
Who Does GDPR Apply To? Everything You Need To Know

The General Data Protection Regulation (GDPR) is the core of the European Union’s privacy rights movement and the most thorough framework passed to date. Enacted on May 15, 2018, the legislation affects every organization that handles the personal information of European citizens.

Even though the GDPR defines what it protects and which organizations must comply, it can still be unclear who falls under the regulation, especially for businesses with no physical presence in the EU.


Who does GDPR apply to?

While the GDPR affects all EU businesses, it also applies to many organizations that interact with consumers in any of the 27 member states.

GDPR compliance is a requirement for companies that:

  • Operate in the EU and process the personal data of its citizens or residents

  • Operate outside the EU but offer products and services to its citizens or residents

  • Operate outside the EU but monitor the behavior of its citizens or residents

While the need to comply with the GDPR is clear for businesses operating in the EU, marketers at non-EU enterprises are often unsure which data privacy laws apply to them. Two questions that we see non-EU companies frequently ask are:

  • Does GDPR apply to US citizens?

  • Does GDPR apply to my website?

It’s important for CMOs and their marketing teams to understand whether or not they must comply with the GDPR. Let’s clarify what the two conditions for non-EU companies listed above actually mean.

Clarifying GDPR compliance requirements for non-EU businesses

Understanding how the GDPR defines offering goods and services, and how it defines monitoring behavior, is key to assessing whether your organization is required to comply with the privacy laws.

Offering goods and services

For these companies, attempting to do business with any consumer located in the EU is often enough to fall under the GDPR. The European Data Protection Board, designed to enforce the new data privacy laws, looks for businesses that “direct activity” to the EU market. Beyond receiving payment from EU residents, activities that count as directing activity to the EU, and therefore require GDPR compliance, include:

  • Marketing campaigns that target an audience in the EU

  • Having a dedicated address or phone number from the EU

  • Mentioning clients that reside in an EU member state, including endorsements

  • Having an EU domain name

  • Using any EU languages or currencies

  • Delivering products to an EU state

Monitoring behaviors

The other condition that requires non-EU businesses to comply with the GDPR is “monitoring the behavior” of EU residents, but what does that mean for marketers? For our purposes, monitoring can be either over the internet or through any method that involves processing personal data. Activities that fall into this category include:

  • Behavioral advertising

  • Monitoring a person’s health status

  • Geo-localization for advertising purposes

  • Behavioral studies and market surveys

  • Online tracking using cookies

  • Offline tracking methods like fingerprinting

  • CCTV monitoring

  • Online health analytics

In addition to these activities, a non-EU company must comply with the GDPR if it:

  • Employs even a single worker in the EU

  • References EU customers in any marketing or advertising effort

  • Has a business plan that references obtaining EU customers

While this is not an exhaustive list of activities that can make a non-EU business fall under the GDPR, and there are still some gray areas in the regulations, any of them can trigger a need for GDPR compliance.

Does GDPR apply to you?

We’ve covered which businesses must comply with the GDPR, but who in the organization is responsible for maintaining compliance? There are two roles the GDPR mainly applies to: data controllers and data processors. Also, anyone who was subject to the United Kingdom’s Data Protection Act is likely required to maintain GDPR compliance.

A controller is a person or entity that, alone or jointly with others, determines the purposes for which personal data is processed, while a processor is a person or entity that processes that data on behalf of a controller.

According to the United Kingdom’s Information Commissioner’s Office, data controllers and processors have “significantly more legal liability” if they are responsible for a data breach. Maintaining compliance is a new obligation for them under the GDPR.

The GDPR requires processors to maintain records of how personal data gets processed, and it requires controllers to ensure that their processors maintain compliance.

How Actito helps marketers maintain GDPR compliance

Our agile customer activation platform has helped hundreds of businesses attract and retain customers, increase conversions, and boost revenues, all while staying fully compliant with the GDPR legislation. Here’s how Actito can get your business GDPR compliant:

  • Create GDPR-compliant data collection forms and securely store proof of consent

  • Keep audit trails of every change in data

  • Use first-party data to ensure your data processing methods are within the scope of customer consent

  • Only collect and process the data for purposes that the customer consented to

  • Ensure the data you process is qualitative

  • Automatically delete or archive inactive data

With Actito, you can focus on building meaningful, lasting customer relationships rather than worrying about GDPR compliance.

About the author


Véronique Buhler

Head of Corporate Marketing

Veronique has been fortunate enough to live and breathe marketing technology for 15 years on both sides of the English Channel. Her lifestyle is heavily influenced by English culture, and music is certainly no exception. You can find her trying out new recipes, taking part in an art workshop, or exploring the fascinating world we live in.
