Where is the GDPR applied?
For the GDPR to apply to your enterprise's activities, it should fall under the territorial scope of the Regulation. Article 3 defines this territorial scope based on two main criteria:
The “establishment criterion” - Your enterprise is established in the Union.
The GDPR applies if your enterprise – operating either as controller or as processor – is established in the Union, regardless of whether the processing takes place in the Union or not. An enterprise is established in the Union if it has a stable presence there, which exercises real and effective activities considering the nature of the economic activity carried out by the enterprise.
The “targeting criterion” - Your enterprise is established outside the Union, but is processing data of individuals in the Union.
The GDPR also applies when your enterprise – operating either as controller or as processor – is not established in the Union but does process personal data of individuals who are in the Union, where the processing activities are related to:
The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
The monitoring of their behaviour, as far as their behaviour takes place within the Union.
Thus, under certain conditions the GDPR has extraterritorial applicability.
What if your enterprise is established in the EU but you work with a processor to which the GDPR does not apply?
If you, as a controller subject to the GDPR, choose to use a processor located outside of the Union and not subject to the GDPR, you must ensure that the processor processes the data in accordance with the GDPR, just as if the processor were itself subject to the GDPR, but with some extra requirements. Compliance with the GDPR requires that processing by a processor be governed by a contract or other legal act. You will thus need to ensure that a contract – a data processing agreement – is put in place with the processor addressing all the requirements set out in Article 28(3) GDPR.
What if the processor falls under the GDPR, but your enterprise does not?
Your enterprise – as a non-EU controller – will not become subject to the controller obligations under the GDPR. A “non-EU controller” will not become subject to the GDPR simply because it chooses to use a processor in the Union.
The processor, however, will need to comply with the GDPR if it meets the criteria for GDPR applicability.