3 Examples of Article 3: Territorial Scope of the GDPR

When the General Data Protection Regulation (GDPR) came into force in May 2018, it redefined global standards for privacy and data protection. Many associate it only with European companies, yet the regulation’s influence is far wider. One of its most important provisions, Article 3, clarifies exactly who must comply, regardless of geography.

This article, titled “Territorial Scope,” establishes when and how the GDPR applies based on where an organisation is established and how it interacts with individuals in the European Union (EU) and the European Economic Area (EEA). Understanding Article 3 is essential not only for EU businesses but also for any organisation outside Europe that might collect or process data about EU residents.

Below, we will first outline what Article 3 says, then explore three practical examples—each showing a different way the GDPR can reach beyond European borders.


Understanding Article 3 of the GDPR

Article 3 contains three key rules that determine territorial reach:

  1. The establishment criterion (Article 3 § 1):
    The GDPR applies to any organisation that processes personal data “in the context of the activities of an establishment” within the EU, even if the data processing itself occurs elsewhere.
  2. The targeting criterion (Article 3 § 2):
    The GDPR also applies to non-EU companies if they offer goods or services to individuals in the EU or monitor their behaviour within the EU.
  3. The processor rule (Article 3 § 3):
    Even a processor located outside the EU is covered if it processes data on behalf of an EU-based controller.

Together, these clauses ensure that wherever personal data of EU residents are processed, the same protection follows.


Example 1: An EU Company Serving Global Customers

Imagine StyleHaus GmbH, a fashion e-commerce company headquartered in Munich. It sells designer clothes worldwide, hosts its servers in Singapore, and uses a U.S. cloud-based analytics tool.

Although many of its operations occur outside the EU, StyleHaus is clearly established within Europe. Every decision about how and why customer data are processed originates from its German headquarters. Under Article 3 § 1, the GDPR therefore applies to all of StyleHaus’s activities, including marketing emails, order tracking, and customer-service databases—even if these systems are physically hosted abroad.

The European Court of Justice has consistently interpreted the “establishment” concept broadly. In the landmark Google Spain v. AEPD ruling, the court found that data processing carried out outside Europe could still fall under EU law if there is a close connection to an EU branch. Applying the same reasoning, StyleHaus’s global data operations are considered to take place “in the context” of its European business.

Being an EU-based company, StyleHaus must also comply with GDPR rules for international data transfers under Articles 44 to 50. Whenever it shares information with partners or stores data on non-EU servers, it must rely on lawful transfer mechanisms such as Standard Contractual Clauses or adequacy decisions approved by the European Commission.

This first example shows the simplest scenario. If a company is established in an EU Member State, the GDPR automatically governs its processing activities, even when the data travel worldwide. The law follows the organisation’s establishment rather than the physical location of the servers.


Example 2: A Non-EU Company Targeting EU Consumers

The second example concerns FitTrack Inc., a U.S. start-up based in California that sells a mobile fitness-tracking app. The application records steps, heart rate, and calories and offers personalised health recommendations. FitTrack’s website is available in multiple European languages, displays prices in euros, and advertises on social-media platforms targeting France, Germany, and Spain.

Even though FitTrack has no branch or office inside the EU, it deliberately directs its services to European users. This falls squarely under Article 3 § 2 (a)—the targeting criterion. Recital 23 of the GDPR explains that merely having a website accessible in Europe is not enough. What matters is whether there is an intentional effort to engage EU residents. Indicators include using EU languages, showing prices in local currency, or offering shipping and support tailored to Europe.

FitTrack checks all those boxes. As a result, it must comply with the GDPR when processing the personal data of EU individuals who download or subscribe to the app. That means obtaining valid consent, providing clear privacy notices, and ensuring users can exercise rights such as access, rectification, and erasure. Because FitTrack has no physical establishment within Europe, it must also appoint an EU representative under Article 27. This representative acts as the point of contact for both data subjects and supervisory authorities.

FitTrack’s case resembles several real-world enforcement actions. European regulators have fined non-EU companies for using tracking technologies or analytics without proper consent. In one well-known instance, France’s CNIL penalised an American firm for cookie practices affecting EU visitors, confirming that Article 3 § 2 applies even without an EU office.

This example demonstrates that the GDPR’s territorial scope is triggered by intent. When a company outside the EU aims its services at EU customers, it must respect EU data-protection standards just like any local business.


Example 3: A Non-EU Company Monitoring EU Behaviour

For the third example, imagine AdSpectra Ltd., a Canadian advertising-technology company. It provides tracking scripts that website owners can embed to measure visitor engagement and display personalised ads. Some of AdSpectra’s clients operate in the EU, meaning its scripts inevitably collect information from individuals located in Europe—such as IP addresses, click behaviour, and browsing preferences.

This situation activates Article 3 § 2 (b), which extends the GDPR to organisations that monitor the behaviour of people within the EU. Monitoring includes any form of tracking or profiling used to analyse or predict an individual’s personal preferences or interests.

By recording EU visitors’ actions for behavioural advertising, AdSpectra is clearly monitoring behaviour inside the EU, even though it is headquartered in Toronto. Therefore, AdSpectra must implement GDPR-compliant measures: obtaining valid consent for cookies, offering opt-outs, signing data-processing agreements with its European clients, and ensuring lawful transfer mechanisms for any personal data sent overseas.

Furthermore, like FitTrack, AdSpectra must appoint an EU representative to liaise with regulators. It must also respect data-subject rights, maintain records of processing activities, and apply technical and organisational safeguards to protect information.

Failure to comply could lead to enforcement similar to the Planet49 GmbH case, where the Court of Justice ruled that pre-ticked consent boxes for cookies are invalid. European authorities have repeatedly underlined that behavioural profiling without informed consent breaches the GDPR.

This example shows how Article 3 covers even passive data collection. A company may not sell directly to EU customers, but if it tracks their online activity or analyses their behaviour, it still falls within the regulation’s reach.


Drawing the Line: How These Examples Differ

Through these three scenarios—StyleHaus, FitTrack, and AdSpectra—we can see the three distinct gateways into GDPR territory. The first illustrates the establishment principle, where the organisation’s presence in the EU automatically subjects it to the law. The second highlights targeting, where a non-EU company intentionally markets to European consumers. The third demonstrates monitoring, where behaviour tracking alone is enough to trigger GDPR obligations.

Each pathway leads to the same conclusion: the GDPR’s protection travels with the individual, not with the organisation’s location. Whether data are processed in Berlin, Boston, or Toronto, the law applies whenever EU residents’ information is involved.


Global Impact of Article 3

Article 3 has changed how the entire world thinks about privacy compliance. Before the GDPR, most data-protection laws applied only within national borders. The EU turned that model inside out, declaring that rights should follow individuals wherever their data go.

This approach—sometimes called the “Brussels Effect”—has inspired many countries to adopt similar laws. The California Consumer Privacy Act (CCPA), Brazil’s LGPD, Japan’s amended APPI, and the UK GDPR after Brexit all reflect the same principle: a company can no longer escape privacy responsibilities by moving data abroad.

For multinational organisations, this means privacy compliance has become a global baseline rather than a regional checkbox. Many firms have adopted GDPR-level standards across all markets simply to maintain consistency and consumer trust.


Practical Guidance for Businesses

Understanding Article 3 is the first step toward proper compliance. Businesses—inside or outside the EU—should examine their data flows and answer a few critical questions.

First, do you have an establishment in the EU?
If so, every processing activity related to that establishment is covered by the GDPR, even if servers or staff are located elsewhere.

Second, do you intentionally target people in the EU?
If your marketing, pricing, or customer service is aimed at European residents, you are offering goods or services within the meaning of Article 3 § 2 (a).

Third, do you track or profile EU users?
Analytics, cookies, or behavioural advertising may qualify as monitoring under Article 3 § 2 (b), triggering GDPR duties.

Fourth, have you appointed an EU representative when required?
Non-EU controllers and processors that fall under Article 3 § 2 must designate a representative within the Union.

Fifth, are your international data transfers lawful?
Whenever personal data move outside the EU, organisations must rely on approved safeguards such as Standard Contractual Clauses or Binding Corporate Rules.

Addressing these questions early prevents costly mistakes. Supervisory authorities can impose penalties up to €20 million or 4 percent of global annual turnover, whichever is higher, for severe violations. Beyond fines, non-compliance can also erode customer trust and disrupt partnerships with European businesses that demand GDPR-ready vendors.


Why Article 3 Represents a New Standard for Accountability

At its heart, Article 3 reflects a simple philosophy: privacy protection should depend on the person, not the place. The EU wanted to ensure that citizens’ rights do not vanish when their data cross borders. In an era where cloud computing, mobile apps, and online advertising operate seamlessly across continents, this territorial principle ensures consistent protection.

The article also promotes fairness in global commerce. Without it, non-EU companies could undercut European competitors by ignoring privacy obligations. By applying the same rules to all who handle EU residents’ data, the GDPR levels the playing field and fosters trust in international trade.

Moreover, Article 3’s extraterritorial reach has pushed corporations to build privacy into their design from the start. Data-minimisation policies, encryption, and transparent consent practices are now standard across industries—benefiting consumers everywhere, not just in Europe.


Conclusion

Article 3 of the GDPR serves as the legal compass that determines where the regulation applies. Through the examples of StyleHaus GmbH, FitTrack Inc., and AdSpectra Ltd., we can see three distinct paths leading to the same destination: compliance with European data-protection law.

StyleHaus, established in Germany, must follow the GDPR under the establishment criterion. FitTrack, based in the United States, is bound by it because it intentionally targets EU customers. AdSpectra, located in Canada, falls under its scope by monitoring EU users’ online behaviour.

Together, these scenarios show how the GDPR transcends borders, shaping global expectations for data protection. Whether your organisation sells fashion, offers digital services, or runs analytics, if it touches the personal data of individuals in the EU, Article 3 ensures that privacy rules apply.