Skip to content

Who Does the GDPR Apply to?

Paige Harris May 27, 2022 8:00:00 AM

The General Data Protection Regulation (GDPR) is the primary policy in the European Union (EU) for protecting the personal data of EU citizens. It directs how organizations should handle and process this information. 

When you are first exposed to GDPR, you may wonder: Who does the GDPR affect? Does it only cover organizations in the EU, or does it also encompass organizations outside the EU? Are there any circumstances when the GDPR applies to US citizens?

Businesses can explain how they follow privacy regulations by using website terms of service generators to create TOS documentation for their websites easily. In addition to GDPR, user personal information protected by the privacy act. For now, let’s explore GDPR. 

What is the GDPR?

The GDPR is a data privacy law that became effective on May 25, 2018. It provides those individuals living in the EU with more control over how companies collect and use their online data. In effect, it enhances personal information protection. 

It also imposes stringent guidelines on the security of the personal data they accumulate from private individuals, including the mandatory use of technical safety measures like encryption and higher legal thresholds to justify data collection. Organizations that fail to comply are subject to hefty fines of up to four percent of their global annual revenue or twenty million euros, whichever is higher.

CTA Terms of Service GraphicWhich countries are under the GDPR’s jurisdiction?

Generally speaking, the GDPR encompasses all member states of the European Union (EU) and countries in the European Economic Area (EEA). However, it’s important to point out that the GDPR has an extraterritorial effect. It applies to all organizations that process personal data belonging to EU citizens—whether they have a location in the EU or not.

Does your organization need to comply with the GDPR?

Your organization must comply with the GDPR if:

  • Your organization is EU-based and processes personal information belonging to EU citizens and residents, regardless of where it is processed.
  • Your organization offers goods and services or monitors the behavior of EU citizens and residents, whether it has an EU location or not.

If you’re managing a business online, especially an e-commerce platform, you must be wondering if you need to have a published Terms of Service agreement on your website. While this isn’t a legal requirement, there is value in doing so. With a terms of service generator, you can provide your customers with information about governing laws, user rights policy, disclaimers, and website, app, and content ownership policies.


There are two notable exceptions to GDPR regulations–purely personal or household activity is not covered. For instance, if you've gathered email addresses to organize a barbeque with your colleagues on a Sunday afternoon, there is no need to worry about complying with the GDPR. 

The GDPR is only applicable to organizations involved in professional or commercial activity. However, if you’re gathering email addresses from friends to raise funds for a business project, the GDPR may apply to you.

The second exception applies to organizations with less than 250 employees. Small and medium-sized enterprises are not entirely exempt from the GDPR, but the policy does, in most cases, exempt them from record-keeping requirements.

Final Thoughts

If you think the GDPR applies to you, it would be best to familiarize yourself with the regulation. While some people believe the GDPR applies to US citizens, there is no federal data privacy law similar to the GDPR in the United States. However, the US Privacy Act protects personal information. This law outlines certain rights and restrictions on data held by US government agencies. No matter the region, one thing is sure—people demand online data protection. 

Leave a Comment