The scope of the GDPR

Establishment criteria

The GDPR applies to the processing of personal data carried out by organizations established on EU territory, whether the processing takes place in the EU.

Targeting criteria

The GDPR applies to the processing of personal data carried out by organizations whose activity targets people who are in the EU.

What about outsourcing?

The data controllers described by the establishment and targeting criteria, as well as their possible subcontractors (data processors), are all affected by the GDPR.

The latter may be:

IT service providers (hosting, maintenance), digital services companies, IT security companies
marketing or communications agencies, or
any organization offering a service involving data processing on behalf of another organization

Household exception

Note that the GDPR does not apply to data processing carried out in the course of strictly personal activities. Example: a list of contacts for the organization of a birthday party.

The scope of the GDPR ​

Establishment criteria ​

Targeting criteria ​

What about outsourcing? ​

Household exception ​

The scope of the GDPR

Establishment criteria

Targeting criteria

What about outsourcing?

Household exception