GDPR Compliance

1. GDPR applies to the processing of personal data in the context of the activities of a controller or a processor established in the EU, regardless of whether the processing takes place in the EU or not. The presence of a single representative may be sufficient to satisfy the presence of an establishment.
2. processing the personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to
   1. offering goods or services to data subjects in the EU, irrespective of whether a
      payment of the data subject is required and
   2. monitoring their behaviour in the EU.
3. processing of personal data by a controller not established in the EU but in a place where member state law applies by virtue of public international law.

Material scope

Activities must also fall within the material scope of the GDPR, as set out in Article 2.

1. Processing personal data wholly or partly by automated means (without or partly without human intervention). It should not be confused with automated decision-making.
2. Processing, other than by automated means of personal data, that forms part of a filing system.

This covers most activities done with data, including collecting, recording, storing, accessing or viewing, using, analyzing, combining, disclosing or deleting personal data.

Exclusions to the material scope

The exclusions for data processing not regulated by the GDPR for purposes that include:

1. Activities outside the scope of EU law: for example, national security activities
2. Law enforcement and public security and
3. Purely personal or household activities.