Substantive and territorial scope of the GDPR

Substantive and territorial scope are defined in Art. 2 GDPR and Art. 3 GDPR.

Substantive scope

The GDPR applies to the processing of personal data:

  • (wholly or partly) by automated means (i.e., computers, mobile phones, wearables)
  • non-automated means which are part of filing system that are structured in accordance with some specific criteria (i.e., alphabetical order, chronological order etc.)

Territorial scope

The GDPR applies to the following situations:

  • When personal data is processed in the context of the activities of a controller’s/processor’s establishment in the EU
    • it does not matter whether the processing itself takes place in the EU or not
  • When a controller/processor that is not established in the EU processes the personal data of individuals in the EU, and it relates to either:
    • the offering of goods/services to them (irrespective of whether a payment is required)
    • the monitoring of their behavior (as far as their behavior takes place within the EU)

The nationality of the individuals does not matter. The rule applies to anyone within the territory of the EU.