Territorial and Material Scope (Article 3)
Article 3 of the General Data Protection Regulation (GDPR) defines both the territorial and material scope of the regulation, establishing when and to whom it applies.

**Territorial Scope:** The GDPR applies in three key scenarios:

1. **Establishment in the EU (Article 3(1)):** The regulation applies to the processing of personal data carried out in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the actual processing takes place within the EU or not.
2. **Targeting EU Data Subjects (Article 3(2)):** The GDPR applies to controllers or processors not established in the EU if they process personal data of individuals who are in the EU, where the processing relates to:
   - Offering goods or services to data subjects in the EU (whether or not payment is required), or
   - Monitoring the behavior of data subjects, as far as their behavior takes place within the EU.
3. **International Law Application (Article 3(3)):** The GDPR applies to processing by a controller not established in the EU but in a place where EU Member State law applies by virtue of public international law (e.g., diplomatic missions).

**Material Scope:** Defined under Article 2, the GDPR applies to the processing of personal data wholly or partly by automated means, and to non-automated processing of personal data that forms part of a filing system. It does not apply to purely personal or household activities, national security matters, activities outside the scope of EU law, or processing by competent authorities for law enforcement purposes (covered by the Law Enforcement Directive).
The extraterritorial reach of Article 3 was a significant expansion compared to the previous Data Protection Directive 95/46/EC, ensuring that organizations worldwide must comply with EU data protection standards when dealing with EU residents' data. This broad scope reinforces the GDPR's role as a global benchmark for privacy regulation.
Territorial and Material Scope (Article 3) of the GDPR – A Comprehensive Guide
Introduction: Why Territorial and Material Scope (Article 3) Matters
Article 3 of the General Data Protection Regulation (GDPR) is one of the most foundational provisions in European data protection law. It defines where and to whom the GDPR applies. Without a clear understanding of Article 3, it is impossible to determine whether a specific data processing activity falls within the scope of the regulation. For anyone preparing for the CIPP/E exam, mastering Article 3 is essential because it frequently appears in scenario-based questions and underpins many other GDPR provisions.
The territorial and material scope of the GDPR is significant for several reasons:
• It establishes that the GDPR has extraterritorial reach, meaning it can apply to organisations outside the European Economic Area (EEA).
• It determines whether a particular processing activity triggers GDPR obligations.
• It affects compliance strategies for multinational organisations.
• It has reshaped the global data protection landscape, influencing how companies worldwide handle personal data of individuals in the EEA.
What Is Territorial and Material Scope?
Territorial Scope refers to the geographic reach of the GDPR — in other words, which organisations and which processing activities are covered based on location, presence, or targeting.
Material Scope refers to the types of processing activities the GDPR covers and, importantly, what it does not cover.
Together, these two dimensions answer the fundamental question: Does the GDPR apply to this specific processing activity carried out by this specific entity?
Article 3 — Territorial Scope in Detail
Article 3 contains three main grounds for the GDPR's application:
1. The Establishment Criterion — Article 3(1)
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing itself takes place in the Union.
Key points to understand:
• Establishment is interpreted broadly. It does not require a legal entity or a registered office. According to Recital 22, it implies the effective and real exercise of activity through stable arrangements. Even a single employee or agent can constitute an establishment under certain circumstances.
• The critical phrase is "in the context of the activities of" an establishment. The processing does not need to be carried out by the establishment itself — it needs to be carried out in the context of the establishment's activities.
• The landmark Google Spain (C-131/12) case clarified this concept. The Court of Justice of the European Union (CJEU) held that Google Inc. (based in the US) processed data "in the context of the activities" of Google Spain, its subsidiary that promoted and sold advertising in Spain. Even though the actual data processing occurred on servers outside the EU, the GDPR's predecessor (the Data Protection Directive) applied.
• Location of the processing is irrelevant under Article 3(1). If there is an establishment in the EU and the processing occurs in the context of that establishment's activities, the GDPR applies even if the servers and processing infrastructure are located outside the EEA.
2. The Targeting Criterion — Article 3(2)
Even where there is no establishment in the Union, the GDPR applies to the processing of personal data of data subjects who are in the Union where the processing activities relate to:
(a) The offering of goods or services to data subjects in the Union, irrespective of whether payment is required; or
(b) The monitoring of behaviour of data subjects, as far as their behaviour takes place within the Union.
Key points:
• Article 3(2)(a) — Offering goods or services: Recital 23 provides guidance on what constitutes an intention to offer goods or services. Mere accessibility of a website from within the EU is not sufficient. Factors that indicate targeting include: the use of a language or currency generally used in one or more EU Member States, the mention of customers or users in the EU, the use of a top-level domain of a Member State (e.g., .de, .fr), and advertising directed at EU audiences.
• Article 3(2)(b) — Monitoring behaviour: Recital 24 clarifies that monitoring includes tracking individuals on the internet, including the subsequent use of personal data processing techniques such as profiling, behavioural analysis, and predictive analytics. This is particularly relevant for online advertising, analytics, and cookie-based tracking technologies. The behaviour being monitored must take place within the Union.
• The phrase "data subjects who are in the Union" is important. It is not limited to EU citizens or residents — it covers anyone who is physically present in the Union at the time. An American tourist visiting Paris, for instance, is protected by the GDPR while in the EU.
• Organisations outside the EEA that are caught by Article 3(2) must appoint a representative in the Union under Article 27, unless an exemption applies.
3. Application by Virtue of International Law — Article 3(3)
The GDPR applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law. A classic example is a Member State's diplomatic mission or consular post abroad. The embassy of France in Washington, D.C., for example, must comply with the GDPR when processing personal data, because French law applies there under international law.
Material Scope — Article 2
While Article 3 addresses territorial scope, Article 2 addresses material scope — the types of processing the GDPR covers and the exemptions.
Article 2(1) — What Is Covered:
The GDPR applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system.
This means:
• Automated processing (e.g., computer databases, digital records) is covered.
• Manual processing is covered only if the data is part of, or intended to form part of, a structured filing system (i.e., organised according to specific criteria such as alphabetical order, date, or reference number).
• Unstructured paper records that are not part of a filing system fall outside the GDPR's scope.
Article 2(2) — Exemptions from Material Scope:
The GDPR does not apply to processing:
• (a) In the course of an activity which falls outside the scope of Union law (e.g., national security activities — as confirmed by Recital 16).
• (b) By Member States when carrying out activities under Title V, Chapter 2 of the TEU (Common Foreign and Security Policy).
• (c) By a natural person in the course of a purely personal or household activity (the "household exemption"). Recital 18 clarifies that this includes correspondence, address books, social networking, and online activities in a personal context. However, controllers and processors providing the tools for such activities remain subject to the GDPR. The CJEU cases Lindqvist (C-101/01) and Ryneš (C-212/13) helped delineate the limits of this exemption.
• (d) By competent authorities for the purposes of prevention, investigation, detection, or prosecution of criminal offences, which is governed by the Law Enforcement Directive (LED — Directive 2016/680), not the GDPR.
Article 2(3): Processing by EU institutions and bodies is covered by Regulation (EU) 2018/1725, not the GDPR directly.
Article 2(4): The GDPR is without prejudice to the application of the e-Privacy Directive (Directive 2002/58/EC).
How Territorial and Material Scope Work Together
To determine whether the GDPR applies to a particular situation, you should follow a logical sequence:
Step 1: Is the activity within the material scope of the GDPR? Is it automated processing, or manual processing forming part of a filing system? Does an exemption under Article 2(2) apply?
Step 2: Is the activity within the territorial scope of the GDPR? Does the controller or processor have an establishment in the EU (Article 3(1))? If not, is it targeting data subjects in the EU through offering goods/services or monitoring behaviour (Article 3(2))? Does international law apply (Article 3(3))?
If the answer to both steps is yes, the GDPR applies.
Important Case Law and Guidance
• Google Spain (C-131/12): Broad interpretation of "in the context of the activities of an establishment."
• Weltimmo (C-230/14): A company registered in Slovakia operating a Hungarian-language property website was considered to have an establishment in Hungary due to its real and effective activities there. This case reinforced the broad interpretation of establishment.
• Verein für Konsumenteninformation (C-191/15): Reinforced the broad territorial reach of EU data protection law.
• Ryneš (C-212/13): A CCTV camera system covering a public space was not a purely personal or household activity, thus the household exemption did not apply.
• EDPB Guidelines 3/2018 on Territorial Scope: The European Data Protection Board issued comprehensive guidance on Article 3, providing detailed examples and clarifications on establishment, targeting, monitoring, and the appointment of representatives.
Practical Implications
• A US-based e-commerce company that ships products to EU customers and accepts payment in euros is likely subject to the GDPR under Article 3(2)(a).
• A Chinese social media platform that tracks the online behaviour of users located in Germany is likely subject to the GDPR under Article 3(2)(b).
• A UK-based company (post-Brexit) processing data of EU data subjects may be caught by Article 3(2) if it targets or monitors EU individuals, even though it no longer has an establishment in the EU.
• An EU company processing data entirely outside the EU on non-EU servers is still subject to the GDPR under Article 3(1) if the processing is in the context of its EU establishment's activities.
Exam Tips: Answering Questions on Territorial and Material Scope (Article 3)
1. Identify the three grounds separately. When you encounter a scenario question, systematically check Article 3(1), then 3(2)(a), then 3(2)(b), and finally 3(3). Do not conflate them. The examiners often test whether you can distinguish between the establishment criterion and the targeting criterion.
2. Remember that "establishment" is broadly defined. It does not require a legal entity, a branch, or an office. Stable arrangements and effective exercise of activity are sufficient. Know the Weltimmo and Google Spain cases, as they are frequently tested.
3. Know what triggers Article 3(2)(a). Mere accessibility of a website from the EU is not enough. Look for indicators of intention to target EU data subjects: EU currencies, EU languages (beyond what is natural for the company's home country), references to EU customers, EU-specific top-level domains, and EU-directed advertising.
4. Understand monitoring behaviour under Article 3(2)(b). This includes profiling, behavioural advertising, location tracking, and cookie-based analytics when the behaviour takes place in the EU.
5. Do not confuse "data subjects who are in the Union" with EU citizens. The GDPR protects anyone physically present in the EU, regardless of citizenship or residency status. A question might try to trick you into thinking it only applies to EU citizens.
6. Know the material scope exemptions cold. National security, the household exemption, law enforcement processing (covered by the LED), and Common Foreign and Security Policy are the main exemptions. Be ready to distinguish between them.
7. Understand the household exemption's limits. Personal blogging, social media use in a personal context, and personal address books are typically covered by the exemption. However, if the activity extends beyond the personal or household sphere (e.g., CCTV covering a public area, or publishing personal data on an unrestricted website), the exemption does not apply. Know Ryneš and Lindqvist.
8. Remember Article 27 — Representative requirement. If a non-EU controller or processor is caught by Article 3(2), it must designate a representative in the Union (unless an exemption applies, such as occasional processing that is not large-scale and does not involve special categories of data or criminal conviction data, and is unlikely to result in a risk to the rights of individuals, or the controller is a public authority).
9. Watch out for post-Brexit scenarios. The UK is now a third country. Questions may test whether you understand that UK companies can still be caught by Article 3(2) if they target or monitor individuals in the EU.
10. Practice the two-step approach. For every scenario, first assess material scope (Article 2), then territorial scope (Article 3). This ensures you do not miss exemptions and provides a structured, defensible answer.
11. Pay attention to Recitals. Recitals 22, 23, and 24 are particularly important for understanding the rationale behind Article 3 and provide the indicators the examiners expect you to reference.
12. Read the question carefully for nuances. Exam questions may include subtle details such as the location of the data subject at the time of processing, the nature of the organisation's activities, or the type of data involved. These details are intentional and are designed to test your ability to apply Article 3 precisely.
Summary
Article 3 of the GDPR is a gateway provision. It determines whether the entire framework of GDPR rights and obligations applies to a given processing activity. The establishment criterion (Article 3(1)) captures processing linked to EU-based operations, the targeting criterion (Article 3(2)) extends the GDPR's reach to non-EU entities that engage with individuals in the EU, and Article 3(3) covers processing under international law. Article 2 defines the material scope, including important exemptions. Together, these provisions form the starting point for any GDPR compliance analysis and are essential knowledge for the CIPP/E examination.