# Territorial scope (GDPR) — legal context bundle

> Curated from overview.legal on 2026-07-14. Canonical page: https://overview.legal/topics/territorial-scope
> Sources are cited per item. Verify against the official texts before relying on them.

When the GDPR applies geographically: establishment in the Union, targeting (offering goods or services), and behavioural monitoring by non-EU controllers (Article 3 GDPR).

## Legislation (full text of key provisions)

### Territorial scope

*Source: GDPR, gdpr-art-3-en, 2016-04-27 — https://overview.legal/posts/90198*

### Representatives of controllers or processors not established in the Union

*Source: GDPR, gdpr-art-27-en, 2016-04-27 — https://overview.legal/posts/90546*

### Recital 22 — extraterritorial scope of AI regulation

*Source: AI Act, aiact-rec-22-en, 2024-06-12 — https://overview.legal/posts/93726*

In light of their digital nature, certain AI systems should fall within the scope of this Regulation even when they are not placed on the market, put into service, or used in the Union. This is the case, for example, where an operator established in the Union contracts certain services to an operator established in a third country in relation to an activity to be performed by an AI system that would qualify as high-risk. In those circumstances, the AI system used in a third country by the operator could process data lawfully collected in and transferred from the Union, and provide to the contracting operator in the Union the output of that AI system resulting from that processing, without that AI system being placed on the market, put into service or used in the Union. To prevent the circumvention of this Regulation and to ensure an effective protection of natural persons located in the Union, this Regulation should also apply to providers and deployers of AI systems that are established in a third country, to the extent the output produced by those systems is intended to be used in the Union. Nonetheless, to take into account existing arrangements and special needs for future cooperation with foreign partners with whom information and evidence is exchanged, this Regulation should not apply to public authorities of a third country and international organisations when acting in the framework of cooperation or international agreements concluded at Union or national level for law enforcement and judicial cooperation with the Union or the Member States, provided that the relevant third country or international organisation provides adequate safeguards with respect to the protection of fundamental rights and freedoms of individuals. Where relevant, this may cover activities of entities entrusted by the third countries to carry out specific tasks in support of such law enforcement and judicial cooperation. Such framework for cooperation or agreements have been established bilaterally between Member States and third countries or between the European Union, Europol and other Union agencies and third countries and international organisations. The authorities competent for supervision of the law enforcement and judicial authorities under this Regulation should assess whether those frameworks for cooperation or international agreements include adequate safeguards with respect to the protection of fundamental rights and freedoms of individuals. Recipient national authorities and Union institutions, bodies, offices and agencies making use of such outputs in the Union remain accountable to ensure their use complies with Union law. When those international agreements are revised or new ones are concluded in the future, the contracting parties should make utmost efforts to align those agreements with the requirements of this Regulation.

### Recital 80

*Source: GDPR, gdpr-rec-80-en, 2016-04-27 — https://overview.legal/posts/91675*

Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body. The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority. The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.

### Recital 25

*Source: GDPR, gdpr-rec-25-en, 2016-04-27 — https://overview.legal/posts/91565*

Where Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

### Recital 82

*Source: AI Act, aiact-rec-82-en, 2024-06-12 — https://overview.legal/posts/93846*

To enable enforcement of this Regulation and create a level playing field for operators, and, taking into account the different forms of making available of digital products, it is important to ensure that, under all circumstances, a person established in the Union can provide authorities with all the necessary information on the compliance of an AI system. Therefore, prior to making their AI systems available in the Union, providers established in third countries should, by written mandate, appoint an authorised representative established in the Union. This authorised representative plays a pivotal role in ensuring the compliance of the high-risk AI systems placed on the market or put into service in the Union by those providers who are not established in the Union and in serving as their contact person established in the Union.

### Recital 114

*Source: NIS2, nis2-rec-114-en, 2022-12-14 — https://overview.legal/posts/96756*

In order to take account of the cross-border nature of the services and operations of DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines and of social networking services platforms, only one Member State should have jurisdiction over those entities. Jurisdiction should be attributed to the Member State in which the entity concerned has its main establishment in the Union. The criterion of establishment for the purposes of this Directive implies the effective exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect. Whether that criterion is fulfilled should not depend on whether the network and information systems are physically located in a given place; the presence and use of such systems do not, in themselves, constitute such main establishment and are therefore not decisive criteria for determining the main establishment. The main establishment should be considered to be in the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken in the Union. This will typically correspond to the place of the entities’ central administration in the Union. If such a Member State cannot be determined or if such decisions are not taken in the Union, the main establishment should be considered to be in the Member State where cybersecurity operations are carried out. If such a Member State cannot be determined, the main establishment should be considered to be in the Member State where the entity has the establishment with the highest number of employees in the Union. Where the services are carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings.

### Recital 116

*Source: NIS2, nis2-rec-116-en, 2022-12-14 — https://overview.legal/posts/96760*

Where a DNS service provider, a TLD name registry, an entity providing domain name registration services, a cloud computing service provider, a data centre service provider, a content delivery network provider, a managed service provider, a managed security service provider or a provider of an online marketplace, of an online search engine or of a social networking services platform, which is not established in the Union, offers services within the Union, it should designate a representative in the Union. In order to determine whether such an entity is offering services within the Union, it should be ascertained whether the entity is planning to offer services to persons in one or more Member States. The mere accessibility in the Union of the entity’s or an intermediary’s website or of an email address or other contact details, or the use of a language generally used in the third country where the entity is established, should be considered to be insufficient to ascertain such an intention. However, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering services in that language, or the mentioning of customers or users who are in the Union, could make it apparent that the entity is planning to offer services within the Union. The representative should act on behalf of the entity and it should be possible for the competent authorities or the CSIRTs to address the representative. The representative should be explicitly designated by a written mandate of the entity to act on the latter’s behalf with regard to the latter’s obligations laid down in this Directive, including incident reporting.

### Recital 113

*Source: NIS2, nis2-rec-113-en, 2022-12-14 — https://overview.legal/posts/96754*

Entities falling within the scope of this Directive should be considered to fall under the jurisdiction of the Member State in which they are established. However, providers of public electronic communications networks or providers of publicly available electronic communications services should be considered to fall under the jurisdiction of the Member State in which they provide their services. DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines and of social networking services platforms should be considered to fall under the jurisdiction of the Member State in which they have their main establishment in the Union. Public administration entities should fall under the jurisdiction of the Member State which established them. If the entity provides services or is established in more than one Member State, it should fall under the separate and concurrent jurisdiction of each of those Member States. The competent authorities of those Member States should cooperate, provide mutual assistance to each other and, where appropriate, carry out joint supervisory actions. Where Member States exercise jurisdiction, they should not impose enforcement measures or penalties more than once for the same conduct, in line with the principle of ne bis in idem.

### Recital 36

*Source: DSA, dsa-rec-36-en, 2022-10-19 — https://overview.legal/posts/95469*

The territorial scope of such orders to act against illegal content should be clearly set out on the basis of the applicable Union or national law enabling the issuance of the order and should not exceed what is strictly necessary to achieve its objectives. In that regard, the national judicial or administrative authority, which might be a law enforcement authority, issuing the order should balance the objective that the order seeks to achieve, in accordance with the legal basis enabling its issuance, with the rights and legitimate interests of all third parties that may be affected by the order, in particular their fundamental rights under the Charter. In particular in a cross-border context, the effect of the order should in principle be limited to the territory of the issuing Member State, unless the illegality of the content derives directly from Union law or the issuing authority considers that the rights at stake require a wider territorial scope, in accordance with Union and international law, while taking into account the interests of international comity.

## Case law

### Google LLC v CNIL

*Source: CJEU, C-507/17, 2019-09-24 — https://overview.legal/posts/51476 — original: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62017CJ0507&ref=51476*

Right to delisting does not require global de-referencing under EU law.

### Google Spain SL and Google Inc. v AEPD and Mario Costeja González

*Source: CJEU, C-131/12, 2014-05-13 — https://overview.legal/posts/51472 — original: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62012CJ0131&ref=51472*

Established the right to be forgotten (delisting). Search engines are data controllers.

### Google LLC, venant aux droits de Google Inc. v Commission nationale de l’informatique et des libertés (CNIL)

*Source: CJEU, 2019-09-24 — https://overview.legal/posts/6125 — original: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62017CJ0507&ref=6125*

Territorial scope of EU data protection law: The present case falls within the territorial scope of GDPR because “it is apparent from the information provided in the order for reference, first, that Google’s establishment in French territory carries on, inter alia, commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concerned, and, second, that that search engine must, in view of, inte

### UNABHäNGIGES LANDESZENTRUM FüR DATENSCHUTZ SCHLESWIG-HOLSTEIN v. WIRTSCHAFTSAKADEMIE SCHLESWIG-HOLDSTEIN GmbH

*Source: CJEU, 2018-06-05 — https://overview.legal/posts/6136 — original: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62016CJ0210&ref=6136*

Territorial Scope / Concept of “establishment”: Facebook Germany is responsible for promoting and selling advertising space and carries on activities addressed to persons residing in Germany. Given that a social network such as Facebook generates a substantial part of its income from advertisements posted on the web pages set up and accessed by users, and given that Facebook’s establishment in Germany is intended to ensure the promotion and sale in Germany of advertising space that makes Faceboo

### GC and Others v CNIL

*Source: CJEU, C-136/17, 2019-09-24 — https://overview.legal/posts/51475 — original: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62017CJ0136*

Conditions for delisting sensitive data from search results.

### GOOGLE SPAIN SL V. AEPD (THE DPA) & MARIO COSTEJA GONZALEZ, 13.May.2014 (“GOOGLE v. Spain”)

*Source: CJEU, 2014-05-13 — https://overview.legal/posts/6157 — original: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62012CJ0131&ref=6157*

Concept of ‘establishment’: An ‘establishment’ exists where an organization engages in the effective and real exercise of activity through stable arrangements in a EU Member State. It is not require that the processing be carried out by the establishment itself. The processing of personal data by the not-established controller suffices if it is “carried out in the context of the activities” of the establishment. In this case, the activities of the search engine and those of its establishment in

## Guidance

### Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

*Source: EDPB, edpb-guidelines-on-the-territorial-scope-of-the-gdpr, 2025-11-21 — https://overview.legal/posts/38074 — original: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en.pdf*

The European Data Protection Board (EDPB) issued Guidelines 3/2018 to clarify the territorial scope of the GDPR under Article 3, addressing the "establishment" criterion in Article 3(1), the "targeting" criterion in Article 3(2), and the representative requirements under Article 27. The guidelines emphasize that Article 3 applies to specific processing activities rather than to legal entities as a whole, meaning a single controller or processor may have some processing activities subject to the GDPR and others not. The EDPB adopted Version 2.0 on 12 November 2019 following public consultation, providing detailed interpretation to ensure consistent application by data protection authorities across the EU.

### Guidelines 07/2020 on the concepts of controller and processor in the GDPR

*Source: EDPB, edpb-guidelines-on-the-concepts-of-controller-and-processor-in-the-gdpr, 2025-11-21 — https://overview.legal/posts/38069 — original: https://edpb.europa.eu/system/files/2023-10/EDPB_guidelines_202007_controllerprocessor_final_en.pdf*

The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA). The conc...

### Guidelines 02/2024 on Article 48 GDPR

*Source: EDPB, edpb-guidelines-022024-on-article-48-gdpr, 2025-11-21 — https://overview.legal/posts/38045*

Article  48  GDPR  provides  that:  ' Any  judgment  of  a  court  or  tribunal  and  any  decision  of  an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data  may  only  be  recognised  or  enforceable  in  any  manner  if  based  on  an  international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer...

### Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679

*Source: EDPB, edpb-guidelines-on-codes-of-conduct-and-monitoring-bodies, 2025-11-21 — https://overview.legal/posts/38051 — original: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct.pdf*

The European Data Protection Board (EDPB) issued these guidelines to clarify the framework for codes of conduct and monitoring bodies under Articles 40 and 41 of the GDPR. The guidelines address the admissibility, content, and approval requirements for draft codes of conduct, as well as the criteria and accreditation process for monitoring bodies responsible for verifying compliance with such codes. This version (2.0) was adopted on 4 June 2019 following public consultation.

### Guidelines 01/2022 on data subject rights - Right of access

*Source: EDPB, edpb-guidelines-on-data-subject-rights---right-of-access, 2025-11-21 — https://overview.legal/posts/38055 — original: https://edpb.europa.eu/system/files/2023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf*

The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.

### Guidelines 9/2022 on personal data breach notification under GDPR

*Source: EDPB, edpb-guidelines-on-personal-data-breach-notification-under-gdpr, 2025-11-21 — https://overview.legal/posts/38058 — original: https://edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf*

The EDPB adopted Guidelines 9/2022 (Version 2.0, 28 March 2023) to update and replace the prior WP250 guidance on personal data breach notification under Articles 33 and 34 of the GDPR. The guidelines address the definition and types of personal data breaches, controller and processor notification obligations, the concept of a controller becoming "aware" of a breach, cross-border and non-EU establishment breach scenarios, and the conditions under which notification to supervisory authorities and data subjects is or is not required.

## Recent developments

### Greek SA fines Clearview AI for EUR 20M

*Source: IAPP, 2022-10-20 — https://overview.legal/posts/6252 — original: https://iapp.org/news/a/greek-dpa-imposes-20m-euro-fine-on-clearview-ai-for-unlawful-processing-of-personal-data#entry-1098*

A rundown of the fine on IAPP: https://iapp.org/news/a/a-rundown-of-the-greek-dpas-clearview-ai-fine-findings

## Literature

### Perspectives for Open Source AI

*Source: i-lex, 2026-07-07 — https://overview.legal/posts/83512 — original: https://doi.org/10.60923/issn.1825-1927/23382*

The world’s first most comprehensive law regulating artificial intelligence, the EU Artificial Intelligence Act, has been enacted in June 2024 and entered into force in August 2024. The AI Act aims to provide transparency and ensure safe use of AI systems by introducing obligations and requirements for developers and deployers based on the risk posed by AI systems. Despite the long legislation process that launched in 2020 and multiple negotiations, the final version of the Act includes a number

## Related topics

- **Personal Data** — https://overview.legal/topics/persoonsgegevens
  Information relating to identified or identifiable natural persons
- **Processing** — https://overview.legal/topics/verwerking
  Any operation performed on personal data
- **Controllers** — https://overview.legal/topics/controllers
  Entities that determine purposes and means of processing
- **Application Scope: Temporal and Territorial Dimensions** — https://overview.legal/topics/application-scope-temporal-territorial
  This topic is needed to capture the specific provisions regarding when (temporal) and where (territorial) the AI Act applies, which are distinct from general sc
- **Representatives** — https://overview.legal/topics/representatives
  Representatives of controllers not established in the EU
- **Supervision** — https://overview.legal/topics/toezicht
  Oversight and enforcement by supervisory authorities

---
Generated by overview.legal · https://overview.legal/topics/territorial-scope · 2026-07-14
