The first question every organisation should answer about GDPR is the simplest to ask and the easiest to get wrong: does it actually apply to us? Because GDPR reaches well beyond Europe’s borders, the answer is “yes” for far more businesses than realise it — and knowing where you stand is the starting point for any GDPR compliance.
This guide walks through the Article 3 scope tests in plain terms, with examples of who is caught, who is not, and how to assess your own position.
The two-part scope test
GDPR’s reach is defined by Article 3, and it is wider than most people expect. There are two main ways to fall in scope. The first is the establishment test: if you process personal data in the context of an establishment in the EU, GDPR applies — no matter where the actual processing happens.
The second is the targeting test: even with no EU presence at all, GDPR applies if you offer goods or services to people in the EU, or monitor their behaviour. Together these mean a great many non-EU organisations are caught.
Test 1: establishment in the EU
If your organisation has an establishment in the EU — an office, branch, or stable arrangement — and you process personal data in the context of its activities, GDPR applies to that processing. Crucially, it does not matter whether the data is actually processed inside or outside the EU.
“Establishment” is interpreted broadly: it is about the real and effective exercise of activity through stable arrangements, not the legal form. Even a single representative or branch can be enough if it is connected to the processing.
Test 2: offering goods or services to people in the EU
Under Article 3(2)(a), an organisation outside the EU is caught if it offers goods or services to people in the EU — whether or not payment is required. A free app with EU users counts just as much as a paid product.
The key is intent to target. Simply being accessible from the EU is not enough; there must be evidence you envisaged offering to EU customers — which we look at next.
What counts as “targeting” the EU?
Regulators look at practical signals that you intend to reach EU customers. These include using an EU language or currency, mentioning EU customers or countries, offering shipping to the EU, using an EU top-level domain, or running marketing aimed at EU audiences.
No single factor is decisive, but several together strongly suggest targeting. If a French customer can browse in French, pay in euros and have goods shipped to Paris, you are clearly offering services to people in the EU.
Test 3: monitoring behaviour
Article 3(2)(b) catches organisations that monitor the behaviour of people in the EU. This is especially relevant online: tracking visitors with analytics, advertising cookies, profiling or location tracking can bring you in scope even if you never sell anything to them.
So a content site outside the EU that runs behavioural advertising or detailed analytics on its EU visitors is monitoring them, and GDPR applies to that activity.
It is about location, not citizenship
A common misconception is that GDPR protects “EU citizens”. It does not turn on nationality at all. GDPR protects people who are in the EU when their data is processed — a US tourist using your service from Berlin is protected; an EU citizen living in the US and using your service from there is generally not protected under the targeting test.
This distinction matters when you assess scope: focus on where people are and whether you are targeting or monitoring them, not on their passports.
Controllers and processors both count
GDPR applies to both controllers (who decide why and how data is processed) and processors (who process on a controller’s behalf). A non-EU cloud provider hosting an EU controller’s data is a processor in scope of GDPR, with its own direct obligations.
So you can be pulled into GDPR not only through your own customers but through the role you play in someone else’s processing chain.
Typical examples of who is in scope
Real-world examples make this concrete: a US SaaS company with European customers; an Asian e-commerce store that ships to the EU and accepts euros; a global media site that profiles EU visitors for advertising; a processor anywhere that handles EU residents’ data for a client.
In each case there is no EU office, yet GDPR applies because the organisation targets or monitors people in the EU.
Who is generally not in scope
Not everyone is caught. Purely personal or household activity — your private address book, for instance — is excluded. So is an organisation with no EU establishment that genuinely does not target or monitor anyone in the EU, even if its site is technically reachable from Europe.
The line is intent and effect: passive accessibility is not enough; deliberate offering or monitoring is.
The representative requirement
If you are caught by the targeting or monitoring test and have no establishment in the EU, you generally must appoint an EU representative — a person or entity in a member state where some of your data subjects are, who acts as a local contact point for individuals and regulators.
There are limited exemptions for occasional, low-risk processing, but for most in-scope businesses a representative is a practical necessity, named in the privacy notice.
Why scope is easy to underestimate
Because GDPR does not require an EU office, many organisations wrongly assume it does not apply to them. Analytics on EU visitors, a handful of EU customers, or an EU-language marketing page can all bring you in scope — often before anyone in the business has thought about compliance.
The safest posture is to assume scope is broad and check carefully, rather than assume you are exempt because you are not based in Europe.
How to assess your own scope
Work through the tests in order. Do you have any EU establishment connected to your processing? Do you target people in the EU through language, currency, shipping or marketing? Do you monitor EU visitors through analytics, advertising or profiling? A yes to any of these means GDPR applies to that activity.
Document your assessment either way — deciding you are out of scope is itself a decision the accountability principle expects you to be able to justify.
Getting it right
Scope is the foundation of everything else: lawful bases, rights, security and records all follow from being in scope. Getting it wrong — in either direction — is costly, so it is worth a careful, documented assessment before you build the rest of your programme.
ISpectra Technologies helps organisations determine exactly where GDPR applies to them, appoint representatives where needed, and scope a proportionate programme around the result.
What about the UK?
Since Brexit, the UK has its own UK GDPR with a parallel scope test: it applies to organisations established in the UK, and to those outside the UK that target or monitor people in the UK. So a business serving customers on both sides of the Channel can be in scope of the EU GDPR and the UK GDPR at the same time.
If that describes you, run the scope test twice — once for the EU and once for the UK — and remember you may need a representative in each territory if you have no local establishment.