---
title: "GDPR Applicability Test (Article 2-3)"
canonical_url: "https://www.sorena.io/artifacts/eu/gdpr/applicability-test"
source_url: "https://www.sorena.io/artifacts/eu/gdpr/applicability-test"
author: "Sorena AI"
description: "A practical GDPR applicability test for Regulation (EU) 2016/679: check material scope (Article 2), territorial scope (Article 3), establishment vs targeting."
keywords:
  - "GDPR applicability test"
  - "GDPR territorial scope Article 3"
  - "GDPR material scope Article 2"
  - "GDPR establishment criterion"
  - "GDPR targeting criterion"
  - "GDPR representative Article 27"
  - "controller vs processor GDPR"
  - "GDPR applicability"
  - "territorial scope"
  - "Article 3"
  - "controller vs processor"
  - "representative"
---
# GDPR Applicability Test (Article 2-3)

A practical GDPR applicability test for Regulation (EU) 2016/679: check material scope (Article 2), territorial scope (Article 3), establishment vs targeting.

## EU GDPR Applicability Test

Decide whether GDPR applies, which role you have, and what to document.

Focus: Article 2 (material scope), Article 3 (territorial scope), Article 27 (representative), and practical outcomes.

A GDPR applicability decision must be defensible: it should be tied to facts (where processing happens, who is established, and what data subjects you target) and it should produce a concrete output (what controls and evidence you need). This page provides an execution-ready applicability test and the deliverables that make the decision auditable.

## Step 1 - Material scope (Article 2): are you processing personal data?

Start with the core question: is there processing of personal data (automated or part of a filing system) in your activity?

Then validate whether any Article 2 exclusions are relevant (these often appear in public sector or law enforcement contexts).

- List processing activities (products, HR, marketing, analytics, support, vendor operations).
- Identify data categories (identifiers, usage, location, sensitive/special category).
- Check for exclusions in Article 2(2) and document your reasoning if you rely on one.

## Step 2 - Territorial scope (Article 3): establishment vs targeting

Article 3 has three key paths: (1) processing in the context of an EU establishment, (2) targeting EU data subjects (goods/services or monitoring behavior), and (3) Member State law applying by public international law.

Your goal is not to win a debate; it is to map facts to the Article 3 path and keep evidence of that mapping.

- Establishment criterion (Article 3(1)): document EU presence and whether processing is in the context of EU activities.
- Targeting criterion (Article 3(2)): document intentional offering of goods/services to EU data subjects or monitoring behavior in the EU.
- Representative (Article 27): if you're not established in the EU but Article 3(2) applies, assess representative obligations and exceptions.

## Step 3 - Role mapping: controller vs processor (what changes in practice)

Role mapping is a control design step: it determines who owns transparency, DSAR handling, DPIAs, and vendor oversight.

Most failures happen when teams label themselves a processor but behave like a controller, or the reverse.

- Controller: determines purposes and essential means; owns lawful basis, notices, DSAR outcomes, and DPIA decisions.
- Processor: processes on behalf of a controller; must follow Article 28 contract requirements and implement appropriate security.
- Joint controllers: if purposes/means are decided together, you likely need a joint-controller arrangement and allocation of responsibilities.

## Borderline scenarios (fast checks that prevent scope mistakes)

Use these as red-flag prompts in scoping workshops. If any apply, you likely need deeper analysis and stronger documentation.

- US company with EU customers and localized EU marketing pages (targeting signals).
- Analytics/behavioral monitoring of EU visitors for profiling or advertising (monitoring).
- EU-based employees or contractors with HR systems hosted outside the EU (establishment context + transfers).
- B2B SaaS with EU accounts where usage data and support tickets include personal data.
- Vendor ecosystem where sub-processors are in third countries (transfer chain risk).

## Outputs: what you should produce after the applicability test

A good applicability test ends with artifacts, not a sentence. These outputs are what make the decision explainable and actionable.

- Applicability memo: the Article 3 path (with facts and evidence) and the role mapping per processing activity.
- Processing inventory scope baseline: which systems and teams are in scope now.
- Control backlog: DSAR workflow, breach playbook, DPIA triggers, transfer safeguards, vendor contract updates.
- Evidence index: where your key compliance evidence lives and how fast it can be exported.

## Primary sources

- [GDPR full text - Regulation (EU) 2016/679](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Primary legal text for Articles 2, 3, and 27.
- [EDPB Guidelines 3/2018 on territorial scope](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en?ref=sorena.io) - Official guidance on establishment, targeting, and monitoring under Article 3.
- [EDPB Guidelines 07/2020 on controller and processor concepts](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en?ref=sorena.io) - Official guidance for role mapping once scope is established.

