GDPR Article 3: Territorial scope

All 99 Articles Chapter 1: General Provisions

The GDPR's reach is extra-territorial. It applies to organisations established in the EU, and to those outside the EU that offer goods or services to, or monitor, people in the EU.

Key points

Covers processing by an EU establishment, wherever the processing happens.
Covers non-EU organisations targeting or monitoring people in the EU.
Non-EU controllers may need to appoint an EU representative (Article 27).

Read the official text on EUR-Lex

27Representatives of controllers not established in the Union 44General principle for transfers 2Material scope 1Subject matter and objectives

Learn the context

GDPR Key Changes

In the news

Meta hit with record €1.2 billion fine over EU–US data transfers
TikTok fined €530 million over data transfers to China

These summaries are a plain-English orientation only and are not a substitute for the official text of the Regulation or for legal advice.

Need to apply Article 3?

Our data-protection lawyers turn the text into a plan.

Talk to a lawyer

Back to all articles

Article 3 — Territorial scope

Key points

Related articles