GDPR Brief: To Whom Does the GDPR Apply?

The GDPR has a global territorial reach.

Article 3 states that the GDPR applies to the processing of personal data in the context of the activities of an establishment (e.g. office, site) of an organization in the European Economic Area (EEA, which constitutes the 28 EU Member States as well as Iceland, Liechtenstein, and Norway), regardless of whether the processing takes place in the EEA or not.

The GDPR also applies to the processing of personal data of data subjects (e.g. research participants) situated in the EEA by a person or organization not established in the EEA, where the processing activities are related to:

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EEA; or
  2. the monitoring of their behaviour as far as their behaviour takes place within the EEA.

Subject to a few exceptions, under Article 27, organizations subject to the GDPR’s long-arm jurisdictional reach have to appoint a “representative” in the EEA to act as their Europe-facing point of contact for individuals and local data protection authorities. The representative must be in one of the EEA Member States where the data subjects, whose data are being processed, are situated. If an organization conducts, for example, clinical trials in different Member States at different times, it may need to change its representative from time to time.

Under the “offering goods or services” test, it must be apparent that the organization intends to reach individuals in the EEA – e.g. by targeting through localized websites in an EEA language (not also an international language), with localized URLs or which have local examples. This could apply to a university in the US offering genomic testing to people in the EEA via localized websites.

If an organization monitors individuals in the EEA, then it is subject to the GDPR under the second limb. This would apply to data collected via wearables. In this case, the GDPR always applies – there is no need for the organization to be targeting individuals in the EEA.

It remains unclear if the GDPR will apply in a context where consumers, customers, or research participants of non-EEA-based organizations temporarily reside in the EEA (on holiday, work, or otherwise) and have some (incidental transmissions) of their data collected through digital technology, such as wearables, mobile phones, or other personal electronic devices.

Further Reading
  • Weltimmo v NAIH (CJEU) (C-230/14)
  • Google Spain SL, Google Inc. v AEPD, Mario Costeja González (CJEU) (C-131/12)
  • Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller(CJEU) (Joined cases C-585/08 and C-144/09)

Relevant GDPR Provisions

  • Article 3 – Territorial scope of the GDPR
  • Recital 22 – Data processing by an establishment in the EU
  • Recital 23 – GDPR applicable to processors not established in the EU if data subjects within the EU are targeted
  • Recital 24 – GDPR applicable to processors not established in the EU if data subjects within the EU are profiled
  • Recital 25 – GDPR applicable to processors due to public international law
  • Article 27 – Representatives of controllers or processors not established in the EU


Edward Dove is a Lecturer in Law at the University of Edinburgh. His primary research interests are in the areas of regulation of biomedical research, research ethics oversight, health-related data access and sharing, and governance of international research collaboration.


Subscribe to the GA4GH GDPR Briefs.

For a list of all briefs, please consult here.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.