A thorough analysis of clear things and grey zones of the EDPB Guidelines 3/2018 on territorial scope.
My attention was, in particular, drawn by a friendly reminder that a status of a non-EU processor is dual as per Article 3(2):
- it is indirectly influenced by the GDPR if carries out processing on behalf of a EU controller (through the data processing agreement under Article 28 and Chapter V obligations);
- It is directly caught by the GDPR if the respective processing activities carrying out on behalf of a controller meet the ‘targeting criterion’ in a sense of Articles 3(2)(a) and 3(2)(b).
More to read – see below.