Lesson 18 of 25
Material & Territorial Scope of the GDPR (Articles 2–3)
5 min read · CIPP/E
Apply the material-scope carve-outs and the territorial establishment and targeting tests, including the GDPR's extraterritorial reach and the Article 27 EU-representative requirement.
Domain IV: who is covered and who answers
- Domain IV — scope and accountability
- Material scope (Art. 2) — what processing is covered
- Territorial scope (Art. 3) — who is caught, even outside the EU
- 8-18 scored questions
Domain four asks two big questions: who is covered by the GDPR, and who answers for compliance? It carries between eight and eighteen scored questions. We start with scope, because before any obligation applies, the GDPR has to apply at all.
There are two scope tests. Material scope, in Article 2, asks what kinds of processing the GDPR covers. Territorial scope, in Article 3, asks who is caught geographically, and the surprising answer is that it can reach far beyond Europe's borders.
Get both tests right and you can quickly decide whether the GDPR even applies to a scenario, which is often the first move on an exam question.
Material scope (Article 2)
- Covers processing wholly or partly by automated means
- Also manual processing in a filing system
- Exemptions: purely personal/household activity
- Also out: law enforcement (2016/680), national security, EU institutions
Material scope is in Article 2. The GDPR applies to the processing of personal data wholly or partly by automated means, and to manual processing of data that forms, or is intended to form, part of a filing system. So both computers and structured paper files are in.
But Article 2 carves out exemptions. The household exemption excludes processing by a natural person in the course of a purely personal or household activity: a private contacts list, for example, qualifies, whereas running a public blog does not. The GDPR also does not apply to processing by competent authorities for law enforcement purposes, which falls under the Law Enforcement Directive (EU) 2016/680; to activities outside the scope of EU law, such as national security; or to processing by the EU institutions themselves, which are governed by their own regulation and supervised by the EDPS.
Know those carve-outs, because the exam uses them as distractors.
Territorial scope: the establishment test (Article 3(1))
- Applies to processing in the context of an EU establishment
- Applies even if the processing happens elsewhere
- 'Establishment' = stable arrangements, not just a server
- Where the processing physically occurs is not decisive
Territorial scope is in Article 3, and it has two limbs. The first, Article 3(1), is the establishment test: the GDPR applies to processing in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing itself takes place in the EU. Establishment means the effective and real exercise of activity through stable arrangements; the legal form does not matter, and even a single representative can count.
The key exam point is that the location of the processing is not decisive; what matters is whether it happens in the context of an EU establishment's activities. So a company with a real EU branch is caught even if its servers sit elsewhere.
Territorial scope: the targeting test (Article 3(2))
- Catches controllers/processors with NO EU establishment
- Limb (a): offering goods or services to people in the EU
- Limb (b): monitoring behaviour that occurs in the EU
- This is the GDPR's extraterritorial reach
The second limb, Article 3(2), is the famous extraterritorial reach, and it is heavily tested. Even a controller or processor with no establishment in the EU is caught if it processes the personal data of individuals who are in the EU in connection with either of two activities. Limb (a) is offering goods or services to those individuals, whether or not payment is required: think of a US online store that ships to Europe, prices in euros, and uses European languages.
Limb (b) is monitoring the behaviour of those individuals, as far as that behaviour takes place within the EU: think of tracking and profiling EU web visitors. Merely having a website accessible from Europe is not enough; there must be evidence of an intention to target or monitor individuals in the EU. That intent test is exactly what the exam probes.
The Article 27 representative
- Non-EU orgs caught by Article 3(2) usually need an EU representative
- A point of contact for individuals and authorities
- Designated in writing, in a member state where data subjects are
- Exemptions for occasional, low-risk processing
If a non-EU organisation is caught by the targeting test in Article 3(2), Article 27 generally requires it to designate, in writing, a representative in the EU. The representative is established in a member state where the relevant data subjects are, and serves as a point of contact for supervisory authorities and for individuals exercising their rights, so people are not forced to chase a company across the world. There are exemptions: for example, where the processing is occasional, does not involve large-scale processing of special-category data, and is unlikely to result in a risk to individuals; public authorities are also exempt.
The exam may give you a non-EU company targeting EU customers and ask what it must do; appointing an Article 27 representative is the answer.
Recap
- Material scope (Art. 2): automated + filing-system processing, minus carve-outs
- Establishment test (Art. 3(1)): EU establishment, wherever processing occurs
- Targeting test (Art. 3(2)): offering goods/services or monitoring EU residents
- Article 27: non-EU targeters need an EU representative
So scope comes down to two tests. Material scope under Article 2 covers automated and filing-system processing, minus carve-outs for purely household activity, law enforcement, national security, and the EU institutions. Territorial scope under Article 3 has the establishment test, which catches any processing tied to an EU establishment wherever it physically happens, and the targeting test, which reaches non-EU organisations that offer goods or services to, or monitor the behaviour of, people in the EU.
And those non-EU targeters usually must appoint an Article 27 representative. Next, we turn from who is covered to who answers, the accountability tools: DPIAs, records, privacy by design, and the DPO. First, go test yourself on scope.
Sources
- Regulation (EU) 2016/679 (GDPR), Article 2 (material scope), Article 3 (territorial scope), Article 27 (representatives of non-EU controllers)
- Recitals 22-25
- EDPB Guidelines 3/2018 on territorial scope
Test your knowledge
A few CIPP/E practice questions on this domain.
Q1. A data subject believes their personal data was misused and wants to take action. Which combination of remedies is available under the GDPR?
Q2. According to Recital 4 of the GDPR, is the right to the protection of personal data an absolute right?
Q3. A payroll company processes employee salary data on behalf of a client business. The payroll company decides on its own to use the salary data for its own benchmarking service. How does this action change the payroll company's role?
Q4. A political party processes data revealing its members' political opinions. Which Article 9(2) condition is most likely available to it?