Module 4 · Territorial and material scope
Article 3 sets territorial scope - and only one criterion need be met: the establishment criterion (Art 3(1)), the targeting/monitoring criterion (Art 3(2)), or public international law (Art 3(3)). Article 2 sets material scope (automated, or non-automated in a filing system) with key exclusions. Guidelines 3/2018 and Opinion 04/2024 refine establishment and the main establishment.
| Criterion | Article | Trigger |
|---|---|---|
| Establishment | Art 3(1) | Processing by an EU-established controller/processor, regardless of where the processing occurs |
| Targeting / monitoring | Art 3(2) | Controller/processor not established in the EU processing data of subjects in the EU, where activities relate to offering goods or services or monitoring behaviour |
| Public international law | Art 3(3) | Where Member State law applies by virtue of public international law |
Processor status alone does NOT create controller establishment. A controller is not deemed established in the EU just because it uses an EU-based processor - per Guidelines 3/2018.
Opinion 04/2024 (Article 4(16)(a), main establishment): the "place of central administration" can be the main establishment where the decision-making power exists. The one-stop-shop applies with cross-border processing and a clear authority structure.
Material scope (Article 2) applies to processing wholly or partly by automated means (note: this is not the same as automated decision-making) and to non-automated processing that forms part of a filing system.
- Exclusion: activities outside the scope of EU law
- Exclusion: law enforcement and public security
- Exclusion: purely personal or household activities