or services to individuals within the Union, or monitoring of their behaviour, or when their third party processors are within the Union if those activities are related to the business’s main activities.