This blog post from my colleagues summarises the latest EDPB guidance regarding the territorial scope of GDPR.
Key updates for processors outside the EU (although I am not sure this really changes anything in practice) and some relief for those acting as a representative regarding previous fears they could be slapped with big fines on behalf of those they represent. You can read more here.
The guidelines seek to provide a common interpretation of the GDPR Article 3 for data protection authorities when assessing whether processing by a controller or a processor falls within the territorial scope of the GDPR. The final guidelines maintain the interpretation adopted in the first draft of the guidelines but now include further explanations from the EDPB addressing comments received during the public consultation.
/Passle/5db069e28cb62309f866c3ee/MediaLibrary/Images/2025-06-30-18-20-05-882-6862d555bf3898129ef17194.jpg)
/Passle/5db069e28cb62309f866c3ee/MediaLibrary/Images/2025-09-08-14-53-13-586-68beedd97356a10e44369bc6.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2025-10-02-06-19-39-265-68de197b5559c36f4b84cd2d.jpg)
/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2025-10-08-03-36-10-086-68e5dc2a7507996aa45ecd1e.jpg)