Extra-territorial reach under the GDPR
Produced in partnership with Bridget Treacy and Aaron Simpson of Hunton Andrews Kurth

The following Financial Services guidance note, produced in partnership with Bridget Treacy and Aaron Simpson of Hunton Andrews Kurth, provides comprehensive and up-to-date legal information covering:

  • Extra-territorial reach under the GDPR
  • Key guidance
  • Territorial scope under the Data Protection Directive
  • Territorial scope under the GDPR
  • Complying with the GDPR
  • Appointing a representative
  • Extraterritorial enforceability of the GDPR
  • Exceptions
  • Conclusions

Brexit: On 31 January 2020, the UK ceased to be an EU Member State and entered an implementation period, during which it continues to be subject to EU law. During this period, the GDPR applies in the UK and the UK generally continues to be treated as an EU (and EEA) state for EEA and UK data protection law purposes. Any references to EEA or EU states in this Practice Note should therefore be read to also include the UK until the end of the implementation period. For further guidance on that period, its duration and the data protection laws that are anticipated to apply after the end of it, see Practice Note: Brexit—implications for data protection.

Although the text of the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR) refers throughout to the ‘Union’, it is stated on page one of the GDPR that it is a text ‘with EEA relevance’, meaning all provisions are intended to be applicable in respect of all EEA members, not just those that also have EU membership. Now the GDPR is incorporated into the EEA Agreement and in force, references to EU Member States in the GDPR can generally be read to also include EEA members. For further information, see the European Free Trade Association’s GDPR tracker. References to the ‘EU’ in regulatory