Public international law, EU representatives and Brexit
Article 3(3) applies the GDPR where a controller not established in the Union processes in a place where member state law applies by virtue of public international law - for example, EU member state embassies/consulates, or ships and aircraft registered to a member state. It has little practical commercial significance. Separately, the EU representative (Article 27) is a contact point for non-EU controllers/processors caught by Article 3(2) - but appointing one does not make the organisation 'established'. Post-Brexit, the UK has enacted identical provisions, swapping 'member state' for 'United Kingdom', so an organisation can be caught by both EU and UK regimes at once.
Article 3(3) covers, for example, embassies and consulates of EU member states, and aircraft and ships to which the GDPR applies by treaty - e.g. a ship registered to a member state when in international waters. The text notes it has little practical significance in commercial/business contexts.
Appointing an Article 27 EU representative does NOT make a controller or processor 'established' in the EU under Article 3(1). Likewise, appointing an EU processor does not make a non-EU controller subject to the GDPR. These are classic exam traps.
Brexit. The UK enacted identical provisions, replacing 'member state' with 'United Kingdom'. So an organisation with establishments in both an EU member state and the UK, or one targeting/monitoring people in both, will be subject to both EU and UK data protection law.
| Situation | Laws that apply |
|---|---|
| Establishments in both an EU member state and the UK, processing in the context of each | Both EU and UK data protection law |
| EU-established organisation that targets/monitors individuals in the UK | Both EU and UK law (and the mirror is true for a UK-established organisation targeting/monitoring people in the EU) |