The European General Data Protection Regulation ("GDPR"), which came into force over six months ago, illustrates a significant evolution in European data protection law marked by the extension of territorial scope. On November 23, the European Data Protection Board ("EDPB"), previously known as the Article 29 Working Party, issued new draft guidelines ("Guidelines") relating to the territorial scope of the GDPR. These draft Guidelines adopted by the EDPB are open for public consultation and feedback until 1January 18, 2019.
Article 3 GDPR sets out the territorial scope of the GDPR based on two criteria, namely the "establishment" criterion in Article 3(1) and the "targeting" criterion in Article 3(2). Where either one of these criteria is satisfied, the relevant Articles of the GDPR will apply to the processing of personal data by the controllers and/or processors concerned.