On 23 November 2018, the European Data Protection Board (the “EDPB“) published its draft guidelines on Article 3 of the GDPR, being the provision that sets out the territorial scope of Europe’s data protection legislation.
The guidelines are only in draft form and subject to consultation but they do go some way to clarifying key questions regarding the application of the GDPR. That being said, they do not cover every possible permutation of Article 3, meaning that there remain gaps where organisations will need to exercise judgment without any comfort that their interpretation will align with that of the regulators. In particular, there would seem to still be question marks around the application of Article 3(2)(a) and what actually constitutes the offering of goods and services to individuals in the EU. Continue reading