Certified Information Privacy Professional – Europe (CIPP/E) — Question 32
Which of the following would MOST likely trigger the extraterritorial effect of the GDPR, as specified by Article 3?
Answer options
- A. The behavior of suspected terrorists being monitored by EU law enforcement bodies.
- B. Personal data of EU citizens being processed by a controller or processor based outside the EU.
- C. The behavior of EU citizens outside the EU being monitored by non-EU law enforcement bodies.
- D. Personal data of EU residents being processed by a non-EU business that targets EU customers.
Correct answer: D
Explanation
The correct answer, D, highlights that the GDPR applies to non-EU businesses targeting EU customers, thus triggering its extraterritorial effect. Options A and C involve monitoring by law enforcement and do not pertain to data processing, while option B refers to data processing outside the EU but lacks the targeting aspect that makes option D relevant under the GDPR.