Extraterritorial Scope of GDPR: The effects of the Regulation on non-EU businesses
By Ioanna Michalopoulou, Lawyer LLM*

The EU General Data Protection Regulation (GDPR) is not explicitly a global law, but it might be on the way to becoming a de facto law beyond the boundaries of Europe, at least for a number of businesses. GDPR, which was enforced on the 25th of May 2018, affects all businesses based in EU territory acting as data controllers or data processors of personal data of data subjects who are located within the Union, similar to the previous European data protection law (Directive 95/46/EC).

An important question, then, arises as to whether businesses that are based outside the European Union and process personal data fall under the GDPR’s scope. The European legislature, in an effort to protect data subjects from the arbitrary processing of their personal information by non-EU businesses, expanded the territorial scope of the Regulation. Article 3 GDPR states that the “GDPR applies to the processing of personal data of data subjects who ar