Introduction and overview of scope
Chapter 5 sets out two filters that decide whether the GDPR applies at all: territorial scope (which organisations, by location or by who they target) and material scope (which kinds of processing). Territorial scope catches EU-established organisations and, on a long-arm extraterritorial basis, non-EU organisations that offer goods or services to, or monitor, people in the EU. Material scope is broad, but some processing is carved out (e.g. purely domestic processing, or processing covered by another EU instrument such as Regulation 2018/1725 for EU institutions).
The chapter answers two separate questions. First, territorial scope: does the GDPR reach this organisation at all? Second, material scope: even if an organisation is in scope, is this particular kind of processing one the GDPR governs? Both filters must be satisfied for the GDPR to apply.
| Filter | Governing Article | Question it answers |
|---|---|---|
| Territorial scope | Article 3 | Is this organisation caught - by EU establishment, or by targeting/monitoring people in the EU? |
| Material scope | Article 2 | Is this kind of processing within the GDPR, or carved out (e.g. domestic, law enforcement, EU institutions)? |
The EDPB makes clear Article 3 is assessed per data processing activity. The fact that some of an organisation's activities are caught does not mean all of them are.