GDPR. Scope of application. Who has to comply?

How to deal with the personal data of EU customers? How to avoid a fine of up to 20 million euros or up to 4% of the company’s annual global turnover for the previous fiscal year, whichever is greater?

In order to answer these questions, we will define the territorial and subject matter scope of the GDPR, followed by a breakdown of the key concepts of the EU General Data Protection Regulation.

Territorial scope of GDPR

According to Article 3 GDPR applies:

  • To the processing of personal data obtained through the activities of an EU-registered controller or processor, regardless of whether the processing takes place in the EU or not.
  • To the processing of personal data of those subjects (natural persons) located in the EU by a controller or processor not registered in the EU, where the data processing is related to: the sale or offer to sell goods or services to subjects located in the EU, regardless of whether payment for those goods or services is required from the subject; or the monitoring of the subjects’ conduct, where that conduct occurs within the EU.
  • To the processing of personal data by a controller not established in the EU, but in a place where the law of the Member States applies on the basis of public international law.

Scope of the GDPR

According to Article 2, the GDPR does not apply:

  • to the processing of personal data that takes place partially or entirely by automated means and to the processing by non-automated means, if the personal data constitute or will constitute part of the filing system.
  • to the processing of personal data: in the course of activities that do not fall within the scope governed by EU law; carried out by an EU Member State and falling under Chapter 2 of Title V of the TEC;
  • processing carried out by a natural person solely in the course of personal activities or the management of the household; carried out by competent authorities for the prevention, investigation, detection of criminal acts or prosecution or the enforcement of criminal penalties, including to protect against threats to public security and their prevention.

Processing of personal data. What is this?

This phrase is composed of two main parts, which are defined in Article 4 of the GDPR.

According to this article, they mean the following.

  • “Personal data” is any information relating to an identified or identifiable natural person (“data subject/subject”); an identifiable natural person is one who can be identified directly or indirectly, in particular through such “identifiers” as name, surname, identification number, location data, online identity or through one or more characteristics specific to the person in question, in particular physical, physiological, genetic, spiritual, economic;
  • “Processing” is any operation or set of operations that is performed on personal data or on sets of personal data, by automatic or non-automatic means, in particular this definition includes: collection, recording, organization, structuring, storage, adaptation or modification, review, use, disclosure (by transmission, distribution or otherwise, making them available), classification or combination, restriction, erasure or destruction;
    If the above applies to you, then your next step should be to bring your company’s internal policies and mechanisms for dealing with personal data into compliance.

In case you have additional questions, please feel free to chat with our lawyers. Legarithm attorneys have significant experience in implementing GDPR compliance policies in their company’s operations.


Mon-Fri 10:00-19:00


Konyskoho St. 55А, Kyiv, Ukraine, 04053


Mon-Fri 10:00-19:00


Harju maakond, Tallinn, Kesklinna linnaosa, Tuukri tn 19-315, 10152


Mon-Fri 10:00-19:00

United States

228 Park Ave S PMB 516920 New York, New York 10003-1502 US