European Union: How Does The Territoriality Principle Of The General Data Protection Regulation Affect Non-EU Companies?

Last Updated: 22 May 2019
Article by Zeynep Yagmur and Gizem Başara

Since the European Union adopted the Data Protection Directive ("Directive") in 1995, technology and the internet have continued to evolve and to intervene in our lives more and more. Due to the wide use of the internet, processing of personal data has become transnational and has introduced a serious challenge for legislators1. Considering those challenges within the scope of data protection law, the European Union decided to put the genie back into the bottle and started to work on a new data protection law. As a result, the General Data Protection Regulation ("GDPR") took the stage and entered into force on 25 May 2018, repealing the Directive. Yet GDPR became one of the most crucial and controversial pieces of legislation globally due to its territorial scope policy.

GDPR introduces rules relating to the protection of natural persons with regard to the processing of their personal data2. Within the scope of GDPR, processing of personal data covers actions including, but not limited to, "collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction"3. From this perspective, any activity within the scope of Article 4 of GDPR carried out by a controller or a processor will be considered "processing" within the scope of GDPR.

Whose processing is subject to GDPR? Will processing carried out by natural or legal persons outside of Europe also be subject to GDPR? Recently, on 16 November 2018, the European Data Protection Board ("EDPB") adopted a guideline on the territorial scope of the GDPR ("Guideline") to have an additional say with respect to the territorial scope of GDPR.


GDPR's territorial scope is based on two main criteria: the "establishment" criterion as per Article 3(1) and the "targeting" criterion as per Article 3(2).4

A. Article 3(1) – Establishment Criterion

Article 3(1) states that "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."5 Pursuant to Article 3(1) of GDPR, (i) if an establishment of a data processor or controller is in the Union and (ii) if such establishment processes personal data, there is no doubt that such establishment will be subject to GDPR. According to Recital 22 of GDPR, "establishment" implies "the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect."6 Since the wording for establishment is the same as in Recital 19 of the Directive, the Court of Justice of the European Union's ("CJEU") two ground-breaking decisions on the territorial scope of the Directive based on the "establishment" criterion are instrumental for the interpretation of Article 3(1). The first one is the Google Spain v. Costeja Gonzalez decision. Even though Google Inc. is a company based in the United States, Google processes personal data in Member States through an establishment based in Member States, a subsidiary of Google. According to the CJEU, the activities of such establishment are inextricably linked to Google Inc.7; therefore the Directive shall be applicable to Google Inc., even though the headquarters of such establishment is based outside of the EU. Having a subsidiary and conducting business through such subsidiary is enough to fall within EU jurisdiction; it is not necessary for a data controller to process data within the EU8.

The second significant decision is the Weltimmo case, in which the decision is in line with Google Spain yet takes a broad interpretation of the territorial scope of the Directive. In that case, having even one representative in a Member State who acts with a sufficient degree of stability for the provision of specific services of a company based outside of the EU is considered enough to constitute a stable arrangement.9 In addition, if such establishment has effective activity10 through stable arrangements, it shall be considered within the scope of the Directive.

In the Guideline, the EDPB follows the CJEU's interpretation of establishment in the Weltimmo and Google Spain cases for determining the scope of Article 3(1). According to the Guideline, if there is an inextricable link between the activities of an EU establishment and the data processing carried out by a non-EU controller or processor, such a situation may trigger the applicability of GDPR even if the EU establishment does not have any role in the data processing activities.

EDPB recommends a two-fold assessment to determine whether GDPR will be applied to the non-EU organization's processing activities; first by determining whether personal data is being processed, and secondly by identifying potential links between the processing activity and the activities of any presence of the organization in the EU.11

Moreover, GDPR will be applied to the processing activities of an establishment in the EU even though such processing takes place outside of the EU. The Guideline gives the example of a French company which operates a car-share application for customers only in Morocco, Algeria, and Tunisia but processes the personal data in France as a data controller. In that case, although the collection of personal data takes place in non-EU countries, GDPR will apply to such processing activity as per Article 3(1), since the processing activity is carried out through an establishment in the EU.12

Consequently, if a Turkish company established outside the EU has a representative or establishment in the EU that processes personal data in the name of that Turkish company, the Turkish company in Turkey would be subject to the GDPR due to the processing activities of its representative/establishment.

B. Article 3(2) – Targeting Criterion

The controversial part of Article 3 is obviously the second paragraph, since it gives GDPR the power to be applicable to data controllers and processors even though they are not established in the European Union. Article 3(2) states that "This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union."13

These two paragraphs allow GDPR to have an "extraterritorial" scope. Article 3(2) is not explicit enough on how its extraterritorial scope is to be interpreted; therefore Recitals 23 and 24 play an important role for further interpretation. Yet, before giving more detail about the recitals, one needs to remember that recitals are non-binding sources; in other words, they can be used for interpretation of the articles but do not have binding authority in the way that the provisions of a piece of legislation do.

First of all, in order for GDPR to be applied to a data controller or processor outside of the EU, the data subject of such processing activity should be an EU resident natural person. The regulation makes it clear that the application is not based on citizenship but on residence. If such controllers' or processors' processing activities for offering goods and services or monitoring data subjects target EU residents, then GDPR will be a factor that they have to deal with.

Although the determining factor for application of the targeting criterion is the data subject being in the EU pursuant to Article 3(2), the EDPB considers that the nationality or legal status of the data subject may not have any impact on the territorial scope of GDPR. Furthermore, according to the EDPB, in order for Article 3(2) to be applicable, data subjects shall be in the EU at the moment when the relevant trigger activity of the targeting criterion takes place.14

The EDPB also underlines in the Guideline that the mere processing of personal data of data subjects in the EU, without the element of "targeting" individuals in the EU, is not sufficient for GDPR to be applicable. For instance, if a U.S. citizen downloads and uses a news application offered by a U.S. company, which is exclusively directed to the U.S. market, while being in Europe, the processing of such U.S. citizen's personal data via the news application by the U.S. company is not subject to GDPR15, since such processing lacks the targeting element as per Article 3(2).

Another example would be a bank in Taiwan which does not direct its activities to the EU market and is only active in Taiwan, but has German customers residing in Taiwan. In this case, GDPR is not applicable to processing the personal data of such German customers since the bank's processing is not related to a specific offer directed at individuals in the EU.16

According to EDPB -since there is no specific offer to data subjects in the EU- GDPR is not applicable in the case where a Canadian immigration authority processes the personal data of EU citizens for examining their visa application at the time of entering Canadian territory.17

B.1. Offering Goods and Services

Recital 23 states that "mere accessibility of controller's, processor's or an intermediary's website in the union, of an e-mail address or of other contact details, or use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods and services to data subjects in the Union". Although Recital 23 provides a general frame for interpretation regarding sale and service contracts, further clarifications concerning Article 3(2)(b) are also given in the Guideline.

The EDPB states in the Guideline that a combination of some of the factors listed below could be considered for determining whether an offer of goods or services is directed at data subjects in the EU:

  • "The EU or at least one Member State is designated by name with reference to the good or service offered;
  • The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union, or the controller or processor has launched marketing and advertisement campaigns directed at an EU country audience;
  • The international nature of the activity at issue, such as certain tourist activities;
  • The mention of dedicated addresses or phone numbers to be reached from an EU country;
  • The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example ".de", or the use of neutral top-level domain names such as ".eu";
  • The description of travel instructions from one or more other EU Member States to the place where the service is provided;
  • The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;
  • The use of a language or a currency other than that generally used in the trader's country, especially a language or currency of one or more EU Member states;
  • The data controller offers the delivery of goods in EU Member States."18

An example would be a website, based and controlled in Turkey, that offers services for creating, editing, printing and shipping family photos to the UK, France, the Benelux countries and Germany. Such website is available in some of the Member State languages (English, French, Dutch, German) and indicates that payments could be made in Euros and Sterling. Since more than one of the abovementioned indications is present in such case, it is clear that GDPR is applicable to such Turkish website as per Article 3(2)(a).19

On the other hand, in the case where a private company based in Monaco processes the personal data of its employees, who are French and Italian residents, for salary payment purposes, GDPR is not applicable to such processing as per Article 3(2)(a), since salary payment could not be considered as an offer of goods and services.20

As a result, if Turkish companies specifically and purposely provide services or offer goods to EU residents through their activities, and if such data subjects are in the EU at the time of such activities, such Turkish companies will be in the scope of GDPR. In order to determine whether the Turkish companies' activities truly target EU residents, the recitals and the list published in the Guideline could be considered as a first-round checklist before going into any further analysis.

B.2. Monitoring

On the processing of personal data via monitoring, Recital 24 states that "monitoring could be considered as whether natural persons are tracked on the internet ... in order to take decisions concerning her/him or analyze or predict her/his personal preferences, behaviors and attitudes". According to the EDPB, any collection or any analysis of personal data of data subjects in the EU would not automatically be considered as "monitoring". The data controller's purpose for such processing activity and any behavioral analysis or profiling techniques should also be taken into account within the scope of Article 3(2)(b).21 Even though GDPR does not provide any explanation regarding the targeting degree of monitoring, either in Article 3(2)(b) or in Recital 24, the EDPB states that the data controller should have a specific purpose for collection and there should be subsequent reuse in order for a collection to be deemed "monitoring".22 In addition to targeting, such monitoring activities should take place within the EU in order for Article 3(2)(b) to be applicable.

To shed light on the activities which would be deemed monitoring, the EDPB gives examples in the Guideline, which are as follows:

  • "Behavioural activities,
  • Geo-localization activities in particular for marketing purposes,
  • Online tracking through the use of cookies or other tracking techniques such as fingerprint,
  • personalized diet and health analytics services online,
  • CCTV,
  • Market surveys and other behavioural studies based on individual profiles,
  • Monitoring or regular reporting on an individual's health profiles."23

An example would be a marketing company, established in the USA, that analyzes the movements of customers shopping in a shopping center in France through Wi-Fi tracking. Since the marketing company monitors individuals' behavior with such activity and the underlying data subjects' behavior takes place in the EU, the marketing company, as a data controller, would be subject to Article 3(2)(b) of GDPR.24


To anticipate what the CJEU's practice would be in further cases relating to GDPR, a judgement given within the scope of consumer protection law in Europe (which shares several key features with data privacy law) can be useful. In the CJEU's judgement, the rationale for deciding whether a trader has directed its activity to the Member State of the consumer's domicile shall be as follows: "whether, before the conclusion of any contract with consumer, it is apparent from those website and the trader's overall activity that the trader was envisaging doing business with consumers domiciled in one or more Member States, including the Member States of that consumer's domicile, in the sense that it was minded to conclude a contract with them"25. With that in mind, it may be inferred that the CJEU is likely to approach decisions regarding GDPR by reviewing whether businesses' activities show that they intentionally conduct business with data subjects in the EU and make this clearly explicit even before the conclusion of a contract.

Moreover, Paul de Hert and Michal Czerniawski state that GDPR does not apply if EU law and the data controller's activity do not have a strong relationship, except when the data subject is an EU resident. The Guideline shows that the EDPB takes the same line as them. They assert that an opposite interpretation could go beyond the legitimacy principle and amount to excessive extraterritoriality. According to them, GDPR could not be applicable where a European tourist is shopping on Fifth Avenue in New York26. The only connection between the shop and EU law is the tourist being an EU resident; however, such a situation has a stronger connection with U.S. law (according to the territoriality principle).27

On the other hand, a U.S. provider's offering of cloud-based services to individuals in the EU, which involves processing of personal data and targets the EU28, could be an acceptable example of the extraterritorial scope of GDPR, even where such services require no payment and the provider has no establishment in the EU.

A case on profiling EU residents' data relates to Nest Labs Inc., which is a company based in California but has offices in London. Considering that the UK was in the EU when the Directive was in force, Nest Labs Inc. was offering goods in the EU with Nest thermostats, and such thermostats were collecting personal data such as at what room temperature "you like eating breakfast"29. The Directive was applied to Nest Labs Inc., and GDPR should also be applicable considering the fact that Nest Labs Inc. both offers to sell such thermostats to EU markets and profiles data subjects with their temperature preferences in their houses.


Article 3 is an ambiguous provision of GDPR and, at the same time, one of the most important ones. Since territorial scope is not explicitly regulated in GDPR, the EDPB's Guideline brought further clarification on the ambiguity of the territorial scope.

A company established outside of the EU, such as a Turkish company, must comply with the rules of GDPR in the case where such company has (a) a representative, having a stable arrangement and having effective activity through such stable arrangements for the non-EU company, or (b) an establishment, whose activities are inextricably linked with the non-EU company, in the EU that is processing personal data in the name of such non-EU company.

Furthermore, a company established outside of the EU must comply with GDPR if such non-EU company intentionally offers goods and services to EU residents or monitors data subjects who are in the EU, as explained above. The multiple criteria mentioned in Recitals 23 and 24 and in the Guideline may be used as a first-round checklist to determine whether such non-EU company would be subject to GDPR and has to comply with GDPR.

According to the "you may be subject to EU law only if you target" rationale30, companies that actually have the intention to reach persons in the EU have to consider conforming with GDPR first, since GDPR has severe penal sanctions, such as 4% of a company's total global turnover.


1. Hert, P. and Czerniawski, M. (2016). Expanding the European data protection scope beyond territory. International Data Privacy Law, 2016 Vol.6, No.3

2. Article 1 of the General Data Protection Regulation

3. Article 4 of the General Data Protection Regulation

4. Guideline 3/2018 on the territorial scope of the GDPR (Article 3), pg 3

5. Article 3 of the General Data Protection Regulation

6. Recital 22 of the General Data Protection Regulation

7. CJEU 13 May 2014, C-131/12 (Google Spain v. Costeja Gonzalez), para. 56.

8. Hert, P. and Czerniawski, M. (2016). Expanding the European data protection scope beyond territory. International Data Privacy Law, 2016 Vol.6, No.3

9. CJEU 1 October 2015, C-230/14 (Weltimmo), para. 30.

10. CJEU 1 October 2015, C-230/14 (Weltimmo), para. 29.

11. Guideline 3/2018 on the territorial scope of the GDPR (Article 3), pg 7

12. Guideline 3/2018 on the territorial scope of the GDPR (Article 3), pg 8

13. Article 3 of the General Data Protection Regulation

14. Guideline 3/2018 on the territorial scope of the GDPR (Article 3), pg 13

15. Guideline 3/2018 on the territorial scope of the GDPR (Article 3), pg 14

16. Guideline 3/2018 on the territorial scope of the GDPR (Article 3), pg 14

17. Guideline 3/2018 on the territorial scope of the GDPR (Article 3), pg 14

18. Guideline 3/2018 on the territorial scope of the GDPR (Article 3), pg 15

19. Guideline 3/2018 on the territorial scope of the GDPR (Article 3), pg 16

20. Guideline 3/2018 on the territorial scope of the GDPR (Article 3), pg 16,17

21. Guideline 3/2018 on the territorial scope of the GDPR (Article 3), pg 18

22. Guideline 3/2018 on the territorial scope of the GDPR (Article 3), pg 18

23. Guideline 3/2018 on the territorial scope of the GDPR (Article 3), pg 18

24. Guideline 3/2018 on the territorial scope of the GDPR (Article 3), pg 18

25. Svantesson, D. (2015). Extraterritoriality and targeting in EU data privacy law. International Data Privacy Law, 2015 Vol.5, No.4

26. Hert, P. and Czerniawski, M. (2016). Expanding the European data protection scope beyond territory. International Data Privacy Law, 2016 Vol.6, No.3

27. Hert, P. and Czerniawski, M. (2016). Expanding the European data protection scope beyond territory. International Data Privacy Law, 2016 Vol.6, No.3

28. Gregory Voss, B. The Business Lawyer; Vol 72, Winter 2016-2017

29. Nest Labs 2016a.

30. Hert, P. and Czerniawski, M. (2016). Expanding the European data protection scope beyond territory. International Data Privacy Law, 2016 Vol.6, No.3

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
