Art. 3 high Severity GDPR European Union

GDPR Article 3 — Territorial scope

Enforced by: ICO (UK) / National DPAs
Current as of May 25, 2018
Plain Language Summary
GDPR applies to any organization processing EU residents' data — even companies outside the EU.

This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: the offering of goods or services to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union.

Related Enforcement Cases

British Airways — GDPR Data Breach Fine (£20M) £20M
Marriott International — GDPR Fine (£18.4M) £18.4M