Regulation 2016/679 contains a great deal of novelty regarding the scope of the rules contained therein; companies that direct their services to, or offer their products to, subjects who are on the EU territory, will be subject to EU discipline, regardless of the principle of territoriality [art. 3 (2)]. The same goes for monitoring the behavior of individuals in the EU.

This solution responds to the questions raised in the Internet and cloud computing contexts, as well as in all those situations where we use outsourcer chains around the world.

So, summarizing, Regulation 2016/679, for anti-elusive purposes, states that companies that

are subject to the Union's data protection discipline, irrespective of whether they have an establishment on the territory of the EU [art. 3. (2) and art. 27 Reg.].

For the rules of Regulation 2016/679 to be applicable, it is sufficient for the promotion of goods and services be directed to consumers in the Union, such as through online trade, or implying the enforcement of contractual obligations that imply the use of personal data of one of the parties in the EU. As stated in art. 3.2, lett. (a), the application of the rules of the Regulation does not require that the supply of goods or services or the performance of the contract have to be paid (recital 23).

In order to determine whether the activity carried out by the Controller consists of "behavioral monitoring" - for the purposes of applying Regulation 2016/679 also for a Controller without his own establishment in the EU territory, as set out in Recital (24) - it must be verified that the processing activity is carried out within the Union and that the data subjects are traced on the Internet with techniques that apply a profile to each individual (profiling), in particular in order to take a decision on the data subject or for behavioral or predictive analysis of his or her preferences, behaviors, or attitudes.