Who does GDPR apply to?

The General Data Protection Regulation (GDPR) applies to two main categories:

  1. Companies or entities established or with a physical presence in the EU that process the personal data of EU individuals.
  2. Companies or entities established outside the EU that offer goods/services or monitor the behavior of individuals in the EU.

If your company is a small or medium-sized enterprise (SME) and meets one of the above criteria, you must comply with the GDPR. However, if processing personal data is not a core part of your business and your activities do not pose risks to individuals, certain obligations of the GDPR may not apply to you.