Close this search box.
AI-based solution designed to automate personal data discovery and classification
Discover personal data across multiple systems in the cloud or on-premise
Harbor cooperation between DPO, Legal Services, IT and Marketing
Turn data subject request into an automated workflow with a clear insight into data every step of the way
Collaborate with stakeholders and manage DPIA and LIA in real-time with Assessment Automation
Guide your partners trough vendor management process workflow
Identifying the risk from the point of view of Data Subject
Quickly respond, mitigate damage and maintain compliance
Consolidate your data and prioritize your relationship with customers
Privacy portal allows customers to communicate their requests and preferences at any time
Introducing end-to end automation of personal data removal

Latest Blog posts

Learn the terms

General Data Protection Regulation

Here you can find the official content of the Regulation (EU) 2016/679 (General Data Protection Regulation) in the current version. All Articles of the GDPR are linked with suitable recitals.

Latest papers

Who does the GDPR apply to?

Who Does The EU GDPR Apply To

The General Data Protection Regulation (GDPR) is the main regulation in the European Union that dictates how organizations process EU citizens’ personal data.

However, to whom does the GDPR apply? Does it affect all businesses in the EU, and do businesses outside the EU need to comply?

Does GDPR apply to both the EU and EEA?

The GDPR applies to all Member States of the European Union (EU) and countries in the European Economic Area (EEA).

What is specific to the GDPR is its extraterritorial effect, which means it protects the personal data of EU citizens and residents and applies to all organizations that process such data, whether they are EU-based organizations or not.

Does your company need to comply with the GDPR?

Your company needs to comply with the GDPR if it falls into one of the two categories:

  1. Your company is based in the EU and processes personal information of EU citizens and residents
  2. Your company is not based in the EU but offers products or services to EU citizens or residents or monitors their behavior.

What does it mean to offer goods and services to EU citizens?


Even if you are not conducting any commercial activity, the intention alone will be interpreted as offering goods and services to EU citizens.

For example, if your company has a website that displays any EU member state currency (not all EU countries have instated EUR), or you have a website on the language of one of the member states, or ship goods to the EU, it is interpreted as offering goods and services to the EU citizens.


Monitoring the behavior of EU citizens sounds ominous, but it is really simple, and you might fall into this category.

If your company uses cookies or tracks the IP addresses of your website visitors from EU countries, the GDPR will apply to your business as well.

Does the GDPR apply to an individual?

The GDPR does not apply to a natural person in terms of conducting a ‘personal or domestic’ activity, as it is discussed in Recital 18:

“This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity.

Personal or household activities could include correspondence, addresses, or social networking and online activity..

However, GDPR applies to controllers or processors that provide the means for processing personal data for such personal or household activities.

Difference between a data controller and data processor

Does the GDPR apply outside the European Union?

YES….under certain circumstances.

The GDPR protects the data of its citizens and residents, even if it is transferred outside the EU zone, which means that the GDPR applies to all organizations EU and non-EU, that process the personal information of European citizens.When does the GDPR apply outside the Europe

An example would be a China-based company that collects data from EU citizens.

The same legal obligations apply to the company, as though it has its headquarters in the EU, although it doesn’t even need to have any offices in the territory of any EU country.

If they offer goods or services to EU citizens or monitor the behavior of individuals within the EU, they will have to comply with the GDPR.

Supervisory authority monitors and enforces the application of the GDPR. Although the Supervisory Authority has limited enforcement powers against overseas entities without representatives based in the EU, it might seek to coordinate with foreign regulators in taking enforcement action.

Are you accountable as a Data Processor?

Maybe you are not going to like this, but- YES!

In fact, we have mentioned the GDPR fine issued to the data processor way back, and we can expect this is not going to be an isolated case.

The fine was issued for a breach of Article 32 in the amount of €50,000.

To understand your obligations better,  you have to determine whether you are a data controller or a data processor.

Note that in certain situations, you will be a data processor, and in certain situations, you will be a data controller. It will depend on the circumstances.

The most important question to ask yourself is: Do you determine the purpose of the processing, or are you just an executor?

Difference between data processor's and data controller's obligations under the GDPR


However, both controllers and processors should implement appropriate security measures.

The GDPR places legal obligations on data processors to maintain records of personal data and how it’s processed. Controllers need to ensure they have contracts with processors and comply with GDPR.

Three questions to find out if the GDPR applies to you

1. Do you process EU residents’ personal data?

If you process EU residents’ personal data, then GDPR applies to you. It doesn’t matter if an individual resides outside of an EU state. GDPR is there to safeguard the personal data of all EU citizens, so even in that case, GDPR applies to you.

2. What does it mean if your company hires less than 250 employees?

Organizations must comply with the GDPR even when hiring less than 250 employees. It means that many small and medium-sized enterprises (SMEs) that process personal data of individuals in the European Union or sell goods or services to the EU are obligated to comply.

3. Do you engage in economic activity?

The Regulation does not apply to the processing of personal data of EU citizens if it is exclusive to purely personal or household activities.

What are the penalties for non-compliance?

The General Data Protection Regulation recognizes two levels of fines for less severe and very severe violations.

Non-compliance may result in administrative fines of up to €20 million or up to 4 % of the total worldwide annual turnover of the previous financial year, whichever is higher.

What now?

Now that you have a better insight into who EU GDPR applies to, you can take step-by-step actions to achieve compliance and become, but also remain, an organization that takes care of its customers’ data.

If you’ve realized that the GDPR applies to your organization, check out our solutions for GDPR-related issues. 

Request a Data Privacy Manager demo

Let us navigate you through the Data Privacy Manager solution and showcase functionalities that will help you overcome your compliance challenges.

Scroll to Top