Who Needs to Comply with GDPR? A Simple Test

Who does GDPR apply to? Run the three-question test: establishment, targeting, and monitoring. See who is exempt and how the fines actually work.


by Riad Us Salehin • 4 July 2026


GDPR applies to any organization, anywhere in the world, that processes the personal data of people located in the EU or EEA. This holds whether the organization is established in the EU, or simply targets or monitors people who are. Three questions decide it: what data you process, where the people are, and how you interact with them.

Below is that test in full, with who counts as established in the EU and when a company outside the EU still falls in scope. It also covers who is exempt and what the test means for a website's cookies.

Who Does GDPR Apply To? The Simple Test

Three questions decide GDPR scope:

  1. Do you process personal data?
  2. Are any of those people located in the EU or EEA?
  3. Are you offering them goods or services, or monitoring their behaviour, or is your organization established in the EU?

A yes to all three means GDPR applies. The size, industry, or home country of your organization does not decide the answer. Only where your users are, and what you do with their data, decides it.

This chain comes directly from Article 3 of the regulation, which sets GDPR's territorial scope. The European Commission puts it plainly. The rule depends on the nature of your activities, not the size of your company.

A one-person shop selling to EU customers can be in scope. A 500-employee company that never touches EU data is not.

The test matters because GDPR's fines scale with global revenue, not local presence. The most serious violations breach the core data-protection principles or ignore data-subject rights. They carry a maximum penalty of EUR 20 million or 4% of global annual turnover, whichever is higher. A lower tier of mostly procedural failures caps at EUR 10 million or 2% of global annual turnover, whichever is higher (Article 83). There is no US-dollar ceiling; the fine is set in euros against worldwide revenue.

GDPR Applies to Organizations Established in the EU

Any organization with a branch, subsidiary, or office in the EU is covered by GDPR if it processes personal data as part of its activities. This holds regardless of where the data is actually processed. This is the establishment limb of Article 3(1), and it is the simplest test. A physical or legal presence in the EU triggers it; the location of your servers does not matter.

The European Commission states this directly. GDPR applies to any branch established in the EU that processes personal data as part of its activities. That holds "regardless of where the data is being stored or used."

A German subsidiary of a US company is covered under this rule. That holds even if all its customer data sits on servers in Virginia.

GDPR's reach extends across the European Union's 27 member states. It also covers Iceland, Norway, and Liechtenstein under the European Economic Area (EEA). An establishment in any of these 30 countries triggers the establishment limb. For the underlying definition of the regulation itself, see what GDPR is and what it protects.

GDPR Applies to Organizations Outside the EU That Target or Monitor EU Residents

Even with zero EU presence, GDPR applies if your organization offers goods or services to people in the EU, or monitors their behaviour. This is the targeting and monitoring limb of Article 3(2). It is the reason GDPR reaches companies that have never opened an EU office.

The regulation's own text covers processing tied to "the offering of goods or services" to people in the EU. It also covers "the monitoring of their behaviour" while they are in the EU.

Payment is irrelevant here. A free app or a free content site can trigger the offering-goods-or-services limb just as easily as a paid one.

The European Commission's own examples draw the line clearly. An online education company based outside the EU that markets to Spanish and Portuguese universities is in scope. It targets EU individuals by name. A company that sells to customers outside the EU, and does not specifically target people in the EU, is not in scope. That holds even if a handful of EU residents happen to buy from it anyway.

That distinction matters because GDPR protects people located in the EU at the time of processing, not people who hold EU citizenship. A US citizen living in Berlin is protected by GDPR. A German citizen living in Chicago and buying from a US-only store generally is not, because the trigger is location and targeting, not passport.

GDPR's reach is extraterritorial by design: the regulation follows the data subject, not a border line. Other privacy regimes have since copied this same extraterritorial structure; see how data privacy laws around the world compare on reach.

Does GDPR Apply to US Companies?

Yes. A US company is covered by GDPR the moment it offers goods or services to, or monitors the behaviour of, people located in the EU. There is no US-based exception.

Many US companies meet this for the first time when an EU or UK client asks them to sign a Data Processing Agreement (DPA). That request often surfaces the obligation well before any regulator does. For the full US-specific checklist, thresholds, and the EU representative requirement, see GDPR for US companies.

What "Personal Data" Triggers GDPR?

GDPR covers any information that can directly or indirectly identify a living person. That definition is deliberately broad. It extends well past names and emails into technical identifiers most website owners collect without thinking of them as personal data.

Personal data under GDPR includes:

  • Names, email addresses, and postal addresses
  • IP addresses and online cookie identifiers
  • Location data
  • Biometric data
  • Health data

The inclusion of IP addresses and cookie identifiers is the detail that catches most website owners off guard. An analytics or advertising cookie set on a visitor located in the EU counts as processing personal data under GDPR's definition. That is true whether or not the site also collects a name or email address.

Who Is Exempt from GDPR?

Two categories fall outside GDPR: purely personal or household activity, and processing outside the scope of EU law such as law enforcement or national security. Outside those two narrow carve-outs, there is no general exemption.

The exemptions are:

  1. Purely personal or household activity. Keeping a personal address book or a private photo collection is not covered. The moment that same activity becomes professional or commercial, the exemption disappears.
  2. Processing outside the scope of EU law. National security, defence, and public security activities fall outside GDPR's scope, along with criminal law enforcement.

There is no exemption based on company size or being headquartered outside the EU. Those two facts are the most common source of confusion, and both are addressed directly in the sections above and below.

Does GDPR Apply to Small Businesses and Sole Traders?

Yes. GDPR applicability depends on the nature of your activities, not the size of your company, according to the European Commission. There is no small-business exemption. A five-person startup selling to EU customers carries the same scope obligations as a 5,000-person enterprise doing the same thing.

The one real concession is narrow. Organizations with fewer than 250 employees are freed from Article 30 record-keeping requirements in most cases. That concession disappears if the processing is a regular activity, poses a risk to people's rights and freedoms, or involves sensitive data or criminal records. Most businesses that run marketing cookies or handle customer accounts fall outside the concession for exactly that reason.

A sole trader is treated the same way as any other organization once their processing extends past purely personal use. A freelance consultant who stores client contact details and invoices for EU customers is processing personal data for a professional purpose. That places them inside GDPR's scope even though they operate alone. Once you have confirmed you are in scope, the next step is how to make your website GDPR compliant.

How GDPR Applies to Your Website and Cookies

Analytics or advertising cookies set on visitors located in the EU trigger two things at once: processing personal data, and monitoring behaviour under Article 3(2). Either one alone pulls a site into GDPR's scope, regardless of where the business is based. This is the moment most site owners actually cross into GDPR territory, well before they think of themselves as a data company.

Cookie identifiers and IP addresses count as personal data under GDPR's own definition. Tracking a visitor's on-site behaviour through those cookies is the textbook example of monitoring under Article 3(2)(b).

A US-based blog running Google Analytics on EU visitors meets both triggers at once. It processes personal data, and it monitors behaviour that takes place in the EU.

Once you have confirmed you are in scope, the first practical obligation is a lawful basis for that processing. For most non-essential cookies, that means valid, informed opt-in consent before the cookie loads. To see exactly how the GDPR governs cookies and what counts as valid consent, read the full guide.

How Consently Helps You Meet GDPR's Consent Requirements

Once GDPR applies to your site, the practical job is showing EU visitors a compliant consent banner and keeping a record of their choice. Consently's GDPR opt-in consent banner template is built for exactly that.

It uses an opt-in-first design that matches Article 3's targeting and monitoring triggers. Automatic region-based banner display then shows EU visitors the opt-in flow, while visitors elsewhere see the model that applies to them.

Two features handle the mechanics behind that banner. Cookie auto-blocking holds non-essential cookies and third-party scripts from loading until a visitor actually consents. The monitoring-behaviour trigger does not fire before a lawful basis exists.

Consent logs with export then give you a timestamped record of who consented and when. That record is the audit trail GDPR expects a controller to produce. The matching cookie and privacy policy generators cover the transparency documents that go alongside the banner.

None of this replaces legal advice, and it does not make a business "GDPR compliant" on its own. It handles the consent-banner, blocking, and logging obligations a covered site needs once you have confirmed you are in scope.

Consently's GDPR cookie consent solution is free to try for 14 days, no credit card required. Start your free trial to see the opt-in banner and consent log running on your own site.

FAQs

Who does GDPR apply to?

GDPR applies to any organization, anywhere in the world, that processes the personal data of people located in the EU or EEA. This covers organizations established in the EU and organizations outside the EU that target or monitor EU residents.

Does GDPR apply to US companies?

Yes. A US company is covered the moment it offers goods or services to, or monitors the behaviour of, people located in the EU. There is no minimum size or revenue threshold that exempts a US company from this test.

Does GDPR apply to small businesses?

Yes. GDPR applies regardless of company size; only the nature of the processing activity matters. The one size-based concession: companies under 250 employees are freed from Article 30 record-keeping in most cases. That exception drops away if the processing is regular, risky, or involves sensitive data.

Who is exempt from GDPR?

Only two categories: purely personal or household activity, and processing outside the scope of EU law, such as law enforcement and national security. There is no exemption for small size or for being based outside the EU.

Does GDPR apply to individuals?

Yes, once an individual's data processing extends past purely personal or household activity. A sole trader who stores client contact details and invoices for EU customers is processing data for a professional purpose. That puts them in scope even without a company behind them.

Does GDPR apply to individuals or companies?

GDPR governs personal data about individuals, not data about companies or other legal entities. A business name or generic company inbox is not personal data on its own. Details about a one-person company can still count as personal data when they identify a specific person.

Does GDPR apply to EU citizens living in the US?

GDPR follows location, not citizenship. An EU citizen living in the US and buying from a US-only store is generally outside GDPR's protection. A US citizen located in the EU is protected, because the trigger is where the person is at the time of processing.

Does GDPR apply if I only have a few EU visitors?

Not automatically. The targeting and monitoring test decides scope, not raw visitor count. A handful of incidental EU visitors to a site that ignores them is different from a site that actively offers them goods or services. It is also different from a site that monitors their behaviour through cookies or analytics.

Do I need a cookie banner to comply with GDPR?

If your site sets non-essential cookies on visitors located in the EU, you need a lawful basis. In practice that means valid opt-in consent captured before the cookie loads. The exact rules a compliant banner has to meet are covered in the section on your website and cookies above.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.