Understanding territorial scope under GDPR

Broader reach, and heavier fines for misbehavior: these are two significant changes to Europe’s new data privacy law, the General Data Protection Regulation (GDPR), which comes into force on May 25. 

The GDPR is a far-reaching set of rules focused on shielding an individual’s privacy and exchange of data across borders. All companies operating across the European Union, and doing business with its 500 million people, must abide by it.

Imposing new rules for a new era of the digital economy, the GDPR replaces the 1995 Data Protection Directive, and is a recognition of how much the internet has changed.

Territorial expansion is one of GDPR’s more important changes to existing regulations. By reframing GDPR around the “data subject” – defined by GDPR as an “identifiable natural person” – the new regulation will impact many businesses regardless of geographic location.

Below are some of the circumstances under which enterprises are subject to GDPR.

Main impact of GDPR’s increased territorial scope

The GDPR’s section on territorial scope can be found in Article 3 of the regulation. Here it’s made clear that the regulation applies wherever processing of data takes place, be it within or outside the European Union.

A list of GDPR definitions can be found in Article 4 of the regulation.


  • Article 3 makes no references to citizenship, referring only to any person living within the EU, making nationality or country of residence irrelevant.
  • GDPR affects those “in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” The word “establishment” is a broad and flexible term, but an enterprise is generally considered established if it exercises “any real and effective activity” through “stable arrangements” in the EU.
  • Controllers or processors not established in the Union, but which process the data of EU data subjects, are affected. Processing relates to the offering of goods or monitoring of behavior.
  • A company may not necessarily be considered an establishment, but if it monitors the data of EU citizens, it may have to comply. Monitoring includes tracking individuals online to create “profiles,” in order to analyze or predict behaviors or attitudes.
  • Enterprises, institutions or businesses located within the EU will be subject to the most change under GDPR. Even so, their physical location is not as important in determining GDPR compliance as the physical location of the data subject.
  • Companies with strong internet presence offering goods and services to EU data subjects, such as companies located in the United States, will probably be affected.
  • A company is affected if it offers domain registrations to EU data subjects, even if it has no establishment in the EU.
  • Most websites around the world use some form of tracking cookie to, for example, gather data in order to track browser history. However, if a company’s cookie is used specifically for “non-sensitive personal data,” such as tracking items in a user’s shopping cart, then consent isn’t required.
  • Consent, overall, must now be given with affirmative action, such as via preference settings or clicking an opt-in box.
