Who has to be GDPR compliant?

Asked by: Gregorio Hermiston Sr.  |  Last update: May 28, 2026

GDPR (General Data Protection Regulation) applies to any organization (EU or non-EU) that processes personal data of individuals within the EU/EEA, whether by having an EU presence, offering goods/services (free or paid) to them, or monitoring their behavior (like website tracking). This includes businesses of any size, non-profits, and even individuals, if they fit the criteria, covering data controllers (deciding why data is processed) and processors (acting on behalf of controllers).

Who is required to be GDPR compliant?

While the GDPR is an EU law, it applies to any company that makes its website or services available to EU citizens, including US companies.

Who is exempt from GDPR?

Some of the most common exemptions include businesses that do not process personal data of living persons, businesses that have no connection with the European Union, derogations for businesses with fewer than 250 employees, and data processing carried out primarily for personal or household activities.

Does GDPR apply to US citizens?

Yes. GDPR applies to U.S. citizens if they are physically located in the European Economic Area (EEA) when their data is processed, regardless of nationality; citizenship does not matter, only location. Tourists, students, and residents in the EU are protected, while U.S. citizens in the U.S. are not. The regulation's scope is territorial, so if a U.S. citizen visits the EU and uses an app or buys something, GDPR rules apply to that data processing.

Do I need to be GDPR compliant?

The GDPR states that any entity which collects or processes the personal data of residents of the EU must comply with the regulations set forth by the GDPR.

Do small businesses have to comply with GDPR?

Small websites must comply with GDPR if they collect or process the personal data of individuals in the EU. Compliance is based on the nature of data processing activities rather than the size of the website or organization.

Is the GDPR mandatory?

Yes, GDPR is mandatory for all companies that process personal data of individuals residing in the European Union (EU). It applies to both EU-based organizations and non-EU companies that offer goods or services to EU residents or monitor their behavior.

What is the closest law to GDPR in the USA?

The US equivalent of the GDPR is the CCPA or California Consumer Privacy Act. It was inspired by the GDPR, and both laws protect the personal data of consumers.

Who does the GDPR not apply to?

Some of the key exemptions from GDPR compliance include personal or household activities, government agencies and law enforcement, and the processing of personal data by Member States.

What is GDPR compliance in the USA?

For U.S. businesses, achieving GDPR compliance involves meeting several key requirements, starting with the data protection principles: adhering to lawfulness, fairness, transparency, data minimization, accuracy, storage limitation, and integrity and confidentiality.

What countries require GDPR?

European Union (EU) member states covered by GDPR

  • Austria.
  • Belgium.
  • Bulgaria.
  • Croatia.
  • Cyprus.
  • Czech Republic.
  • Denmark.
  • Estonia.

How to explain GDPR in simple terms?

GDPR is an EU law with mandatory rules for how organisations and companies must use personal data in an integrity-friendly way. Personal data means any information which, directly or indirectly, could identify a living person. Name, phone number, and address are textbook examples of personal data.

What are the 6 legal bases of GDPR?

Article 6 of the General Data Protection Regulation (GDPR) sets out what these potential legal bases are, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.

What are the 7 principles of GDPR compliance?

  • Lawfulness, fairness, and transparency;
  • Purpose limitation;
  • Data minimisation;
  • Accuracy;
  • Storage limitation;
  • Integrity and confidentiality; and
  • Accountability.

These principles are found right at the outset of the GDPR, and inform and permeate all other provisions of that legislation.

Which countries are not GDPR compliant?

The following European countries have not adopted the GDPR:

  • Albania.
  • Belarus.
  • Bosnia and Herzegovina.
  • Croatia.
  • Kosovo.
  • Moldova.
  • Montenegro.
  • North Macedonia.

What are the 10 key requirements of GDPR?

10 key GDPR requirements:

  • Lawful, fair, and transparent processing. ...
  • Purpose, data, and storage limitation. ...
  • Data accuracy and security. ...
  • Data Protection Impact Assessments (DPIAs) ...
  • Privacy by design and default. ...
  • Controller–Processor contracts (Article 28) ...
  • Data subject rights enablement.

Does GDPR apply to everyone?

Yes, individuals can be subject to the GDPR, if their data processing is beyond the scope of “purely personal or household activity” as defined in Article 2 of the GDPR.

Who must comply with GDPR requirements?

GDPR compliance requirements apply to companies and businesses that collect or process EU-originating personal data while offering goods or services to the data subject or monitoring their digital behavior – regardless of whether that data processing takes place within the EU.

What is considered non-personal data?

Non-personally identifiable information (non-PII) is data that cannot be used on its own to trace or identify a person. Examples of non-PII include, but are not limited to, aggregated statistics on the use of a product or service, and partially or fully masked IP addresses.

What are the 4 types of data privacy?

The document outlines four types of privacy: physical privacy, which protects against physical harm; territorial privacy, which involves setting boundaries to control access to a locality; communication privacy, which maintains the security of personal data during exchanges; and informational privacy, which focuses on ...

Do US companies have to abide by GDPR?

The General Data Protection Regulation (GDPR) has far-reaching implications for companies operating in the European Union (EU). However, US companies are also subject to the GDPR's requirements, even if they are not specifically targeting EU or UK customers.

What are the 7 regulations of GDPR?

The 7 core principles of GDPR (General Data Protection Regulation) are: Lawfulness, Fairness, and Transparency (process data legally and openly); Purpose Limitation (use data only for specified reasons); Data Minimisation (collect only necessary data); Accuracy (keep data correct and up-to-date); Storage Limitation (don't keep data longer than needed); Integrity and Confidentiality (secure the data); and Accountability (be responsible for compliance). These principles guide how organizations must handle personal data, focusing on protecting individuals' privacy rights.

When did GDPR become mandatory?

The European Parliament and Council of the European Union adopted the GDPR on 14 April 2016, to become effective on 25 May 2018. As an EU regulation (instead of a directive), the GDPR has direct legal effect and does not require transposition into national law.

What happens if you are not GDPR compliant?

Art. 83(4) GDPR sets forth fines of up to 10 million euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher. Especially important here is that the term “undertaking” is equivalent to that used in Art.