GDPR Compliance


Last modified: February 8, 2023
This page is regularly updated to reflect continued monitoring, accuracy and comprehensiveness.

man on laptop
Back to GDPR
Does the GDPR apply to me?
  1. Territorial Scope
  2. Material Scope
The GDPR has a broad reach, including extra-territorial reach. To decide whether we are covered under the GDPR, we need to consider both the ‘territorial scope’ and the ‘material scope’.

Territorial scope

Just one of these criteria must be met for the GDPR to be applicable.

  1. GDPR applies to the processing of personal data in the context of the activities of a controller or a processor established in the EU, regardless of whether the processing takes place in the EU or not. The presence of a single representative may be sufficient to satisfy the presence of an establishment.
  2. processing the personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to
    1. offering goods or services to data subjects in the EU, irrespective of whether a
      payment of the data subject is required and
    2. monitoring their behaviour in the EU.
  3. processing of personal data by a controller not established in the EU but in a place where member state law applies by virtue of public international law.

Material scope

Activities must also fall within the material scope of the GDPR, as set out in Article 2.

  1. Processing personal data wholly or partly by automated means (without or partly without human intervention). It should not be confused with automated decision-making.
  2. Processing, other than by automated means of personal data, that forms part of a filing system.

This covers most activities done with data, including collecting, recording, storing, accessing or viewing, using, analyzing, combining, disclosing or deleting personal data.


Exclusions to the material scope

The exclusions for data processing not regulated by the GDPR for purposes that include:

  1. Activities outside the scope of EU law: for example, national security activities
  2. Law enforcement and public security and
  3. Purely personal or household activities.