GDPR applicability, i.e. whether an organization is subject to the GDPR or not, is a tricky topic. The Regulation’s definition of personal data is very broad and can include things like IP addresses.
This means that as a business, you’re likely to process personal data. Therefore, you must consider whether the GDPR applies to you from a territorial perspective.
👀 It’s not easy. That’s why we compiled this short guide with everything you need to know, plus examples. Of course, we always recommend consulting a legal professional to understand your specific situation. Let’s dive in!
In this post, we explain:
- What is the GDPR?
- Who is subject to GDPR (aka GDPR Article 3)?
- Who does the GDPR not apply to?
- Examples
GDPR Applicability: What is the GDPR?
The GDPR is a European regulation that became fully enforceable on May 25th, 2018. It is the most robust and strictest privacy law to date, and applies to the processing of personal data.
At its most basic, it specifies how personal data should be lawfully processed, collected, used, protected or interacted with in general.
GDPR’s main provisions include:
- having a valid legal basis for processing personal data;
- in many cases, obtaining explicit user consent before processing any personal data, and keeping records of that consent;
- honoring your users’ rights and requests;
- implementing organizational privacy measures and keeping user data safe.
Who is subject to GDPR (aka GDPR Article 3)?
GDPR Article 3 sets out the conditions of territorial applicability, or in non-legalese, who is subject to the GDPR.
In short, the GDPR can apply where:
- an entity’s base of operations is in the EU
  - this applies whether the processing takes place in the EU or not;

or

- an entity not established in the EU offers goods or services to people in the EU
  - even if the offer is for free;
  - the entity can be a government agency, a private or public company, an individual or a non-profit;

or where

- an entity is not established in the EU, but it monitors the behavior of people who are in the EU
  - provided that such behavior takes place in the EU.

The relevant paragraphs from the official text of Article 3 read:
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: the offering of goods or services (…); or the monitoring of their behavior as far as their behavior takes place within the Union.
🔍 Key takeaways
👉 The GDPR can apply to you whether your organization is based in the EU or not;
👉 If you are an EU-based data controller, you must apply GDPR standards to all users (not only users in the EU)!
“Data controller” means any person or legal entity involved in determining the purpose and ways of processing the personal data.
Who does the GDPR not apply to?
There are two main instances in which the GDPR may not apply to you. First, the GDPR does not apply to you if you are not based in Europe AND you are not targeting European users’ personal data. Second, the GDPR does not apply to you if you are not processing any personal data at all.
GDPR Applicability: Examples
📍 When GDPR Does Not Apply
- Is a Japanese-based company subject to the GDPR if it processes personal data related to the selling of goods and services to Japanese users only?
👉 No! Because…
- the controller (or processor) is not based in Europe;
- processing relates to the selling of goods/services, but does not target European users.
🇺🇸 GDPR Applicability For US Companies
The GDPR is meant to protect European users, and therefore it can extend to foreign businesses too.
You might be wondering whether the GDPR applies to you as a US-based company. It depends on many different circumstances, but if you are targeting European users, then yes, it may apply to you and you must comply. If you aren’t, the law should not apply to you.