Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?
A . The behavior of suspected terrorists being monitored by EU law enforcement bodies.
B . Personal data of EU citizens being processed by a controller or processor based outside the EU.
C . The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.
D . Personal data of EU residents being processed by a non-EU business that targets EU customers.
Answer: D
Explanation:
Article 3 of the GDPR specifies the territorial scope of the regulation. According to Article 3(2), the GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behavior as far as their behavior takes place within the Union.
Option D aligns with the criteria specified in Article 3(2)(a). If a non-EU business targets EU customers (or offers goods or services to individuals in the EU), then it falls under the territorial scope of the GDPR.
While option B may sound plausible, the mere fact of processing personal data of EU citizens outside the EU doesn’t automatically bring an entity under the GDPR’s scope. It’s the targeting of services or monitoring of behavior of individuals in the EU that triggers the GDPR’s extraterritorial effect.
Latest CIPP-E Dumps Valid Version with 157 Q&As
Latest And Valid Q&A | Instant Download | Once Fail, Full Refund