EU GDPR Applicability Test

Decide whether GDPR applies, which role you have, and what to document.

Focus: Article 2 (material scope), Article 3 (territorial scope), Article 27 (representative), and practical outcomes.

Author: Sorena AI
Published: Feb 21, 2026
Updated: Feb 21, 2026
Overview

A GDPR applicability decision must be defensible: it should be tied to facts (where processing happens, who is established, and what data subjects you target) and it should produce a concrete output (what controls and evidence you need). This page provides an execution-ready applicability test and the deliverables that make the decision auditable.

Section 1

Step 1 - Material scope (Article 2): are you processing personal data?

Start with the core question: is there processing of personal data (automated or part of a filing system) in your activity?

Then validate whether any Article 2 exclusions are relevant (these often appear in public sector or law enforcement contexts).

  • List processing activities (products, HR, marketing, analytics, support, vendor operations).
  • Identify data categories (identifiers, usage, location, sensitive/special category).
  • Check for exclusions in Article 2(2) and document your reasoning if you rely on one.

Section 2

Step 2 - Territorial scope (Article 3): establishment vs targeting

Article 3 has three key paths: (1) processing in the context of an EU establishment, (2) targeting EU data subjects (goods/services or monitoring behavior), and (3) Member State law applying by public international law.

Your goal is not to win a debate; it is to map the facts to the Article 3 path that applies and keep evidence of that mapping.

  • Establishment criterion (Article 3(1)): document EU presence and whether processing is in the context of EU activities.
  • Targeting criterion (Article 3(2)): document intentional offering of goods/services to EU data subjects or monitoring behavior in the EU.
  • Representative (Article 27): if you're not established in the EU but Article 3(2) applies, assess representative obligations and exceptions.

Section 3

Step 3 - Role mapping: controller vs processor (what changes in practice)

Role mapping is a control design step: it determines who owns transparency, DSAR handling, DPIAs, and vendor oversight.

Most failures happen when teams label themselves a processor but behave like a controller, or the reverse.

  • Controller: determines purposes and essential means; owns lawful basis, notices, DSAR outcomes, and DPIA decisions.
  • Processor: processes on behalf of a controller; must follow Article 28 contract requirements and implement appropriate security.
  • Joint controllers: if purposes/means are decided together, you likely need a joint-controller arrangement and allocation of responsibilities.

Section 4

Borderline scenarios (fast checks that prevent scope mistakes)

Use these as red-flag prompts in scoping workshops. If any apply, you likely need deeper analysis and stronger documentation.

  • US company with EU customers and localized EU marketing pages (targeting signals).
  • Analytics/behavioral monitoring of EU visitors for profiling or advertising (monitoring).
  • EU-based employees or contractors with HR systems hosted outside the EU (establishment context + transfers).
  • B2B SaaS with EU accounts where usage data and support tickets include personal data.
  • Vendor ecosystem where sub-processors are in third countries (transfer chain risk).

Section 5

Outputs: what you should produce after the applicability test

A good applicability test ends with artifacts, not a sentence. These outputs are what make the decision explainable and actionable.

  • Applicability memo: the Article 3 path (with facts and evidence) and the role mapping per processing activity.
  • Processing inventory scope baseline: which systems and teams are in scope now.
  • Control backlog: DSAR workflow, breach playbook, DPIA triggers, transfer safeguards, vendor contract updates.
  • Evidence index: where your key compliance evidence lives and how fast it can be exported.

Recommended next step

Turn EU GDPR Applicability Test into an operational assessment

Assessment Autopilot can take the EU GDPR Applicability Test from a decision about whether these obligations apply in practice to a reusable workflow inside Sorena. Teams working on EU GDPR can keep owners, evidence, and next steps aligned without copying this guide into separate documents.
