November 2, 2021

Who does GDPR apply to?

Are you aware if GDPR applies to your business? Learn all about who GDPR applies to right here in this blog post.

The GDPR applies to persons and businesses:

  • From the EU. This includes all businesses incorporated in the EU, as well as individuals from an EU country.
  • That control and/or process personal data of EU citizens. Although the General Data Protection Regulation (GDPR) originates in the EU, it applies to companies outside the EU that offer goods and services (paid or free) to, or monitor the behavior of, individuals within the region. This includes all EU businesses, as well as foreign businesses that collect and process data of EU citizens. For example, a US company that collects and processes personal data of EU citizens has to comply with the GDPR when processing their data.

Simply put:

  • If you are an EU business, GDPR applies to you at all times, and
  • If you are a non-EU business, GDPR applies to you only when interacting with EU citizens.

Does GDPR Apply To Small & Medium-Sized Businesses?

Yes, it does, as long as you meet the above-mentioned requirements. The GDPR does not discriminate based on business size.

There are some GDPR duties that apply only to businesses of a certain size or businesses with certain data processing activities, but in general, the regulation applies to all.

For instance, companies with fewer than 250 employees don’t need to keep records of their processing activities unless processing of personal data is a regular activity, poses a threat to individuals’ rights and freedoms, or concerns sensitive data or criminal records.

Similarly, SMEs will only have to appoint a Data Protection Officer if the processing is their main business and it poses specific threats to individuals’ rights and freedoms (such as monitoring of individuals or processing of sensitive data or criminal records), in particular because it is done on a large scale.

Read more about how to make your business GDPR compliant.

Does the GDPR apply to UK companies?

The United Kingdom is not an EU country; therefore, the GDPR is not applicable in the UK. However, UK businesses need to comply with it anyway.

The GDPR is applicable to any company worldwide when it collects and processes data of EU citizens. That includes UK companies.

Moreover, UK companies must comply with the UK GDPR law. This law was introduced to align the data protection requirements for UK and EU companies after Brexit. Take a look at this UK GDPR checklist for businesses.

There are barely any differences between the GDPR and the UK GDPR; therefore, if you comply with the GDPR, you are likely compliant with the UK law as well.

Does the GDPR apply to US companies?

The GDPR applies to US businesses that process the personal data of EU citizens. If you process data of at least one EU citizen, then it applies to you.

Simply put, GDPR may apply in the US when an EU user’s data is processed by a US company.

However, it applies only to your relationship with the EU user. You need to respect their GDPR data privacy rights, but that does not mean that you need to abide by the GDPR when processing data of US citizens. When a US company processes data of US citizens or any other non-EU citizens, the GDPR does not apply to that processing.