GDPR is known for punishing data privacy violations with steep fines, with some penalties in the hundreds of millions of euros. 

To avoid violations and fines, it’s essential you understand if your business falls within the scope of GDPR.

Who does GDPR apply to?

While it is EU legislation, GDPR applies to any organization that collects and processes personal data from EU residents.

More specifically, GDPR applies to:

  • Organizations that are based in the EU: Organizations based in the EU or with a branch or subsidiary in the EU are expected to comply, no matter where the data is being stored or used. 
  • Organizations based outside of the EU that are offering goods/services to individuals in the EU: In this case, it doesn’t matter if the organization is based outside of the EU or if the goods and services are offered for free. What matters is if the organization caters to EU customers. For example, if a US company provides tutoring services to a target audience residing in France, then the US company is expected to comply. 
  • Organizations based out of the EU that are monitoring the online behavior of individuals in the EU: In this case, it doesn’t matter if the organization is based outside the EU. If they are tracking cookies or the IP addresses of people who visit their website from EU countries, then they are expected to comply with GDPR. 

Does GDPR apply to US companies?

Companies that aren’t physically located in the EU can still fall within the scope of GDPR. That means businesses all over the world may need to comply with GDPR requirements — including companies in the US. 

Example

Because GDPR’s scope is relevant to EU residents’ personal data, this legislation may impact businesses all over the world. However, many businesses underestimate its reach.

Let’s take a look at an example of a business that must comply with GDPR below. This is based on an example posted by the European Commission. 

A service provider is based in the US. Its clients can use its services when they travel to other countries, including within the EU. It specifically targets its services at individuals in the EU but also provides them to customers outside the EU. Does GDPR apply to this business?

Yes, because it specifically targets its services at individuals in the EU. If it did not specifically target them, then it would not be subject to the rules of GDPR. 

Does GDPR apply to US citizens or residents?

GDPR does not apply to US citizens or residents, but it has inspired similar data privacy laws in the US, most notably the California Consumer Privacy Act (CCPA).

Like GDPR does for EU residents, the CCPA gives California residents greater insight into and control over how businesses collect and use their personal information.

FAQs

Who is eligible for GDPR?

The GDPR applies to companies that process personal data as part of the activities of one of its branches established in the EU, as well as companies established outside the EU that offer free or paid goods/ services or monitors the behavior of individuals in the EU.

Who does GDPR not apply to?

GDPR does not apply to data subjects if they are dead or a legal person and does not apply to people who process data for purposes beyond their trade, business, or professional.

Who is protected under GDPR?

EU residents are protected under GDPR.