2026-04-18·16 min read·

GDPR Art.1–4: Scope, Definitions & Territorial Reach — Complete Developer Guide (2026)

Post #436 in the sota.io EU Cyber Compliance Series

GDPR Chapter I (Art.1–4) is the foundation on which everything else rests. Before you can apply any GDPR requirement, you must answer three questions: Does the GDPR apply to this processing at all (Art.2)? Does it apply to my organisation (Art.3)? And what exactly do the terms used throughout the regulation mean (Art.4)? Getting these wrong — either assuming GDPR applies when it doesn't, or assuming it doesn't when it does — is where most compliance programmes go off the rails before they start.

Art.1 — Subject Matter and Objectives

Art.1 sets out what GDPR is and why it exists:

Art.1(1): The regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

Art.1(2): It protects fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data.

Art.1(3): The free movement of personal data within the EU shall neither be restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

Constitutional Basis

GDPR sits at the intersection of two Treaty provisions:

Treaty Basis	Provision	Content
EU Charter of Fundamental Rights	Art.8	Right to protection of personal data
Treaty on the Functioning of the EU	Art.16 TFEU	Right to data protection; Parliament+Council legislate
EU Charter	Art.7	Right to respect for private and family life

The CJEU has repeatedly confirmed that data protection is a fundamental right, not merely a market regulation. This matters for proportionality analysis: restrictions on data processing must be justified not just commercially but constitutionally.

Free Movement Dimension

Art.1(3) is often overlooked: GDPR also enables free movement of personal data within the EU. Member States may not impose additional data protection requirements that would fragment the internal market — GDPR is a maximum harmonisation instrument for cross-border flows within the EU (subject to Art.9 and national derogations).

Art.2 — Material Scope

Art.2(1): GDPR applies to the processing of personal data wholly or partly by automated means and to the processing otherwise than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

Developer Translation:

Any database containing personal data: in scope
Log files containing IP addresses: in scope (automated processing)
API calls processing user-submitted data: in scope
Manual paper records that aren't organised: arguably out of scope

Art.2 Exclusions

Exclusion	Art.2	Example
Activities outside EU law scope	Art.2(2)(a)	Member State national security operations
Common Foreign and Security Policy	Art.2(2)(b)	EU foreign policy operations
Purely personal or household activity	Art.2(2)(c)	Family address book; personal social media
Law enforcement (Directive 2016/680)	Art.2(2)(d)	Police processing criminal records
Union institutions	Art.2(3)	EU agencies — covered by Regulation 2018/1725

The Household Exemption

Art.2(2)(c) excludes processing by a natural person in the course of a purely personal or household activity. The CJEU has construed this narrowly:

Out of scope: Personal address book on a private phone
In scope: Personal blog with public comment section (Lindqvist, C-101/01)
In scope: Publishing personal data publicly on the internet, even for personal purposes (Ryneš, C-212/13)
In scope: Running a neighbourhood surveillance camera that captures public spaces

For SaaS developers: The household exemption never applies to your application — even if individual users process data for household purposes, your role as a platform is always in scope.

Law Enforcement — Directive 2016/680

Police and criminal justice authorities processing data for law enforcement purposes fall outside GDPR and are governed by the Law Enforcement Directive (LED, 2016/680). However:

A police force's HR data: GDPR applies
A private company providing software to police: GDPR applies to its own processing
The police using that software to process criminal records: LED applies

Art.3 — Territorial Scope

Art.3 is where GDPR surprises most non-EU developers. The regulation applies to three distinct situations:

Head 1 — Establishment (Art.3(1))

GDPR applies to processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing takes place in the EU or not.

This is the most important principle: it is not about where data is stored. It is about whether you have an establishment in the EU and whether the processing is connected to that establishment's activities.

Scenario	GDPR Applies?
US company with EU office, processes EU user data at US datacentre	Yes — EU establishment + in context of its activities
US company with EU subsidiary that merely forwards orders	Depends — CJEU Weltimmo (C-230/14): even minimal stable arrangement sufficient
US company with no EU presence, no EU users	No
US company with no EU presence, actively markets to EU users	Yes — see Head 2

Establishment Threshold (CJEU case law):

Google Spain (C-131/12): US company with Spanish subsidiary (Google Spain SL) that sold advertising linked to search results → GDPR applies
Weltimmo (C-230/14): A single representative or even a letter box company in a Member State can constitute an establishment
The establishment need not be incorporated — a branch, agent, or even a single employee may suffice

Head 2 — Targeting (Art.3(2)(a))

GDPR applies to processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing relates to offering goods or services to those data subjects — irrespective of whether payment is required.

Targeting Indicators (Recital 23):

Website accessible from the EU is not enough on its own
Using EU language or currency: targeting indicator
Mentioning EU customers or users: targeting indicator
Enabling delivery to EU addresses: targeting indicator
International dialling prefixes for EU countries: targeting indicator
EU-specific domain (.de, .fr): strong indicator
Advertising directed at EU Member States: strong indicator

Scenario	Applies?
US SaaS with `.com` domain, no EU marketing	No (absent other indicators)
US SaaS with EU language option, EU pricing	Yes
US app store app with explicit EU regional availability	Yes
US B2B tool marketed globally including EU	Yes

Head 3 — Monitoring (Art.3(2)(b))

GDPR applies where processing relates to monitoring the behaviour of data subjects in the EU, to the extent the behaviour takes place within the EU.

Monitoring includes (Recital 24):

Tracking internet behaviour (cookies, fingerprinting, pixel tags)
Profiling for advertising purposes
Location tracking
Behavioural analytics on EU users

Developer Impact: If your analytics SDK tracks EU users' behaviour — even if you have zero EU presence and zero EU marketing — GDPR applies to that monitoring.

Art.3(3) — Non-EU Public International Law

A controller not established in the EU but in a place where Member State law applies by virtue of public international law (e.g., an embassy, consulate, or vessel under a Member State flag) is also subject to GDPR.

Territorial Scope Summary

                    ┌─────────────────────────────────────────┐
                    │         GDPR TERRITORIAL SCOPE          │
                    └─────────────────────────────────────────┘
                                      │
          ┌───────────────────────────┼───────────────────────────┐
          │                           │                           │
    Art.3(1)                    Art.3(2)(a)                 Art.3(2)(b)
  Establishment               Targeting Criterion          Monitoring Criterion
          │                           │                           │
   EU establishment            Processing data of           Tracking EU users'
   + in context of             EU-based data subjects       behaviour in EU
   its activities              + offering goods/services
          │                           │                           │
   Data location               Payment requirement          Profiling, cookies,
   irrelevant                  irrelevant (free             fingerprinting,
                               services in scope)           location tracking

Art.4 — Definitions

Art.4 provides 26 definitions that apply throughout GDPR. Here are the most developer-critical ones:

Art.4(1) — Personal Data

"Any information relating to an identified or identifiable natural person ('data subject')."

An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to:

An identifier such as a name, identification number, location data, online identifier
One or more factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity

Data Type	Personal Data?	Notes
Full name + email	Yes	Directly identifies
IP address	Usually yes	CJEU Breyer (C-582/14): dynamic IP = personal data if ISP can identify
Cookie ID	Yes	Links to browser, links to person over time
Pseudonymised data (key held)	Yes	Still personal data — key allows re-identification
Truly anonymised data (irreversible)	No	But anonymisation must be genuine and irreversible
Aggregated statistics	No (if truly aggregate)	No individual identification possible
Company data	No	GDPR covers natural persons only
Email address (role-based: info@company.com)	Usually no	But info@soletrader.com = yes
MAC address	Yes	Device identifier linkable to natural person
Hashed data (SHA-256 of email)	Yes	Rainbow tables; combination attacks

The Identifiability Test: Data is personal if identification is reasonably likely — taking into account costs and time required, available technology, and who else has the key. CJEU Breyer: the question is whether any party, including a third party like an ISP, can combine the data with other information to identify the person.

Art.4(2) — Processing

"Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."

Every interaction with personal data is "processing." There is no de minimis threshold. Receiving an email, storing a log line, querying a database, sending data to a third party — all processing.

Art.4(3) — Restriction of Processing

"The marking of stored personal data with the aim of limiting their processing in the future."

Used in Art.18 (right to restriction). Implementation: a flag in the database marking the record as restricted, combined with application-layer checks preventing further processing.

Art.4(4) — Profiling

"Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements."

Developer Impact: Recommendation engines, credit scoring, fraud detection, behavioural advertising — all profiling. Art.22 governs solely automated profiling with significant effects; Art.21(2) gives opt-out rights for direct marketing profiling.

Art.4(5) — Pseudonymisation

"The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person."

Key Point: Pseudonymised data is still personal data (Art.4(1)). But the GDPR incentivises pseudonymisation: it reduces risk (Art.25, 32), can help justify compatible further processing (Art.89), and is a recommended security measure (Art.32(1)(a)).

Vs. Anonymisation: Anonymisation = irreversible removal of identifiability. If it's truly anonymous, GDPR doesn't apply. The bar is high — the Article 29 Working Party's Opinion 05/2014 lists three criteria: singling out, linkability, inference. Most "anonymisation" techniques fail at least one.

Art.4(7) — Controller

"The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data."

The Key Test: Who decides why data is processed and how? Not who actually does the technical processing.

Role	Controller or Processor?
SaaS company collecting user data for its service	Controller
Cloud hosting provider (IaaS) storing data per customer instructions	Processor
Analytics vendor receiving data for platform analytics	Controller (of own analytics)
Analytics vendor providing white-label analytics to customer	Processor
Two companies jointly deciding campaign targeting	Joint controllers (Art.26)
Payroll outsourcing firm processing employee data	Processor

Joint Controllers (Art.26): Where two or more controllers jointly determine purposes and means, they must enter an arrangement specifying their respective responsibilities. They are jointly and severally liable to data subjects (subject to Art.82(3) exoneration).

Art.4(8) — Processor

"A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."

Processors must enter a Data Processing Agreement (DPA) with the controller per Art.28. The DPA must specify the subject matter, duration, nature, purpose, type of personal data, categories of data subjects, and the controller's obligations and rights.

"Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

The four cumulative requirements:

Freely given: No imbalance of power; no bundling consent with service terms; no detriment for refusal
Specific: Separate consent for each purpose; no blanket consent
Informed: Identity of controller, purposes, right to withdraw — all disclosed before consent
Unambiguous: Clear affirmative action (ticking a box, clicking "I agree"); silence, pre-ticked boxes, or inactivity is NOT consent

Art.4(12) — Personal Data Breach

"A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."

Three types of breach:

Confidentiality breach: Unauthorised access or disclosure
Integrity breach: Alteration of data
Availability breach: Loss of access to data (including accidental deletion, encryption by ransomware)

All three trigger notification obligations under Art.33 (to supervisory authority within 72 hours) and potentially Art.34 (to data subjects without undue delay).

Art.4(13) — Genetic Data

"Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question."

Special category under Art.9 — requires explicit consent or another Art.9(2) ground.

Art.4(14) — Biometric Data

"Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data."

Special category under Art.9. Biometric data processed for the purpose of uniquely identifying a person triggers Art.9 — raw photos alone may not.

Art.4(15) — Health Data

"Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status."

Broadly interpreted. Includes: medical records, prescriptions, health app data, absence-due-to-illness records, disability information, mental health treatment records.

Art.4(16) — Main Establishment

For controllers with establishments in multiple Member States: the place of the controller's central administration in the EU. For processors: the place of central administration or, if no central administration in EU, the establishment where main processing activities take place.

Why it matters: The "one-stop-shop" mechanism (Art.56) means the supervisory authority of the main establishment acts as lead supervisory authority for cross-border processing.

Art.4(17) — Representative

A representative must be designated (Art.27) by controllers or processors not established in the EU but subject to GDPR via Art.3(2). The representative is established in one of the Member States where the data subjects are located.

Art.4(26) — Supervisory Authority

The independent public authority established by a Member State pursuant to Art.51. Examples:

Germany: BfDI (federal) + 16 Landesdatenschutzbehörden
France: CNIL
Ireland: DPC (lead SA for many US tech companies with EU HQ in Dublin)
Netherlands: AP (Autoriteit Persoonsgegevens)
Austria: DSB

Complete Art.4 Definition Reference

Art.4	Term	Developer Relevance
(1)	Personal data	Everything identifiable = personal data
(2)	Processing	Every data operation = processing
(3)	Restriction of processing	Flag in DB for Art.18 right
(4)	Profiling	ML models on personal data = profiling
(5)	Pseudonymisation	Still personal data; still GDPR
(6)	Filing system	Structured non-automated records
(7)	Controller	You, for your product's data
(8)	Processor	Your cloud/SaaS vendors
(9)	Third party	Neither controller nor processor
(10)	Recipient	Anyone data is disclosed to
(11)	Consent	Must be freely given, specific, informed, unambiguous
(12)	Personal data breach	Confidentiality + integrity + availability breaches
(13)	Genetic data	Art.9 special category; DNA/RNA analysis
(14)	Biometric data	Art.9 if used for identification
(15)	Health data	Art.9; broadly interpreted
(16)	Main establishment	Lead SA jurisdiction anchor
(17)	Representative	Required for non-EU controllers/processors under Art.3(2)
(18)	Enterprise	Any legal entity in economic activity
(19)	Enterprise group	Controlling + controlled undertakings
(20)	Binding corporate rules (BCRs)	Art.47 transfer mechanism for groups
(21)	Supervisory authority	Your national DPA
(22)	Supervisory authority concerned	Multiple SAs in cross-border cases
(23)	Cross-border processing	Processing in multiple Member States
(24)	Relevant and reasoned objection	Art.60 objection mechanism between SAs
(25)	Information society service	Directive 2015/1535 — online services
(26)	International organisation	UN, Council of Europe etc. for Art.4(9) transfers

Python: GDPRScopeAnalyzer

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class TerritorialHead(Enum):
    ESTABLISHMENT = "Art.3(1) — Establishment"
    TARGETING = "Art.3(2)(a) — Targeting"
    MONITORING = "Art.3(2)(b) — Monitoring"
    NOT_APPLICABLE = "Art.3 — Not applicable"


class DataCategory(Enum):
    ORDINARY = "ordinary"
    SPECIAL = "special_category"  # Art.9
    CRIMINAL = "criminal"          # Art.10


@dataclass
class ProcessingActivity:
    name: str
    involves_eu_data_subjects: bool
    controller_eu_establishment: bool
    offers_goods_services_to_eu: bool
    monitors_eu_behaviour: bool
    data_types: list[str] = field(default_factory=list)
    automated_processing: bool = True
    purely_personal_activity: bool = False
    law_enforcement_purpose: bool = False


@dataclass
class ScopeResult:
    gdpr_applies: bool
    territorial_heads: list[TerritorialHead]
    material_scope: bool
    special_categories_involved: bool
    requires_representative: bool  # Art.27
    requires_dpa: bool             # Art.28
    lead_sa_jurisdiction: Optional[str]
    rationale: list[str]


SPECIAL_CATEGORY_KEYWORDS = {
    "health", "medical", "diagnosis", "genetic", "biometric",
    "racial", "ethnic", "political", "religious", "trade_union",
    "sexual", "criminal", "criminal_conviction",
}


class GDPRScopeAnalyzer:
    """
    Determines whether GDPR applies to a processing activity
    and under which territorial head (Art.2 + Art.3).
    """

    def analyze(self, activity: ProcessingActivity) -> ScopeResult:
        rationale = []
        territorial_heads = []
        material_scope = True

        # --- Material scope check (Art.2) ---
        if activity.purely_personal_activity:
            material_scope = False
            rationale.append(
                "Art.2(2)(c): Purely personal/household activity — GDPR does not apply."
            )
        elif activity.law_enforcement_purpose:
            material_scope = False
            rationale.append(
                "Art.2(2)(d): Law enforcement processing — governed by Directive 2016/680, not GDPR."
            )
        elif not activity.automated_processing and not activity.involves_eu_data_subjects:
            material_scope = False
            rationale.append(
                "Art.2(1): Non-automated processing not part of a filing system — out of scope."
            )
        else:
            rationale.append(
                f"Art.2(1): Processing of personal data by automated means — material scope met."
            )

        if not material_scope:
            return ScopeResult(
                gdpr_applies=False,
                territorial_heads=[TerritorialHead.NOT_APPLICABLE],
                material_scope=False,
                special_categories_involved=False,
                requires_representative=False,
                requires_dpa=False,
                lead_sa_jurisdiction=None,
                rationale=rationale,
            )

        # --- Territorial scope check (Art.3) ---
        if activity.controller_eu_establishment and activity.involves_eu_data_subjects:
            territorial_heads.append(TerritorialHead.ESTABLISHMENT)
            rationale.append(
                "Art.3(1): Controller has EU establishment and processes EU data subjects "
                "in context of its activities."
            )

        if activity.offers_goods_services_to_eu and activity.involves_eu_data_subjects:
            territorial_heads.append(TerritorialHead.TARGETING)
            rationale.append(
                "Art.3(2)(a): Processing data of EU data subjects in context of offering "
                "goods or services to EU."
            )

        if activity.monitors_eu_behaviour:
            territorial_heads.append(TerritorialHead.MONITORING)
            rationale.append(
                "Art.3(2)(b): Processing relates to monitoring behaviour of data subjects in EU."
            )

        if not territorial_heads:
            return ScopeResult(
                gdpr_applies=False,
                territorial_heads=[TerritorialHead.NOT_APPLICABLE],
                material_scope=True,
                special_categories_involved=False,
                requires_representative=False,
                requires_dpa=False,
                lead_sa_jurisdiction=None,
                rationale=rationale + [
                    "Art.3: No territorial head met — GDPR does not apply to this activity."
                ],
            )

        # --- Special categories check (Art.4(13)–(15), Art.9) ---
        special = any(
            kw in dt.lower() for dt in activity.data_types
            for kw in SPECIAL_CATEGORY_KEYWORDS
        )
        if special:
            rationale.append(
                "Art.9: Special category data detected — explicit consent or Art.9(2) ground required."
            )

        # --- Representative requirement (Art.27) ---
        requires_rep = (
            not activity.controller_eu_establishment
            and (
                TerritorialHead.TARGETING in territorial_heads
                or TerritorialHead.MONITORING in territorial_heads
            )
        )
        if requires_rep:
            rationale.append(
                "Art.27: Controller not established in EU but subject under Art.3(2) — "
                "must designate EU representative."
            )

        # --- DPA requirement (Art.28) ---
        requires_dpa = True  # Always required when using processors
        rationale.append(
            "Art.28: If using sub-processors (cloud, analytics, email) — DPA required with each."
        )

        return ScopeResult(
            gdpr_applies=True,
            territorial_heads=territorial_heads,
            material_scope=True,
            special_categories_involved=special,
            requires_representative=requires_rep,
            requires_dpa=requires_dpa,
            lead_sa_jurisdiction=(
                "Ireland (DPC) — most US tech companies with EU HQ in Dublin"
                if activity.controller_eu_establishment else None
            ),
            rationale=rationale,
        )

    def print_report(self, activity: ProcessingActivity) -> None:
        result = self.analyze(activity)
        print(f"\n{'='*60}")
        print(f"GDPR SCOPE ANALYSIS: {activity.name}")
        print(f"{'='*60}")
        print(f"GDPR Applies: {'YES' if result.gdpr_applies else 'NO'}")
        if result.gdpr_applies:
            print(f"Territorial Heads: {[h.value for h in result.territorial_heads]}")
            print(f"Special Categories: {'YES — Art.9 ground required' if result.special_categories_involved else 'No'}")
            print(f"Representative Required: {'YES (Art.27)' if result.requires_representative else 'No'}")
        print("\nRationale:")
        for r in result.rationale:
            print(f"  • {r}")
        print()


# --- Usage Examples ---
if __name__ == "__main__":
    analyzer = GDPRScopeAnalyzer()

    # Example 1: EU SaaS with EU customers
    analyzer.print_report(ProcessingActivity(
        name="EU SaaS Platform (controller in Germany)",
        involves_eu_data_subjects=True,
        controller_eu_establishment=True,
        offers_goods_services_to_eu=True,
        monitors_eu_behaviour=True,
        data_types=["email", "usage_logs", "payment_info"],
    ))

    # Example 2: US startup targeting EU market
    analyzer.print_report(ProcessingActivity(
        name="US Startup with EU Pricing Page",
        involves_eu_data_subjects=True,
        controller_eu_establishment=False,
        offers_goods_services_to_eu=True,
        monitors_eu_behaviour=True,
        data_types=["email", "analytics", "cookie_id"],
    ))

    # Example 3: Analytics SDK tracking EU users
    analyzer.print_report(ProcessingActivity(
        name="Behavioural Analytics SDK (US vendor)",
        involves_eu_data_subjects=True,
        controller_eu_establishment=False,
        offers_goods_services_to_eu=False,
        monitors_eu_behaviour=True,
        data_types=["ip_address", "cookie_id", "page_views"],
    ))

    # Example 4: Internal HR app for EU employees
    analyzer.print_report(ProcessingActivity(
        name="Internal HR System — Health Records",
        involves_eu_data_subjects=True,
        controller_eu_establishment=True,
        offers_goods_services_to_eu=False,
        monitors_eu_behaviour=False,
        data_types=["health", "name", "employee_id"],
    ))

Key Cases: Territorial Scope in Practice

Case	Court	Key Ruling
Google Spain (C-131/12)	CJEU 2014	Spanish subsidiary = EU establishment; search results = in context of activities
Weltimmo (C-230/14)	CJEU 2015	Minimal stable arrangement in MS = establishment; agent/letterbox sufficient
Schrems I (C-362/14)	CJEU 2015	SA can investigate independently; Safe Harbour inadequate
Schrems II (C-311/18)	CJEU 2020	Privacy Shield invalid; SCCs require case-by-case assessment for US transfers
Breyer (C-582/14)	CJEU 2016	Dynamic IP = personal data when ISP can link to subscriber
Ryneš (C-212/13)	CJEU 2014	Home CCTV capturing public space = not household exemption
Lindqvist (C-101/01)	CJEU 2003	Personal website with third-party data = not household exemption

EU Hosting and Art.3 Compliance Architecture

The Territorial Scope Gap for Non-EU Companies

A non-EU company subject to GDPR via Art.3(2) faces a structural compliance problem: its data processing infrastructure is in a non-EU jurisdiction subject to laws that may conflict with GDPR obligations. The three most significant conflicts:

US Law	GDPR Conflict	Risk
US CLOUD Act	Compelled disclosure to US authorities without EU data subject notification	Art.5(1)(f) confidentiality, Art.44 transfer prohibition
FISA §702	NSA access to data held by US providers — basis for Schrems II	Art.46 adequacy of safeguards
Executive Order 12333	Bulk collection of data in transit	Art.5(1)(f) integrity

EU-Native Infrastructure: Structural Compliance

When your infrastructure is hosted on an EU-native PaaS like sota.io, you eliminate the primary vectors for Art.3(2) territorial compliance gaps:

Compliance Dimension	US Cloud	EU-Native Cloud (sota.io)
Art.3(1) establishment processing	Data leaves EU to US processors	Data stays within EU jurisdiction
Art.44 transfer prohibition	Every API call = potential transfer	No third-country transfer — Art.3(2) basis eliminated
CLOUD Act compelled disclosure	US provider must comply with US court order	EU jurisdiction only — US authorities cannot compel
Art.28 DPA compliance	DPA with US entity; adequacy gap	DPA with EU entity under same GDPR obligations
Art.32 security — confidentiality	Extraterritorial access risk	Confidentiality protected by EU jurisdiction
Art.82 non-material damage	Class-action risk for sovereignty violations	Sovereignty-based Art.82 risk eliminated

For non-EU companies subject to Art.3(2): Hosting on EU infrastructure is the fastest path from territorial-scope risk to territorial-scope compliance. The Art.27 representative requirement remains (designation of an EU representative), but the structural data-sovereignty gap is closed.

#	Requirement	Source
1	Confirm GDPR applies (Art.2 material scope)	Art.2(1)
2	Identify territorial head(s): establishment, targeting, monitoring	Art.3
3	If Art.3(2) applies and no EU establishment: designate Art.27 representative	Art.27
4	Map all personal data processed (Art.4(1) test)	Art.4(1)
5	Identify special categories (Art.4(13)–(15))	Art.9
6	Identify criminal conviction data (Art.4(10) + Art.10)	Art.10
7	Determine controller vs. processor role for each activity	Art.4(7)–(8)
8	Identify joint controller relationships (Art.26 arrangement required)	Art.26
9	List all processors and confirm DPAs in place (Art.28)	Art.28
10	Verify consent mechanism meets all four Art.4(11) requirements	Art.4(11)
11	Confirm profiling activities identified and Art.21/22 rights implemented	Art.4(4)
12	Verify pseudonymisation implemented where used (key separation)	Art.4(5)
13	Confirm anonymisation is genuine (singling out / linkability / inference tests)	WP29 05/2014
14	Identify your lead supervisory authority (main establishment test)	Art.4(16)
15	Verify household exemption does NOT apply to platform (only to individual users)	Art.2(2)(c)
16	Confirm law enforcement processing carved out to Directive 2016/680	Art.2(2)(d)
17	Check targeting indicators: EU language, EU currency, EU delivery, EU phone	Recital 23
18	Check monitoring: cookies, fingerprinting, location tracking of EU users	Recital 24
19	Ensure infrastructure jurisdiction does not create Art.44 transfer risk	Art.44–49
20	Document scope analysis in Records of Processing Activities (RoPA)	Art.30

Article	Topic	Post
Art.5	Principles of processing (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, accountability)	Upcoming
Art.6	Lawful basis for processing (6 legal grounds)	Upcoming
Art.7	Conditions for consent	Upcoming
Art.9–10	Special categories and criminal data	Upcoming
Art.12–22	Data subject rights (complete)	#420–#422
Art.25	Privacy by Design and by Default	Existing
Art.28	Data Processing Agreements	Existing
Art.32	Technical and organisational security measures	Existing

The GDPR series at sota.io is building the most comprehensive, developer-focused GDPR reference in EU cybersecurity publishing — working through all 99 articles with Python implementations, landmark CJEU case law, and EU-hosting compliance angles.