The factor "Offering Goods and Services to data subjects in Jurisdiction" means that the law is applicable to entities that actively target or direct their products or services to individuals within a specific jurisdiction, regardless of the entity's physical location. This factor extends the territorial scope of data protection laws beyond geographical boundaries, focusing on the intentional engagement with data subjects in a particular area.

European Union: General Data Protection Regulation (GDPR)

Article 3(2)(a) states:

"This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union".

Key points:

• Applies to non-EU entities
• Covers both free and paid offerings
• Targets data subjects "in the Union"
• Focuses on intentional targeting of EU residents

India: Digital Personal Data Protection Act (DPDP)

Article 3(b) provides:

"Subject to the provisions of this Act, it shall— (b) also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India".

Key points:

• Extraterritorial application
• Covers digital personal data processing
• Focuses on activities related to offering goods or services
• Targets Data Principals (subjects) within India

Brazil: General Data Protection Law (LGPD)

Article 3(II) states:

"This Law applies to any processing operation carried out by a natural person or a legal entity of either public or private law, irrespective of the means, the country in which its headquarter is located or the country where the data are located, provided that: II – the processing activity is aimed at the offering or provision of goods or services, or at the processing of data of individuals located on the national territory".

Key points:

• Applies regardless of entity type or location
• Covers offering or provision of goods or services
• Broad scope encompassing various processing activities

Serbia: Law on Personal Data Protection (LPDP)

Article 3(4)(1) provides:

"This Law shall apply to the processing of personal data of data subjects who have their domiciles and/or habitual residence in the territory of the Republic of Serbia by a controller and/or processor which do not have their seat and/or domicile or habitual residence in the territory of the Republic of Serbia, where the processing activities are related to: 1) the offering of goods and/or services, irrespective of whether or not a payment of the data subject is required for such goods and/or service, to such data subjects in the territory of the Republic of Serbia".

Key points:

• Applies to non-Serbian controllers/processors
• Covers data subjects with domicile/habitual residence in Serbia
• Includes both free and paid offerings
• Focuses on intentional targeting of Serbian residents

Thailand: Personal Data Protection Act (PDPA)

Section 5(2)(1) states:

"In the event that a Data Controller or a Data Processor is outside the Kingdom of Thailand, this Act shall apply to the collection, use, or disclosure of Personal Data of data subjects who are in the Kingdom of Thailand, where the activities of such Data Controller or Data Processor are the following activities: (1) the offering of goods or services to the data subjects who are in the Kingdom of Thailand, irrespective of whether the payment is made by the data subject".

Key points:

• Applies to non-Thai controllers/processors
• Covers collection, use, or disclosure of personal data
• Includes both free and paid offerings
• Targets data subjects in Thailand