Scope and applicability — GDPR Articles 1, 2, 3, 4
GDPR scope rests on three layers: Article 1 fixes the subject matter; Article 2 fixes material scope (with four explicit exclusions); Article 3 fixes territorial scope; Article 4 provides the operative definitions that the rest of the Regulation depends on (especially personal data, processing, controller, processor, profiling, pseudonymisation, biometric / genetic / health data). The separate special-categories regime sits in Article 9. This page walks through each layer for AI use cases.
Quick decision
- Establishment in the EU → GDPR applies to your processing of personal data under Article 3(1), regardless of whether the processing itself takes place in the EU. Apply the full Regulation to all your processing operations.
- Not established in the EU, but offering goods or services to data subjects in the Union → Article 3(2)(a) applies. Designate an Article 27 representative in the Union, subject to the Article 27(2) exceptions.
- Not established in the EU, but monitoring behaviour of data subjects in the Union → Article 3(2)(b) applies. Designate an Article 27 representative, subject to the Article 27(2) exceptions.
- Purely personal or household processing → Article 2(2)(c) excludes you from GDPR. (An AI model trained on personal photos in a private household is excluded; the same model offered as a service to others is not.)
- Processing for law-enforcement purposes by a competent authority → Article 2(2)(d) excludes you from GDPR; the Law Enforcement Directive (Directive (EU) 2016/680) applies instead.
- AI system that performs profiling under Article 4(4) → GDPR applies as a default obligation set; pay particular attention to Article 22 (automated individual decision-making), Article 13(2)(f) and Article 14(2)(g) (transparency about automated decisions), and Article 35(3)(a) (DPIA trigger).
TL;DR
- Article 1 fixes the subject matter: rules for the protection of natural persons with regard to the processing of personal data and rules for the free movement of personal data.
- Article 2 fixes material scope. Article 2(1) covers processing wholly or partly by automated means and processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Article 2(2) carves out four cases (outside-Union-law activities; CFSP; purely personal/household; law-enforcement covered by Directive (EU) 2016/680).
- Article 3 fixes territorial scope. Article 3(1) — establishment in the Union. Article 3(2) — non-EU processing that targets EU data subjects through (a) offering goods or services or (b) monitoring behaviour. Article 3(3) — Member State law by virtue of public international law.
- Article 4 provides the operative definitions — 26 numbered definitions (personal data, processing, controller, processor, data subject, profiling, pseudonymisation, biometric data, genetic data, data concerning health, and more). The special-categories regime is in Article 9, not Article 4.
- Article 27 requires non-EU controllers and processors caught by Article 3(2) to designate a representative in the Union (with limited exceptions).
Primary source
Regulation (EU) 2016/679 on EUR-Lex (CELEX 32016R0679) — Articles 1, 2, 3, 4, 27 · Directive (EU) 2016/680 (Law Enforcement Directive) · Regulation (EU) 2018/1725 (Union institutions data protection)
Article 1 — subject matter
Article 1(1) defines the subject matter:
This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
Article 1(2) protects fundamental rights and freedoms, in particular the right to the protection of personal data. Article 1(3) prohibits restriction of free movement of personal data within the Union for reasons connected with the protection of natural persons with regard to the processing of personal data — the two-track structure (fundamental rights + internal-market) shapes how the Regulation is interpreted across the rest of its Articles.
Article 2 — material scope
Article 2(1) sets the in-scope universe:
This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
Article 2(2) excludes four cases:
- Article 2(2)(a) — processing in the course of an activity which falls outside the scope of Union law.
- Article 2(2)(b) — processing by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU (common foreign and security policy).
- Article 2(2)(c) — processing by a natural person in the course of a purely personal or household activity. (Recital 18 makes clear this excludes correspondence, address books, social-networking, and online activity in the course of such activities — but does not extend to controllers or processors providing the means for such activities.)
- Article 2(2)(d) — processing by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Covered by Directive (EU) 2016/680 (the Law Enforcement Directive).
Article 2(3) addresses processing of personal data by Union institutions, bodies, offices and agencies, which is covered by Regulation (EU) 2018/1725. Article 2(4) clarifies that the Regulation is without prejudice to the application of Directive 2000/31/EC, in particular Articles 12–15 of that Directive on the liability of intermediary service providers.
Article 3 — territorial scope
Article 3(1) — establishment in the Union
Article 3(1) sets the establishment trigger:
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
The "in the context of the activities of an establishment" wording is broad — the CJEU has held in cases such as Google Spain (C-131/12) and Weltimmo (C-230/14) that an EU establishment can be inferred from minimal local presence if there is real and effective exercise of activity through stable arrangements.
Article 3(2) — targeting of data subjects in the Union
Article 3(2) catches non-EU controllers and processors that target EU data subjects:
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
Recital 23 clarifies that the "offering" trigger requires more than the mere accessibility of a website or the use of a language used in the controller's home country — indicators include language localisation, EU currency, references to EU customers, or the apparent intent to envisage offering services to data subjects in one or more Member States.
Recital 24 clarifies that "monitoring" includes tracking of natural persons on the internet, including potential subsequent use of profiling techniques, particularly to take decisions concerning data subjects or to analyse or predict personal preferences, behaviours and attitudes.
For AI systems, the Article 3(2)(b) monitoring trigger is a common entry point — AI services that observe user behaviour for personalisation, recommendations, ad targeting, or behavioural analytics fall within it when the processing relates to behaviour taking place in the Union. Scope is assessed per processing activity, not per AI service in the abstract.
Article 3(3) — public international law
Article 3(3) extends scope to processing where Member State law applies by virtue of public international law (e.g. diplomatic missions, consular posts).
Article 27 — representative for non-EU entities
Article 27 requires a controller or processor not established in the Union but caught by Article 3(2) to designate in writing a representative in the Union. Article 27(2) provides limited exceptions: processing which is occasional, does not include large-scale processing of special categories or criminal-conviction data, and is unlikely to result in a risk to the rights and freedoms of natural persons; or processing by public authorities or bodies.
Article 4 — key definitions
Article 4 contains 26 numbered definitions. The most operationally important for AI use cases:
- Article 4(1) — personal data: any information relating to an identified or identifiable natural person ('data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Article 4(2) — processing: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means.
- Article 4(3) — restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future.
- Article 4(4) — profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- Article 4(5) — pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- Article 4(6) — filing system: any structured set of personal data which are accessible according to specific criteria.
- Article 4(7) — controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Article 4(8) — processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Article 4(11) — consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- Article 4(12) — personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Article 4(13) — genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
- Article 4(14) — biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
- Article 4(15) — data concerning health: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
For AI use cases, the recurring definitional questions are (i) whether training data, embeddings, model parameters, or inference logs are personal data within Article 4(1), and (ii) whether the AI provider is acting as controller, joint controller, or processor for the data processed in each phase. These determinations drive almost all downstream obligations.
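Article 4(5) turns on the "additional information" being kept separately from the pseudonymised data. The added example below (not from this page or from Modulos; the key-vault framing, function names and sample records are constructed) replaces a direct identifier with a keyed HMAC token, holds the key and the token-to-identifier lookup apart from the released rows, and shows that re-attribution works only for whoever holds that additional information while the rows themselves remain linkable within one export.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real people): a direct identifier plus the
# attributes an analytics or training pipeline actually needs.
SAMPLE_RECORDS = [
    {"email": "anna@example.org", "age": 41, "score": 0.82},
    {"email": "ben@example.org", "age": 29, "score": 0.17},
]


def generate_key() -> bytes:
    """Secret key: part of the Article 4(5) 'additional information'.

    It must be stored apart from the pseudonymised rows (e.g. in a key vault
    the downstream recipient cannot read); if it travels with the rows, the
    output is not pseudonymised in the Article 4(5) sense."""
    return secrets.token_bytes(32)


def subject_token(identifier: str, key: bytes) -> str:
    """Keyed token for one data subject. Deterministic per key, so the same
    person maps to the same token within one export (rows stay linkable for
    the controller), but unlinkable across exports made under different keys."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_dataset(records: list, key: bytes) -> tuple:
    """Return (rows, lookup). `rows` carry no direct identifier; `lookup` maps
    token -> identifier and, like the key, stays with the controller."""
    rows, lookup = [], {}
    for rec in records:
        token = subject_token(rec["email"], key)
        rows.append({"subject_token": token, "age": rec["age"], "score": rec["score"]})
        lookup[token] = rec["email"]
    return rows, lookup


def reattribute(token: str, lookup: dict):
    """Re-identification is possible only with the separately held lookup
    (or the key plus the original identifier); without it the token is opaque."""
    return lookup.get(token)


def has_direct_identifiers(rows: list) -> bool:
    """Release check: no row leaving the controller may still carry the identifier."""
    return any("email" in row for row in rows)
```

The same key also lets the controller locate a subject's rows from the original identifier (for an access or erasure request) without ever storing the identifier in the released data.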
How to operationalize GDPR scope in Modulos
| Layer | Modulos surface | Coverage |
|---|---|---|
| Scope and applicability | OFF-11 baseline requirements (the Article 1–3 scope determination + Article 27 representative designation is recorded as evidence linked to the relevant OFF-11 requirements, including ORF-235 for Article 26–27) | Articles 1–3, Article 26 joint controllers, Article 27 representative |
| Definitions and roles | Documented per project at controller / processor / joint-controller decision | Article 4 — definitional assessment per processing activity |
| Per-system scope | MFF-12 baseline requirements | Per-AI-system applicability assessment |
A typical setup:
- Requirements — record GDPR scope-determining obligations on the OFF-11 organisation project; per-AI-system applicability on MFF-12.
- Controls — implemented work (territorial-scope memo, Article 4 definitional assessment per processing activity, controller / processor decision memo, Article 27 representative designation) is documented as named controls.
- Evidence — supporting records (sector and service qualification rationale, Article 3 establishment analysis, Article 3(2) targeting analysis where applicable, Article 27 representative agreement) are recorded once and linked to controls.
- Readiness + fulfilment attestation — when controls are in a final state, the requirement becomes ready for review; the requirement owner attests fulfilment.
The Article 4(7)–(8) controller/processor decision should be revisited each time the AI system materially changes — adding a new processing purpose, a new vendor, or a new data category may shift the role.
Cross-framework mapping (preview)
| GDPR scope area | EU AI Act (Regulation (EU) 2024/1689) | NIS2 (Directive (EU) 2022/2555) |
|---|---|---|
| Article 2 material scope | Article 2 AI Act scope (AI systems placed on the market, put into service, or used in the Union) | Article 2 NIS2 scope (size-cap + Annex I/II sectors) |
| Article 3 territorial scope | Article 2(1) AI Act extraterritorial reach for output used in the Union | Article 26 jurisdiction allocation |
| Article 4 definitions | Article 3 AI Act definitions (AI system, GPAI model, provider, deployer, etc.) | Article 6 NIS2 definitions |
| Article 4(7) controller | Article 3 EU AI Act provider / deployer roles — distinct concepts; one role does not collapse into the other | (no direct equivalent) |
| Article 27 representative | Article 22 EU AI Act authorised representative for non-EU providers | Article 26(3) NIS2 EU representative for Article 26(1)(b) digital-infrastructure entities |
For the pairwise treatment with the EU AI Act see EU AI Act vs GDPR.
Related pages
GDPR overview
Framework structure, dates, OFF-11 / MFF-12 split
Key principles and obligations
Article 5 principles, Article 6 lawful basis, Article 9 special categories, Articles 12–22 rights
Controller obligations and breach notification
Articles 24–32 obligations, 33–34 breach, 35 DPIA, 37 DPO
Operationalizing in Modulos
Practical rollout sequence for OFF-11 and MFF-12
EU AI Act vs GDPR
How the two binding EU Regulations interact for AI systems processing personal data
Source attribution
Regulation (EU) 2016/679 (GDPR) is published in the Official Journal of the European Union L 119, 4.5.2016, pp. 1–88; corrigendum in OJ L 127, 23.5.2018, pp. 2–5. Directive (EU) 2016/680 (Law Enforcement Directive) and Regulation (EU) 2018/1725 (Union institutions data protection) are individually published on EUR-Lex.
Disclaimer
This page is for general informational purposes and does not constitute legal advice.