One of GDPR’s most significant and frequently misunderstood features is its extraterritorial reach. Article 3 extends GDPR’s application beyond organisations established in the EU to organisations anywhere in the world if they offer goods or services to EU/EEA data subjects, or monitor the behaviour of EU/EEA data subjects. This means that a business based in Singapore, Indonesia, the United States, or any other non-EU country can be subject to GDPR obligations — including the obligation to appoint an EU representative and to comply with all data subject rights, transparency, and accountability requirements — simply by having EU customers or EU website visitors.
Awareness of GDPR’s extraterritorial scope remains lower than it should be among non-EU businesses. Many have built their processing practices, privacy policies, and data governance frameworks with reference only to their local data protection law. When they begin serving EU markets — or when a DPA investigates them in response to a data subject complaint — they discover that GDPR has applied to their processing for years, and that their compliance posture is inadequate.
Article 3: When GDPR Applies to Non-EU Organisations
ARTICLE 3 EXTRATERRITORIAL TRIGGERS
| Trigger | Article | When It Applies | Examples |
|---|---|---|---|
| Offering goods or services to EU/EEA data subjects | 3(2)(a) | The non-EU organisation intentionally offers its goods or services to individuals in the EU/EEA, even if no payment is involved | E-commerce site shipping to EU countries; SaaS platform with EU users; app with EU language and pricing; B2B services sold to EU companies where the processing involves employees or end users in the EU |
| Monitoring the behaviour of EU/EEA data subjects | 3(2)(b) | The non-EU organisation tracks individuals’ behaviour on the internet, including profiling, to analyse or predict preferences, behaviour, or attitudes | Analytics tracking of EU website visitors; behavioural advertising targeting EU users; IoT monitoring of EU individuals; tracking-based personalisation of content served to EU users |
| Establishment in the EU | 3(1) | The organisation has an establishment (office, subsidiary, or other stable arrangement) in the EU/EEA; processing in the context of that establishment’s activities | Even if processing occurs outside the EU, if it is in the context of an EU establishment’s activities, GDPR applies to that processing |

KEY IDEA: The EDPB’s Guidelines 3/2018 on territorial scope confirm that the ‘offering goods or services’ trigger does not require a formal offer; it requires that the non-EU organisation’s intention to offer services to EU data subjects is apparent. Relevant indicators include: the website is accessible in an EU language; EU currency is accepted; delivery to EU countries is enabled; EU-specific terms and conditions are published. The presence of EU website visitors alone, without any of these targeting indicators, is generally not sufficient to trigger Article 3(2)(a), but once targeting indicators are present, GDPR applies regardless of the organisation’s establishment location.
Article 27: The EU Representative Requirement
Article 27 requires non-EU organisations subject to GDPR under Article 3(2) to designate in writing a representative in the EU. The representative acts as a point of contact for EU data subjects and EU DPAs. The representative is not a DPO — it is a contact and liaison function, not a compliance oversight function. The representative can be an individual or a company, and must be established in one of the EU member states in which the data subjects whose data is processed are located.
ARTICLE 27 EU REPRESENTATIVE — KEY REQUIREMENTS
| Requirement | Detail | Common Question |
|---|---|---|
| Designation in writing | The representative must be formally designated in writing; a service agreement or letter of appointment is required | Can an employee of the non-EU organisation’s EU customer act as representative? Generally no — the representative must be specifically mandated by the non-EU organisation |
| Established in the EU | Must be established in a member state where EU data subjects affected by the processing are located | Must the representative be in every EU country where data subjects are located? No — established in one member state where data subjects are located; one representative can cover multiple member states |
| Contact point for data subjects | Data subjects may contact the representative to exercise their GDPR rights; representative must be contactable and able to escalate rights requests to the non-EU organisation | The representative receives and forwards rights requests; the non-EU organisation remains responsible for responding within the 30-day deadline |
| Contact point for DPAs | DPAs may contact the representative as a point of contact for investigations and enforcement actions; representative may be liable alongside the controller for non-compliance | Representative liability is a significant consideration for representatives taking on this role; representative should have a clear indemnity and information flow agreement with the non-EU organisation |
| Publication | Representative’s details must be published in the privacy notice; data subjects and DPAs must be able to identify and contact the representative | Include representative’s name, address, and contact details in the privacy notice; make clear they are the EU point of contact for GDPR purposes |
| Exemptions | Organisations whose processing is occasional, low-risk, and does not involve special category data or Art. 22 processing may be exempt; public authorities are exempt | Exemption is narrow; any systematic EU processing — including e-commerce, SaaS, marketing — is unlikely to qualify; seek legal advice before claiming exemption |
Building GDPR Compliance from Outside the EU
For a non-EU organisation newly subject to GDPR, the compliance programme must address all the same obligations as an EU-established organisation: lawful basis, transparency, data subject rights, security, breach notification, processor management, and accountability. The practical difference is the absence of an EU establishment — which means certain operational controls (DPA relationship, data subject rights fulfilment, breach notification) must be managed remotely, usually through the EU representative or a dedicated compliance team.
NON-EU ORGANISATION GDPR COMPLIANCE ROADMAP
| Phase | Priority Actions | Timeline |
|---|---|---|
| Phase 1: Assessment | Confirm that Article 3(2) applies; scope the EU processing (identify which activities affect EU data subjects); assess current compliance posture against GDPR requirements; identify critical gaps | Weeks 1–4 |
| Phase 2: Foundations | Designate EU representative; appoint or designate DPO if required; draft/update privacy notice in EU languages; establish GDPR-compliant consent mechanism for EU users if applicable | Weeks 4–8 |
| Phase 3: Documentation | Build or update RoPA covering EU-scope processing; assess and document lawful basis for each processing activity; conduct LIAs where legitimate interests relied on | Weeks 6–12 |
| Phase 4: Rights and breach | Implement data subject rights intake and response procedure; establish breach detection and 72-hour notification pathway; create breach register | Weeks 8–14 |
| Phase 5: Processors and transfers | Audit EU-related processors; execute DPAs; identify cross-border transfers from EU data subject data; implement Chapter V mechanisms where required | Weeks 10–16 |
| Phase 6: Ongoing compliance | Annual compliance review; training for staff handling EU personal data; RoPA and notice maintenance; breach register maintenance; EU representative relationship management | Ongoing; annual review cycle |
Which EU DPA Has Jurisdiction Over Non-EU Organisations?
For non-EU organisations without an EU establishment, there is no main establishment and no lead supervisory authority under the one-stop-shop mechanism. The competent DPA is the DPA of the member state in which data subjects are affected by the non-EU organisation’s processing, or the DPA of the member state in which the EU representative is established. Non-EU organisations may therefore face enforcement actions from multiple DPAs in different member states.
DPA JURISDICTION FOR NON-EU ORGANISATIONS
| Scenario | Competent DPA |
|---|---|
| Non-EU organisation, EU representative in Germany, data subjects only in Germany | German DPA (Bundesdatenschutzbeauftragter / state DPA) — single competent authority |
| Non-EU organisation, EU representative in Ireland, data subjects across multiple EU member states | Multiple DPAs may be competent; the Irish DPC, as the DPA of the state where the representative is established, is a natural contact point; no formal one-stop-shop mechanism applies to non-EU organisations |
| Non-EU organisation without EU representative (non-compliant with Art. 27) | Any DPA of a member state where data subjects are affected may assert jurisdiction; enhanced enforcement risk from non-appointment of representative |
| Non-EU organisation subject to a data subject complaint in France | CNIL (French DPA) has jurisdiction to investigate the complaint regardless of where the organisation or representative is established |

BITLION INSIGHT: The most common GDPR compliance gap for non-EU organisations serving EU markets is not a deliberate decision to avoid GDPR; it is a failure to appreciate that GDPR applies at all. Article 3(2) is unambiguous, but awareness of it outside the EU legal community is patchy. The consequences of non-compliance for a non-EU organisation are real: EU DPAs have investigated and fined non-EU organisations; EU data subjects file complaints against companies regardless of where they are established; and the reputational damage of a DPA enforcement action can effectively close EU market access. The investment in GDPR compliance for non-EU organisations targeting EU markets should be treated as a market entry cost, not an optional compliance overhead.