Who does GDPR apply to?

GDPR applies to most organizations that process the personal data of individuals residing in the European Union, regardless of where the organizations are established and where the processing activities occur. The scope of the GDPR is broad and extraterritorial, meaning it can also apply to organizations outside of the EU.

Article 3 of GDPR sets out its territorial scope. It applies to any organization that is:

  • Established in the EU and processes personal data of EU citizens or residents.
  • Not established in the EU but offers products or services to, or monitors, individuals in the EU.

Offering products or services means that even if you are not conducting any commercial activity, your business's intent to target EU residents will be considered.

Monitoring behaviour would include activities that allow your business to track EU residents, for instance the use of tracking cookies or IP addresses.