Article 3 explains the territorial scope of the regulation, meaning where the law applies geographically. It clarifies that the rules apply not only to organisations based in the UK or EU, but also to organisations outside these areas if they process personal data of individuals who are located in the UK or EU.
The article states that the regulation applies when organisations offer goods or services to individuals in the UK/EU or monitor their behaviour, such as through online tracking, cookies, or profiling. This ensures that people’s data is protected even when dealing with international companies and online platforms.
Overall, Article 3 prevents organisations from avoiding data protection responsibilities by operating from outside the UK or EU, ensuring strong and consistent protection of personal data regardless of location.
| Section / Point | Summary | Notes / Examples |
|---|---|---|
| General territorial scope | Regulation applies to organisations **established in the UK/EU** processing personal data. | Companies, public authorities, non-profits based in the UK/EU. |
| Extra-territorial scope | Applies to organisations **outside the UK/EU** if they **offer goods/services** or **monitor behaviour** of individuals in the UK/EU. | Example: an online store in the US selling to UK customers, or a website tracking UK users with cookies. |
| Offering goods or services | Data processing falls under the regulation if aimed at **UK/EU individuals**, regardless of payment. | Free apps, subscription services, e-commerce platforms. |
| Monitoring behaviour | Processing that tracks individuals’ behaviour within the UK/EU is covered. | Online profiling, targeted advertising, web analytics. |
| Purpose | Ensures individuals’ personal data is protected **even by non-UK/EU companies**. | Prevents organisations from avoiding GDPR responsibilities by being outside the region. |
Article 1 – Article 2, Article 3, Article 4, Article 5, Article 6, Article 7 , Article 8