This article is written in collaboration with a law agency. However, it is intended for general information purposes only. It does not constitute a client-attorney relationship or personalized legal advice.
- Do you sell and ship products to the EU? Yes.
- Do you offer a digital service (free or paid) that’s targeted at customers inside the EU? Yes.
- Do you systematically process or process on a large scale the personal data of EU-based customers? Yes.
- Do you offer a digital service that’s also used by EU-based customers, but you don’t actively target them? Maybe not.
- Do you have a simple blog or website with comments that is not aimed at EU-based visitors? Probably not.
If you are still unsure, we recommend getting legal assistance, as this is a confusing topic.
Note that if GDPR applies to you, it’s also likely that you might need to appoint an EU-based representative. Read more about appointing the representative here.
The scope of GDPR is defined like this:
Territorial scope (GDPR Art. 3)
GDPR applies to businesses (both controllers and processors) both in- and outside of the EU. If you are not located in the EU but offer goods/services to individuals in the EU or monitor their behaviour, GDPR applies to you too.
Material scope (GDPR Art. 2)
If you process individual’s personal data wholly or partly by automated means and or process personal data which form part of a filing system or are intended to form part of a filing system, GDPR applies to you.
If your data processing falls into the scope, GDPR will most likely apply to you in the same way as it applies to EU-based companies.