Pursuant to Article 3, the GDPR applies if personal data is processed by (1) an “establishment” in the EU or (2) a controller or processor not established in the EU that “targets” or “monitors” data subjects in the EU. Many companies have expressed confusion about what it means to have an “establishment” in the EU. For instance, are companies subject to the GDPR solely because they use an EU processor? Similarly, are companies without an EU presence subject to the GDPR simply because they have EU customers or clients? What qualifies as “monitoring” subjects in the EU? The draft Guidelines attempted to address many of these open questions.

The Meaning of ‘Establishment’

Pursuant to Article 3(1), the GDPR applies to data processing carried out in the context of the activities of an “establishment” of an EU-based controller or processor, regardless of whether the processing takes place in the EU. The threshold for when a company has such an establishment is low enough that a single employee or agent in the EU may, in certain circumstances, qualify. For this reason, U.S. companies cannot assume that the GDPR does not apply to them because they do not have a registered office branch or subsidiary in the EU.