
GDPR: It’s Not Just About EU Citizens, or Residents

It is with some chagrin that I write this post. I fell for the very thing that I have warned my clients about for decades: “Read [regulation name] carefully and NEVER make assumptions, and if you don’t know something, ask someone who does!” Here I am now having to admit that I thought the GDPR was only about EU citizens.

It’s not.

The WORD ‘citizen’ never even appears in the Regulation. Not once. In fact, I’ll go so far as to say that it’s not even about EU residents, because that word never appears in the Regulation either. Neither of these words is what the GDPR means by “in the Union”.

I take some very limited solace from the fact that I have never claimed to be a privacy expert, but my ongoing mission of pushing everyone to actually read the GDPR carefully makes me something of a hypocrite. So apologies for that, I should have known better.

But even now that I have read the relevant Recitals and Articles, and asked real experts for guidance, I am still only able to make assumptions. I know that somewhere, someone(s) knows exactly what all of this means in practice (and precedent) as there is very little ‘arbitrary’ about the law. Hopefully these someone(s) jump in at the supervisory authority level.

So the real point of this blog is NOT to impart knowledge or to instruct; I am unqualified to do so. It is to gather feedback, or even opinion, on the interpretation(s) below. And yes, I have reached out to both the ICO and the Art. 29 WP for clarity, but I doubt I’ll get much back anytime soon.

[Note: I won’t name the people who have provided the following guidance (unless they want me to), but I thank them for it. That said, if I’m still way off the mark the blame is entirely my own.]

First, the KNOWN Facts:

  1. Nowhere in the GDPR, or any referenced document [of which I am aware], are the phrases ‘data subject’ and ‘natural person’ tied to ‘EU citizenship’ or even ‘EU residency’;
  2. Recital 2 states – “The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. […]” – [this is, after all, a human right];
  3. Recital 14 states – “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. […]” – [it does not matter who or where they are];
  4. Recital 22 states – “Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union.” – [a business established in the Union can [with caveats] process the data anywhere in the world, GDPR still applies];
  5. The phrase – “[…] in the Union […]” appears frequently in relation to scope and/or applicability – [i.e. regardless of nationality and location];
  6. Article 3(1) states – “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” – [regardless of 4. above, GDPR still applies]; and
  7. Article 3(2) states – “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to […]” – [applies to non-EU establishments if they ‘target’ people in the Union].

Now, the Assumed ‘Facts’:

  1. If your personal data is collected and processed while you are physically IN the Union, and Article 3(1) or 3(2) apply, it does not matter what your nationality is, nor does it matter where you live normally. GDPR applies;
    Scenario: A US citizen is on holiday in the UK and orders something from an e-commerce merchant ‘established’ in the Union. The site collects personal information. GDPR applies.
  2. For processing of personal data outside of Article 3(1) and 3(2), it doesn’t matter whether you’re an EU citizen or not, GDPR does NOT [necessarily] apply;
    Scenario: Someone ‘in the Union’ orders online from a merchant based in the US, who has made no effort whatsoever to market/aim their services to anyone outside of the US. All payments must be in USD. Just because they agree to ship the merchandise to the EU does not, by itself, put the merchant ‘in-scope’ for GDPR, even if they do collect personal data.
  3. Even if you are not ‘in the Union’, the processing of your personal data is in scope for the GDPR when it takes place in the context of the activities of an establishment that is in the Union;
    Scenario: A person, EU citizen or not, is on holiday in the US and orders online from an e-commerce merchant ‘established’ in the Union. GDPR applies.

In the end it’s becoming clear that being an EU citizen does not give you rights anywhere outside of the boundaries of Union law. It is also clear that regardless of your nationality, or where you live, doing business with Union-based organisations may give you rights that it’s quite possible you are not receiving in your own country (especially in the US).

And not that I’m particularly bright, but for me to make such a fundamental mistake in interpretation further supports my contention that you should only ever take guidance from proven privacy experts. This is just too important to rely on people who have only recently jumped on the bandwagon.

Again, I am not saying that any of my assumptions/interpretations are facts. I actually expect to be corrected. About the only benefit you can get from this is you should now have your own questions to ask.

[If you liked this article, please share! Want more like it, subscribe!]

59 thoughts on “GDPR: It’s Not Just About EU Citizens, or Residents”

  1. Good one David… from the PCI perspective, if the authorisation/clearing is done outside the EU but settlement is done in the EU, then where does GDPR apply?

    • First, the usual caveat; I’m not an expert and you really should run this past one.

      That said, it’s unlikely that supervisory authorities are going to get involved as the card brands already have the PCI standards to cover the protection of cardholder data, and an organisational structure to effect ‘administrative fines’ and penalties.

      Unless the acquiring bank is using the auth/settlement data for something other than auth/settlement, there’s really nothing else they can do for GDPR.

  2. Good article, David. I would just emphasise the word “necessarily” (as in “not necessarily apply”) in your assumed ‘fact’ 2. The wording “offering of goods and services” to someone in the EU may well cover sales made to someone in the EU, even without targeting. The wording of Recital 23 that appears to restrict the interpretation of “offering” has a dubious legal basis.

  3. Good article.
    Can you add a few more scenarios? For e.g. an EU citizen living and working outside the Union, let’s say in Japan, who uses a local Japanese bank for their financial needs. Does the local bank have to be GDPR compliant? (The bank doesn’t have any EU subsidiaries.)

    • GDPR applies, but intra-company transfers are handled slightly differently. You’ll definitely need to speak to a qualified person for this one.

  4. Hey David,

    Let me firstly appreciate the brilliance and simplicity of your article. What, in your considered view, are the implications of this Regulation on Telecom service providers OUTSIDE the EU? For instance, do you think Mobile Network Providers need to be GDPR-compliant when EU Citizens roam on their networks outside the EU?

    I would truly appreciate your perspective/insight on this scenario. Thank you.

    • Many thanks James.

      Recital 21 states: “This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.”

      Directive 2000/31/EC of the European Parliament and of the Council, 8-Jun-00 – on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce) – refers to:

      Article 12 – Mere conduit
      Article 13 – Caching
      Article 14 – Hosting
      Article 15 – No general obligation to monitor

      In other words, these ‘intermediaries’ can be considered out of scope for GDPR. Telecoms would be classified as a “mere conduit” unless they are in some way processing personal data outside of that definition.

      Hope this helps.


  5. Hi David,

    I have a sample scenario too. An EU based e-commerce company sells goods outside of EU with its affiliate company. As a result, trade is between non-EU citizens and a non-EU company. But all data are collected and stored in the servers that are physically in EU. Does GDPR apply in this scenario?

    Many thanks,


    • Hi Bora,

      Again, I’m not a data protection expert, but my reading of this is that yes, GDPR applies. Not so much to the enforcement of data subject rights, but even storage counts as processing. There would need to be some form of intra-company data processing agreement in place.

      Run this by a real expert though.


  6. Thank you for the article David.

    The UK branch of a Japanese bank offering a personal loan to a Japanese customer based in Japan. This would be a straightforward example where GDPR applies, Article 3(1), even though the Japanese customer would never set foot in the EU?

  7. If a local Asian brokerage firm has some EU citizens as customers, and these customers are now living in this Asian country, does this brokerage firm have to comply with GDPR?

  8. Great article! There is a lot of supposition and thinly interpreted clickbait blogs out there that are leading to confusion. Here is a scenario I am pondering:

    An event for BrandX takes place in the US. BrandX is an American company with offices around the globe. Current and potential customers and partners register and pay for a badge to attend to learn more about BrandX’s products and services. Attendees travel from around the world to attend the event. During the event information is collected such as preferences, surveys, interests etc.

    Would GDPR apply to attendees from the EU in this case? My general take on this is that it would, particularly if they had been invited by BrandX or if BrandX operates regional offices in the EU. However if BrandX is solely based in the US with no international offices it gets fuzzy.

    Would love your thoughts. Many thanks!

  9. After reading so many articles on this matter, finally finding some practical examples, thanks!

    Here is my case: what about an online reservation service established and located in Barbados which stores individuals’ personal data which is collected through phone calls or by web form posts, which in both cases can originate from EU countries; no payment is involved but the individual can physically be in the EU during the data collection.
    This seems very similar to your Fact #2 example; in addition nothing gets shipped to the EU and no money moves, only information.


    • Hi Paolo,

      Payment is irrelevant to GDPR (Article 3(2)(a)).

      I don’t have enough info here to really help; it really depends on how you advertise and what services you are offering.

  10. David,

    Great advice. What if you are a US based B2B. You sell services, such as writing, and don’t specifically target the EU. From the EU, a citizen visits your website and you start tracking their behavior on your website. Must you have their permission? And if they fill out a whitepaper form, but you don’t know their country, are you in violation if you send them an email about your services?

    Thanks again

      • David,

        Thanks for your reply. I can see how your Scenario 2 does cover this.

        One more question if you have a moment. If you are US based (not established in the Union) and advertise online, does GDPR apply if your ads are seen by people in the EU and they click through to your U.S. website (on which data is collected, but which has nothing, such as language, currency, contact information, etc., that targets any EU geography)? And does it matter if you have or haven’t used the advertiser’s controls to exclude viewers outside of the United States from seeing the ad?

        Thanks again for all the great advice.


      • Again, this is scenario 2. Just because the site can be seen in the EU does not necessarily put you in scope. However the devil is always in the detail.

  11. Hi David,

    Thank you for the excellent piece, as usual. We (a SaaS company with offices in the EU and US) were told exactly the same thing: you just need to read Article 3 carefully and it’s really clear that the location of the Processor also matters.

    What bothers me most is that the absolute majority of sources, including so called GDPR “trainings”, especially the one from IT Governance (NOT recommended at all, BTW – half baked, if not to say more), are pushing that “EU citizens only” thing as absolute truth.

  12. Thanks a lot David 🙂

    You are bold and brilliant.

    Most of the GDPR resources comfortably overlooked this.

    Hats off to your approach.

  13. Hi David,
    Excellent article!
    I am an EU citizen who lives in Europe again but I have data kicking around in the US on the internet (very annoying – past residences, financial stuff, etc). Can I request that that be suppressed from each company (like and spokeo…)?

    • Thank you Phil.

      I’m afraid that’s impossible to answer without understanding the context under which the data was collected. As the article states, GDPR is not about you as an EU citizen, it’s about whether or not the data was collected under the umbrella of EU law.

      You only have to read mylife’s privacy policy to see that it’s geared towards US data subjects; however, they do list the BBC as one of their ‘as seen on’ references, which suggests they also gear their service to UK data subjects.

      It would not hurt to ask, though they have provided no capability to implement your rights.


  14. You are right, as it is clearly stated on the “EU Commission website” in the first example of “What does the General Data Protection Regulation (GDPR) govern?”:

    When the regulation applies

    A company with an establishment in the EU provides travel services to customers based in the Baltic countries and in that context processes personal data of natural persons.

    Articles 1 and 2 and Recitals (1), (2), (14), (18) and (27) of the GDPR
    1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

  15. Great Article!!

    Does processing in the EU put any data under GDPR regardless of target?
    Example: a company from the Middle East uses a cloud provider in an EU country to process data for Middle East customers. Does the company fall under GDPR?

    Thank you David,

    • Hi Alwaleed,

      Many thanks for your contribution.

      As a processor ‘in the Union’, yes, the cloud provider is in scope for GDPR, but in reality, it’s the Middle East-based organisation that does the client-facing processing. It’s unlikely their customers would even know the cloud provider exists, and to my knowledge, no ME country has cross-border data transfer restrictions to the EU.

      What I’m unsure of is if the cloud provider is breached and the personal data of the ME clients is lost, would the cloud provider be liable? In theory yes (per Recitals 2 and 14), but would the ME clients know where to turn for help, or even that they can?

      It’s an interesting question and I’ll need to ask a REAL expert! 🙂


      • I have now asked a real expert, and not surprisingly I was wrong. This is what the expert said:

        Article 3.

        1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

        2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

        (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

        (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

        3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

        In the example you give, the activity does not take place in the Union and the data subjects are not located in the Union. Their own local privacy law would apply to the processing of personal data.

  16. Thanks David! That was great help.
    How about the “REAL expert”? If I were to get detailed consulting, where would I turn to?

  17. Hi David, interested in your thoughts on this scenario: a US company (A) recruits US residents for market research on behalf of an EU-based company (B). I’m assuming B has to follow GDPR, but does A as well? Given they are not involved in sending the data to the EU, just finding & paying the people doing the market research (& directing them to an EU-based website where data is collected).


    • Hi Dan,

      Again, NOT an expert, but it sounds very much to me like A is a processor of B, therefore the collection of data is definitely “in the context of the activities of an establishment of a controller or a processor in the Union” (Article 3(1)). So while A would likely not pursue GDPR compliance in their own right, the contractual obligations the controller (company B) would place on company A would have to fully comply (Article 28(3)).

      The Devil is always in the detail though, so this is best run by a lawyer or equivalent SME.


  18. Found this Article Really useful.

    I too have a scenario I would really appreciate your feedback on. A non-EU resident and Canadian national sends personal data to a company in Italy. Is the company in Italy required to process this non-EU resident’s personal data in accordance with GDPR?

    • Hi S,

      Yes, GDPR fully applies to the Italian company. The fact that the person is Canadian and does not live in the EU is irrelevant.

      Article 3 – Territorial scope
      1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.



  19. Hi David,
    So in a nutshell it comes down to where the data is processed, not what citizenship the individual possesses, correct?

  20. This is a really useful article. I have (yet another) scenario for you, if you would be so kind. I am in a bit of a battle with a sub-contracted Party of ours (with whom we have a legal Agreement) in Singapore who are asking for our non-EU client data. We own the data (ie. we are the Controller), they would be the Processor. Does GDPR apply in this circumstance?

    • Hi E,

      I think in this case the following applies:

      Article 3(1) – “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”

      As you are established “in the Union”, it does not matter where your data comes from or where it is now, GDPR applies to it.

      Singapore does not have an adequacy decision in place, so you would have to use one of the following to ‘legalise’ an ongoing data transfer arrangement:

      1. Standard contractual clauses;
      2. code of conduct; or
      3. certification mechanism

      Seeing as 2. and 3. don’t really exist yet, your options are limited.

      That said, if your transfer is a one-off, then you could possibly apply one of Article 49’s exceptions. The ICO breaks them down here: International Transfers

      In your case I only think exception 8 applies, and you would have to have significant contractual language in place to ensure the data subjects involved had ‘equivalent/adequate’ protection and recourse should things go wrong.

      You may want to reach out to the ICO and give them the full scoop, they have been very helpful with my questions so far.

      Don’t forget, I’m no expert, make sure you run this by someone who really knows what they’re talking about! 🙂


  21. Hello, I am a late joiner to this conversation and thank you it is really informative. I have understood that if the processing is done in the EU (including UK) then GDPR applies. However, which part?

    The scenario I have is that a UK based firm is provided non-EU personal data by a company based in the Middle East to be used in a survey processed in the EU. Does the Middle East company have to gain consent from those included in the personal data even though they are neither based in the EU nor are they EU citizens living abroad?

    Many thanks

    • Hi Amanda,

      Apologies for the delayed response.

      Which part? ALL of it, there is no mix and match in GDPR. You are ‘appropriately compliant’ or you are not. In this case ‘appropriate’ is entirely tied to what you do with personal data and where.

      There is not enough to go on to make a full determination, but if the data was NOT collected (or processed in ANY way) in the EU, then no, GDPR does not apply to the ME org. However, the UK org is now processing personal data in the EU, but it’s unlikely consent will be required and data processing agreements will suffice.

      The usual caveat applies: I am NOT a privacy lawyer, so you should run this by an expert.


If you think I'm wrong, please tell me why!
