Generally, the GDPR applies to data processing activities conducted by organisations established in the European Union (EU). But in certain activities, GDPR may also apply outside EU according to extra-teritorial principle. This principle has correlation to concept of sovereignty in international law. This article aims to examine whether a state must abide to GDPR when the requirement fulfiled or should the states use their sovereignty as a basis to deny it. This article is normative legal research. It focus on case-law, statutes and other legal source as primary and subsidiary source. The analysis is deductive by reasoning from more general to more specific. The result show that extra-teritorial principle under GDPR is in accordance to international law. The practice is common in the world in order to protect the citizen and national interest from any threat from abroad. The chance of overlapping between this principles with state’s sovereignty is hardly to occur as the principle only works when the interest of European citizen violated.