Article 3(1): EU-established controllers and processors
Under Article 3(1) the GDPR applies to processing 'in the context of the activities of an establishment of a controller or a processor in the Union', regardless of whether the processing itself happens in the EU or not. There is no statutory definition of establishment, but Recital 22 gives it a broad meaning: the effective and real exercise of activity through stable arrangements, with legal form (branch, subsidiary) irrelevant. Two questions must both be answered yes: (1) is there an establishment in the EU? and (2) is the processing carried out 'in the context of the activities' of that establishment? Key cases: Weltimmo (broad establishment) and Google Spain (the 'inextricable link' test).
Article 3(1) needs a two-step analysis. Step 1 - is there an establishment in the EU? Recital 22 makes this broad: effective and real exercise of activity through stable arrangements, and legal form is not determinative. In Weltimmo the CJEU said even a real and effective activity, even a minimal one through stable arrangements is enough, and a single representative may suffice. Weltimmo (incorporated in Slovakia) was held established in Hungary.
- The Weltimmo website was mainly/entirely directed at Hungary (Hungarian properties, Hungarian language)
- Weltimmo had a representative in Hungary for administrative and judicial proceedings
- Weltimmo had opened a Hungarian bank account to recover debts
- Weltimmo used a Hungarian letter box for everyday business affairs
Step 2 - is the processing 'in the context of the activities' of that establishment? In Google Spain the CJEU found Google Spain's advertising activities were inextricably linked to the US search engine's processing, because the advertising made the search engine economically profitable and the engine enabled the advertising. So Article 3(1) applied even though Google Spain did not itself run the search functionality.
The nationality of the data subjects is irrelevant. Appointing an EU processor does NOT make a non-EU controller subject to the GDPR. Appointing an Article 27 EU representative does NOT make you 'established'. Being in the same corporate group is not by itself an 'inextricable link'. The mere presence of an EU employee is not enough unless the processing is in the context of that employee's activities.
| Scenario | GDPR apply to whom? |
|---|---|
| Mexican retailer (Mexico-only market) appoints a Spanish processor | Not the Mexican controller; yes the Spanish processor (it is EU-established) |
| Chinese e-commerce site with a Berlin office running EU marketing campaigns | Yes - processing 'in the context of' the German establishment |
| French controller runs a car-sharing app only in Morocco/Algeria/Tunisia but processes in France | Yes - processing is in the context of the French controller's activities; data subjects' location is not determinative |
| EU employee present, but processing relates only to the controller's non-EU activities | No - mere employee presence is not enough |