Step 2: Check whether you process the data in the context of the activities of that establishment
Once you have verified that you process personal data and that you have an establishment or “stable arrangement” in the Union, you can proceed to check whether the data is processed in the context of the activities of that establishment.
Not every company with an establishment in the Union falls under the applicability of the GDPR. For the Regulation to apply, the activity carried out by the establishment in the Union must be inextricably linked to the activities of the company out of the EU.
The inextricable linkeability of the activities is a matter that must be assessed in a case by case basis. In the Google case, the CJEU stated that the activities of advertising space by the Google subsidiary were inextricably linked to the activities of search engine of the parent company Google Inc., since the former was necessary in order to render the search engine economically profitable and that engine was, at the same time, the means enabling those advertising activities to exist (vid. Google Spain SL, Google Inc. v. AEPD, Mario Costeja González, C-131/12, p. 56)
In such circumstances, the activities of the operator of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed.
The economic profitability is a strong support to argue for the existence of an inextricable link. However, this is not the sole criteria and other may be appreciated in a case by case basis.
For the Regulation the nationality or the citizenship of data subjects are not relevant factors, nor is the place where the data is processed.
Finally, the mere existence of a relation controller-processor does not automatically trigger the obligations of the GDPR, specially when the controller is established outside of the EU and contracts a processor in the Union.
If you are a controller or processor, you need to apply the GDPR to those processing activities carried out in the context of the activities of an establishment in the Union.