EU GDPR—extra-territorial reach
Produced in partnership with Aaron Simpson of Hunton Andrews Kurth and Bridget Treacy of Hunton Andrews Kurth
EU GDPR—extra-territorial reach

The following Information Law practice note Produced in partnership with Aaron Simpson of Hunton Andrews Kurth and Bridget Treacy of Hunton Andrews Kurth provides comprehensive and up to date legal information covering:

  • EU GDPR—extra-territorial reach
  • Key guidance
  • Territorial scope under the Data Protection Directive
  • Territorial scope under the EU GDPR
  • Article 3(1)—establishment
  • Article 3(2)—‘goods or services’ test
  • Article 3(2)—‘monitoring’ test
  • Complying with the EU GDPR
  • Appointing a representative in the EEA
  • Extraterritorial enforceability of the EU GDPR
  • More...

Brexit: On 31 January 2020, the UK ceased to be an EU Member State and entered an implementation period, during which it continues to be subject to EU law. During this period, the EU GDPR applies in the UK and the UK generally continues to be treated as an EU (and EEA) state for EEA and UK data protection law purposes. Any references to EEA or EU states in this Practice Note should therefore be read to also include the UK until the end of the implementation period. For further guidance on that period, its duration and the data protection laws that are anticipated to apply after the end of it, see Practice Note: Brexit—implications for data protection.

In summary, organisations with an establishment in the EEA that process personal data and that cannot rely on an exception under the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) will be within the scope of the EU GDPR. Those organisations without a physical presence in the EEA but that process personal data, whether regularly or sporadically, should consider whether they are likely to be caught by the EU GDPR and required to appoint a representative in the EEA.

This Practice Note covers:

  1. key guidance

  2. territorial scope of preceding EU data protection laws

  3. territorial scope of the EU GDPR

  4. extra-territorial enforceability of the EU GDPR

  5. consequences of

Related documents:

Popular documents