Who does GDPR not apply to?
Asked by: Mr. Kennedi Considine PhD | Last update: April 17, 2026 | Score: 4.2/5 (62 votes)
The GDPR generally doesn't apply to processing data for purely personal/household activities, activities outside the EU's scope (like purely governmental/law enforcement/national security), or data that's fully anonymized/deceased persons/companies, but it does apply broadly to companies processing EU resident data, even if the company is outside the EU, if they offer goods/services to or monitor EU residents. Small businesses aren't exempt but have reduced record-keeping, while the UK has its own UK GDPR, notes CookieScript.
Who does the GDPR not apply to?
Some of the key exemptions from GDPR compliance include personal or household activities, government agencies and law enforcement, and the processing of personal data by Member States.
Who is exempt from GDPR?
Some of the most common exemptions include businesses that do not process personal data of living persons, businesses that have no connection with the European Union, derogations for businesses with less than 250 employees, or data processing primarily for personal/household activities.
Does GDPR apply to everyone?
Yes, individuals can be subject to the GDPR, if their data processing is beyond the scope of “purely personal or household activity” as defined in Article 2 of the GDPR.
Which countries do not follow GDPR?
List of Non-GDPR European Countries
- Albania.
- Belarus.
- Bosnia and Herzegovina.
- Kosovo.
- Moldova.
- Montenegro.
- North Macedonia.
- Russia.
Does GDPR apply to the USA?
Yes, the EU's GDPR (General Data Protection Regulation) applies to U.S. companies and organizations if they offer goods or services to, or monitor the behavior of, individuals located in the European Union (EU), even if the company is based in the U.S. and data processing occurs in the U.S. It has extraterritorial scope, meaning it protects EU residents' data wherever the processing happens, requiring U.S. entities to comply with EU data protection standards and grant EU individuals specific rights.
What is not protected under the GDPR?
The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
What are the 7 main principles of GDPR?
The 7 principles of GDPR (General Data Protection Regulation) are: Lawfulness, Fairness & Transparency (process data legally, fairly, openly); Purpose Limitation (use data only for specified, legitimate reasons); Data Minimisation (collect only necessary data); Accuracy (keep data correct and up-to-date); Storage Limitation (don't keep data longer than needed); Integrity & Confidentiality (secure the data); and Accountability (demonstrate compliance).
What are the 6 legal bases of GDPR?
Article 6 of the General Data Protection Regulation (GDPR) sets out what these potential legal bases are, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.
Is GDPR only for EU citizens?
The whole point of the GDPR is to protect data belonging to EU citizens and residents. The law, therefore, applies to organizations that handle such data whether they are EU-based organizations or not, known as “extra-territorial effect.”
Which country has the strictest privacy laws?
Which Country Has the Strictest Data Privacy Laws? The country with the strictest data privacy laws related to the internet is Iceland. Many people have referred to Iceland as Switzerland for data. It has incredibly strict privacy laws, and these laws were passed in 2000.
How to explain GDPR in simple terms?
GDPR is an EU law with mandatory rules for how organisations and companies must use personal data in an integrity friendly way. Personal data means any information which, directly or indirectly, could identify a living person. Name, phone number, and address are schoolbook examples of personal data.
What are the 10 key requirements of GDPR?
10 key GDPR requirements:
- Lawful, fair, and transparent processing.
- Purpose, data, and storage limitation.
- Data accuracy and security.
- Data Protection Impact Assessments (DPIAs).
- Privacy by design and default.
- Controller–Processor contracts (Article 28).
- Data subject rights enablement.
Does GDPR apply to a deceased person?
The General Data Protection Regulation (GDPR) does not apply to the personal data of deceased persons.
Does UK GDPR apply to US companies?
GDPR Compliance Challenges for US Companies. The General Data Protection Regulation (GDPR) has far-reaching implications for companies operating in the European Union (EU). However, US companies are also subject to the GDPR's requirements, even if they are not specifically targeting EU or UK customers.
Who is required to be GDPR compliant?
While the GDPR is an EU law, it applies to any company that makes its website or services available to EU citizens, including US companies.
Does GDPR apply to small businesses?
Yes, small businesses must adhere to the data protection principles, which include the same eight rights that apply to large businesses.
Is email consent allowed by GDPR?
GDPR Email Marketing
Processing is only allowed by the General Data Protection Regulation (GDPR) if either the data subject has consented, or there is another legal basis. This could be, for example, preserving the legitimate interest of the controller to send e-mail marketing.
What are the eight principles of GDPR?
- Lawfulness, fairness, and transparency;
- Purpose limitation;
- Data minimisation;
- Accuracy;
- Storage limitation;
- Integrity and confidentiality; and
- Accountability.
These principles are found right at the outset of the GDPR, and inform and permeate all other provisions of that legislation.
What are the basic GDPR rules?
Anyone responsible for using personal data must make sure the information is:
- used fairly, lawfully and transparently.
- used for specified, explicit purposes.
- used in a way that is adequate, relevant and limited to only what is necessary.
- accurate and, where necessary, kept up to date.
- kept for no longer than is necessary.
Does the DPA apply to all organizations?
Any business that collects personal data and uses third-party services to process that information needs a data protection agreement (DPA).
What are the 7 golden rules of data protection?
The principles are: Lawfulness, Fairness, and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitations; Integrity and Confidentiality; and Accountability.
What is considered non-personal data?
Non-personally identifiable information (non-PII) is data that cannot be used on its own to trace or identify a person. Examples of non-PII include, but are not limited to: aggregated statistics on the use of a product/service; partially or fully masked IP addresses.
What is Article 23 of the GDPR?
(h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction; (i) the protection of the data subject or the rights and freedoms of others; (j) the enforcement of civil law claims.
Does GDPR apply to private individuals?
Any entity that does so is required to comply with the GDPR, regardless of whether it's a business, organization, or individual. However, according to Article 2 of the GDPR, the GDPR does not apply to individuals if they collect personal information as a “purely personal or household activity.”