European Data Protection Board (“EDPB”) published on 16 November 2018 the long-awaited Guidelines 3/2018 on the territorial scope of the General Data Protection Regulation (“GDPR”). As those with even a cursory interest in the matter knew, a company not established in the EU can still be within the reach of GDPR’s strict rules. But exactly when that is the case was not entirely clear from GDPR’s provisions and recitals. With these guidelines EDPB aims to clarify the criteria for determining the territorial scope of GDPR.
