The territorial scope of the General Data Protection Regulation (GDPR) is defined in Article 3. It applies to organizations under two main criteria. First, it covers any organization with an "establishment" in the EU that processes personal data, regardless of whether the processing itself occurs within the EU. This is covered by the option "any organization that operates within the EU." Second, GDPR has an extraterritorial effect, applying to organizations not established in the EU if their processing activities are related to offering goods or services to data subjects in the EU or monitoring their behavior within the EU.

A. Incorrect because GDPR applies to organizations both inside and outside the EU, not "only" outside.

C. Incorrect because the word "only" is too restrictive; GDPR also applies to non-EU organizations targeting EU residents.

E. Incorrect because physical residence is not the sole criterion; targeting EU residents also triggers GDPR compliance, making "only" inaccurate.

1. Official Journal of the European Union

Regulation (EU) 2016/679 (GDPR).

Article 3

Paragraph 1: "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union

regardless of whether the processing takes place in the Union or not." (Supports option D)

Article 3

Paragraph 2(a): "This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union

where the processing activities are related to: (a) the offering of goods or services

irrespective of whether a payment of the data subject is required

to such data subjects in the Union..." (Supports option B)

2. European Data Protection Board (EDPB)

Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - Version 2.1 (Adopted on 12 November 2019).

Section 2.1

Paragraph 13: "The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union. This is the “establishment” criterion under Article 3(1)." (Supports option D)

Section 2.2

Paragraph 34: "Article 3(2) introduces a specific criterion for the application of the GDPR to controllers and processors not established in the Union. This is the “targeting” criterion." (Supports option B)

3. Schwartz

P. M.

& Peifer

K. (2017). Transatlantic Data Privacy Law. Columbia Law School

Public Law Research Paper No. 14-555.

Page 11: "The GDPR has a broad territorial scope. It applies to any processing of personal data in the context of the activities of an establishment of a controller or processor in the EU... It also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU where the processing activities are related to the offering of goods or services to these data subjects..." (Supports both B and D)