---
title: "Does the EU GDPR apply outside the EU under Article 3?"
canonical_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq/territorial-scope"
source_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq/territorial-scope"
author: "Sorena AI"
description: "A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU GDPR"
  - "GDPR Article 3"
  - "territorial scope"
  - "EU representative"
  - "offering goods or services"
  - "monitoring behavior"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# Does the EU GDPR apply outside the EU under Article 3?

A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.

*FAQ* *EU GDPR*

## GDPR Article 3 Territorial Scope

Use GDPR Article 3 as a processing-activity test, not as a blanket label for every non-EU business that touches EU data.

The grounded triggers are processing in the context of an EU establishment, offering goods or services to people in the Union, monitoring behavior in the Union, and the linked Article 27 representative requirement.

This FAQ answers when GDPR Article 3 brings a processing activity within the Regulation's territorial scope. It separates EU establishment, non-EU targeting, behavior monitoring, and representative evidence so teams avoid unsupported extraterritorial shortcuts.

## Does GDPR Article 3 apply to a non-EU organization?

It can, but only through the Article 3 triggers. First, GDPR applies to processing carried out in the context of the activities of an establishment of a controller or processor in the Union, even if the processing itself takes place outside the Union.

Second, for a controller or processor not established in the Union, GDPR applies only where the processing relates to offering goods or services to data subjects in the Union or monitoring their behavior as far as that behavior takes place in the Union. The EDPB stresses that the Article 3 assessment is made for the particular processing activity, not by labeling the entire legal entity as globally in scope.

- Start with Article 3(1): identify any EU establishment and explain how the processing is carried out in the context of that establishment's activities.
- If there is no EU establishment trigger, test Article 3(2)(a): whether the processing relates to offering goods or services to data subjects who are in the Union.
- Separately test Article 3(2)(b): whether the processing relates to monitoring behavior that takes place within the Union.
- Avoid unsupported conclusions such as "EU user equals GDPR" or "non-EU company equals out of scope"; document the actual processing activity and the trigger that applies.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Provides the binding Article 3 territorial-scope triggers and Article 27 representative rule.
- [EDPB Guidelines 3/2018 on territorial scope](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en?ref=sorena.io) - Explains the establishment and targeting criteria and states that Article 3 is assessed against the relevant processing activity.

## What facts show offering goods or services to people in the Union?

For Article 3(2)(a), the key question is whether the controller or processor appears to envisage offering goods or services to data subjects in one or more EU Member States. Payment is not required.

A website being reachable from the Union, listing an email address, or using a language generally used in the organization's own country is not enough by itself. Stronger evidence can include naming EU Member States in the offer, EU-directed advertising, EU delivery, EU customer references, EU languages or currencies tied to ordering, EU contact details, or an EU top-level domain.

- Keep screenshots or product records showing EU countries, delivery areas, booking availability, account creation, or checkout paths.
- Record language, currency, domain, ad-campaign, search-marketing, and customer-reference signals together; one weak signal may not be enough on its own.
- Distinguish intentional EU offering from incidental use by a person who happens to travel into the Union.
- Map the evidence to the processing activity, such as account registration, payment, shipping, customer support, personalization, or marketing.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 3(2)(a) applies to offering goods or services to data subjects in the Union, whether or not payment is required.
- [EDPB Guidelines 3/2018 on territorial scope](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en?ref=sorena.io) - Lists practical targeting indicators and warns that mere website accessibility in the Union is insufficient by itself.

## What counts as monitoring behavior in the Union?

Article 3(2)(b) applies where the processing relates to monitoring data subjects' behavior and that behavior takes place within the Union. The EDPB says monitoring requires attention to the controller's purpose, especially later behavioral analysis or profiling; not every collection or analysis of data from people in the Union is automatically monitoring.

Grounded examples of monitoring indicators include behavioral advertising, geolocation for marketing, online tracking through cookies or fingerprinting, personalized health or diet analytics, CCTV, individual-profile market studies, and monitoring or regular reporting on a person's health status.

- Identify the behavior observed, where it takes place, and the personal data used to observe it.
- Record whether tracking, profiling, prediction, segmentation, targeted advertising, or individualized reporting is part of the purpose.
- Separate ordinary service logging from behavior monitoring when there is no later behavioral analysis or profiling purpose.
- For processors, document whether their processing is related to the controller's EU-targeting or EU-monitoring activity.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 3(2)(b) covers monitoring behavior where the behavior takes place within the Union.
- [EDPB Guidelines 3/2018 on territorial scope](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en?ref=sorena.io) - Explains that monitoring depends on purpose and behavioral analysis or profiling, and gives examples such as cookies, fingerprinting, geolocation, CCTV, and health-status monitoring.

## When is an EU representative needed?

Where Article 3(2) applies, a non-EU controller or processor must designate a representative in the Union unless an Article 27(2) exemption applies. The GDPR exemptions are narrow: certain occasional, low-risk processing without large-scale special-category or criminal-offence data, or processing by a public authority or body.

The representative must be established in one of the Member States where the relevant data subjects are located. The EDPB also says designation of a representative does not itself create an EU establishment under Article 3(1), and it does not remove the controller's or processor's own responsibility or liability.

- Keep the written representative mandate and the Member State rationale tied to where affected data subjects are located.
- Keep representative contact details aligned with privacy notices and other Article 13 or 14 information given to data subjects.
- Keep enough processing-record information available for the representative to produce records when addressed under Article 27 and Article 30.
- Do not rely on the representative as a substitute controller, processor, or DPO without checking the EDPB conflict guidance.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 27 requires a written representative for Article 3(2) controllers or processors and states the exemptions, location rule, mandate, and liability reservation.
- [EDPB Guidelines 3/2018 on territorial scope](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en?ref=sorena.io) - Explains representative designation, accessibility, privacy-notice disclosure, record availability, and the distinction from an Article 3(1) establishment.

## Primary sources

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Binding source for GDPR Article 3 territorial scope and Article 27 representative obligations.
  - Quote: "Territorial scope"
- [EDPB Guidelines 3/2018 on territorial scope](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en?ref=sorena.io) - Official EDPB interpretation for establishment, targeting, monitoring, processor linkage, and representatives under Articles 3 and 27.
  - Quote: "territorial scope of the GDPR"

## Topic Guides

- [EU GDPR Applicability Test for Products, Vendors, and Data Flows](/artifacts/eu/general-data-protection-regulation/applicability-test.md): A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
- [EU GDPR Article 30 RoPA Intake Workflow](/artifacts/eu/general-data-protection-regulation/ropa-intake-workflow.md): Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
- [EU GDPR Article 6 Legal Bases FAQ](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md): FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
- [EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence](/artifacts/eu/general-data-protection-regulation/automated-decision-making-and-profiling.md): source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
- [EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow](/artifacts/eu/general-data-protection-regulation/breach-notification-72-hours.md): Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
- [EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records](/artifacts/eu/general-data-protection-regulation/breach-notification-workflow.md): A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
- [EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/checklist.md): Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
- [EU GDPR Children and Special-Category Data Guide](/artifacts/eu/general-data-protection-regulation/children-and-special-categories.md): source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
- [EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/compliance.md): Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
- [EU GDPR Controller, Processor, and Joint Controller Roles](/artifacts/eu/general-data-protection-regulation/controller-processor-and-joint-controller-roles.md): source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
- [EU GDPR Data Subject Rights and DSAR Workflow](/artifacts/eu/general-data-protection-regulation/data-subject-rights-and-dsar-workflow.md): source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
- [EU GDPR deadlines and compliance calendar](/artifacts/eu/general-data-protection-regulation/deadlines-and-compliance-calendar.md): source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
- [EU GDPR DPIA and Prior Consultation Workflow](/artifacts/eu/general-data-protection-regulation/dpia-and-prior-consultation-workflow.md): Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
- [EU GDPR DPIA and risk management under Articles 35 and 36](/artifacts/eu/general-data-protection-regulation/dpia-and-risk-management.md): EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
- [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md): FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
- [EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence](/artifacts/eu/general-data-protection-regulation/dsar-workflow.md): Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
- [EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers](/artifacts/eu/general-data-protection-regulation/faq.md): Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
- [EU GDPR International Transfers and SCCs: Chapter V evidence guide](/artifacts/eu/general-data-protection-regulation/international-transfers-and-sccs.md): source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
- [EU GDPR Lawful Basis and Consent Guide](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-consent.md): Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
- [EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-lia-workflow.md): Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
- [EU GDPR Lead Supervisory Authority and One-Stop-Shop](/artifacts/eu/general-data-protection-regulation/lead-authority-and-one-stop-shop.md): How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
- [EU GDPR LIA Template for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lia-template.md): Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
- [EU GDPR penalties and fines: Article 83 tiers and evidence](/artifacts/eu/general-data-protection-regulation/penalties-and-fines.md): EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
- [EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide](/artifacts/eu/general-data-protection-regulation/processor-contracts-and-vendor-management.md): EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
- [EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields](/artifacts/eu/general-data-protection-regulation/record-of-processing-activities-template.md): Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
- [EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers](/artifacts/eu/general-data-protection-regulation/requirements.md): Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
- [EU GDPR Retention and Erasure Schedule](/artifacts/eu/general-data-protection-regulation/retention-and-erasure-schedule.md): Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
- [EU GDPR SCC Transfer Impact Assessment FAQ](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md): source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
- [EU GDPR Transfer TIA and SCC Workflow](/artifacts/eu/general-data-protection-regulation/transfer-tia-and-scc-workflow.md): A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
- [EU GDPR Transparency Notices: Articles 12, 13 and 14](/artifacts/eu/general-data-protection-regulation/transparency-notices.md): Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
- [EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps](/artifacts/eu/general-data-protection-regulation/gdpr-vs-lgpd.md): Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
- [EU GDPR vs California CCPA: grounded GDPR comparison limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ccpa.md): Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
- [EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications](/artifacts/eu/general-data-protection-regulation/gdpr-vs-eprivacy.md): Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
- [EU GDPR vs UK GDPR: source-limited compliance comparison](/artifacts/eu/general-data-protection-regulation/gdpr-vs-uk-gdpr.md): Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
- [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md): Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
- [GDPR vs EU AI Act: privacy controls for AI systems](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ai-act.md): Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
- [GDPR vs EU Data Act: personal data safeguards and source limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-data-act.md): Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
- [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md): Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
- [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md): GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.

*Recommended next step*

*Placement: before sources*

## Use this FAQ to document Article 3 scope decisions

Sorena can help convert establishment, offering, monitoring, and representative facts into cited scope records for GDPR work.

- [Open Research Copilot for EU GDPR](/solutions/research-copilot.md): Ask source-linked questions about Article 3 establishment, EU targeting, monitoring behavior, and representative evidence using the cited sources on this page.
- [Review a GDPR territorial-scope record](/contact.md): Check whether your Article 3 conclusion is tied to the right processing activity, evidence, and representative decision.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq/territorial-scope