CIPP/E Study Guide
Ch 5.2.2 - Extraterritorial reach

Article 3(2): the targeting and monitoring tests

Article 3(2) is the long-arm rule for organisations not established in the EU. It catches their processing of personal data of data subjects who are in the Union where the activities relate to (a) the offering of goods or services to them (even if no payment is required), or (b) the monitoring of their behaviour as far as it takes place in the Union. The targeting limb requires intentional targeting (mere accessibility of a website is not enough); the monitoring limb does not require any intention and so is wider than the targeting limb.

Article 3(2) reaches organisations with no EU establishment where they process data of data subjects who are in the Union in connection with two alternative limbs. Note: payment by the data subject is not required for the targeting limb.

The two limbs of Article 3(2)
| Feature | Art 3(2)(a) - Targeting | Art 3(2)(b) - Monitoring |
| --- | --- | --- |
| What it catches | Offering of goods or services to people in the EU | Monitoring (profiling) of behaviour of people in the EU |
| Payment required? | No - irrespective of whether payment is required | N/A |
| Intention required? | Yes - must intentionally target, not inadvertently/incidentally | No intention required - so this limb is wider |
| Geographic condition | Goods/services offered to people in the EU | Behaviour monitored must take place in the Union |
| Typical actors | E-commerce, online services | Adtech networks, e-commerce, app developers |

Targeting (3(2)(a)). Recital 23 asks whether it is apparent that the controller envisages offering services to data subjects in the Union. The EDPB stresses the rule targets intentional, not inadvertent or incidental, contact. Mere accessibility of a website from the EU is not enough, nor is a contact address accessible from the EU, nor using the same language as the home country. Example: a US-only news app accessed by a US tourist travelling in Europe is not caught.

Factors that can indicate an intention to target people in the EU include:

  • Naming the EU or member states in reference to the goods/services
  • Use of an EU language
  • Marketing/advertising campaigns directed at EU audiences
  • Ability to place orders in EU languages
  • Referencing travel instructions from the EU
  • Paying a search engine to facilitate access by people in the EU
  • Dedicated addresses or phone numbers for people in the EU
  • Use of a top-level EU domain (e.g. '.de' or '.eu')

Swiss university example

General admissions requiring English/German are not caught - the language requirement applies to everyone, with no distinction for EU students. But a summer course specifically advertised to German and Austrian universities shows a clear intention to offer services to people in the Union, triggering the GDPR.

Monitoring (3(2)(b)). Recital 24: 'monitoring' specifically includes tracking individuals online to create profiles, including to make decisions about them or analyse/predict their preferences, behaviours and attitudes. The behaviour must (i) relate to a data subject in the Union and (ii) take place in the Union. No intention to monitor is required. Example: a Canadian app developer with no EU establishment that monitors EU users' behaviour is caught. EDPB examples of monitoring include behavioural advertising and geolocalisation, online tracking via cookies and device fingerprinting, personalised diet/health analytics, CCTV, market surveys based on profiles, and regular reporting on an individual's health. Offline monitoring is also within scope.

Key terms - quick answers

What is “Article 3(2)”?
Applies the GDPR to non-EU controllers/processors where they target (offer goods/services to) or monitor the behaviour of people in the Union.
What is “Data subjects who are in the Union”?
The trigger group for Article 3(2). Interpretation is unsettled; EU residency should not be assumed to be a prerequisite.
What is “Offering of goods or services”?
Article 3(2)(a): catches non-EU organisations that offer goods/services to people in the EU, irrespective of whether payment is required; targeting must be intentional, not inadvertent.
What is “Monitoring of behaviour”?
Article 3(2)(b): catches non-EU organisations monitoring (profiling) the behaviour of people in the EU, as far as that behaviour takes place in the Union; no intention required.