EDPB Guidelines 3/2018, summarised
The EDPB’s Guidelines 3/2018 explain how the GDPR’s territorial scope (Article 3) works in practice. Here is what they say, in plain English, and what it means for non-EU companies.
What the guidelines cover
Guidelines 3/2018 are the European Data Protection Board’s authoritative interpretation of the GDPR’s territorial scope — Article 3. They explain when the GDPR applies to an organisation, and they are the reason so many non-EU companies fall within it. The two routes into scope are the establishment criterion and the targeting criterion.
The establishment criterion (Article 3(1))
The GDPR applies to processing carried out “in the context of the activities of an establishment” in the EU — regardless of where the processing itself happens. The EDPB reads “establishment” broadly: even a single representative or a stable arrangement can count, but a mere website accessible from the EU does not. If this applies to you, you are in scope under 3(1) and do not separately appoint an Article 27 representative for that processing.
The targeting criterion (Article 3(2))
For organisations without an EU establishment, the GDPR still applies where they target people in the EU in one of two ways:
- Offering goods or services to people in the EU (whether or not payment is required), or
- Monitoring the behaviour of people, where that behaviour takes place within the EU.
This targeting criterion is what brings most non-EU SaaS, e-commerce and app businesses into scope — and triggers the Article 27 representative requirement.
What shows you are “targeting” the EU
The EDPB lists factors that, taken together, indicate an intention to offer services to people in the EU — no single one is decisive:
- Using an EU language or currency not used in your home country
- Mentioning EU users, customers or countries
- Offering delivery to EU member states
- EU-targeted marketing or an EU country-code domain
Mere accessibility of a website from the EU, or the incidental presence of an EU language (e.g. English on a US site), is not enough on its own.
What it means for you
If the targeting criterion applies, you are within the GDPR and — unless a narrow exception fits — you must appoint an EU representative under Article 27. See our requirements guide or check your situation with the compliance checker. The full guidelines are published by the European Data Protection Board.
General information, not legal advice. Last updated 2026-05-23.