Who is exempt from GDPR?
Asked by: Nia Bogan | Last update: February 11, 2026 | Score: 4.3/5 (17 votes)
The GDPR does not apply to purely personal or household activities, to processing by competent authorities for the prevention, investigation or prosecution of criminal offences (that is governed by the separate Law Enforcement Directive (EU) 2016/680), to activities outside the scope of EU law such as national security, or to the EU institutions themselves (covered by Regulation (EU) 2018/1725). Data that has been genuinely anonymised is not personal data and so falls outside the Regulation (Recital 26); pseudonymised data is still in scope. Journalistic, academic, artistic and literary processing is not exempt as such: Article 85 leaves it to Member States to legislate exemptions or derogations for those purposes. Small businesses are not exempt either; the only size-based relief is that organisations with fewer than 250 employees need not keep records of processing under Article 30 unless the processing is likely to result in a risk, is not occasional, or involves special categories of data. Organisations outside the EU remain in scope whenever they offer goods or services to, or monitor the behaviour of, people in the EU (Article 3(2)).
Who is not subject to the GDPR?
Article 2(2) lists the processing the GDPR does not cover: activities that fall outside the scope of EU law (national security, for example); activities of Member States under the EU's common foreign and security policy; processing by a natural person in the course of a purely personal or household activity; and processing by competent authorities for the prevention, investigation, detection or prosecution of criminal offences, which is governed instead by the Law Enforcement Directive (EU) 2016/680. Government agencies in general are not exempt: public authorities are fully subject to the GDPR and must, for instance, appoint a data protection officer (Article 37).
Does GDPR apply to US citizens?
Protection under the GDPR does not depend on citizenship. Under Article 3(2), a controller or processor outside the EU is caught when it offers goods or services to, or monitors the behaviour of, people who are in the Union, so a U.S. citizen visiting, studying or working in the EU/EEA is protected exactly like a resident while there. Under Article 3(1), the Regulation also applies to any processing carried out in the context of an establishment in the EU, regardless of where the data subject is located: an EU company still owes GDPR obligations to its customers while they travel in the U.S., and a U.S. citizen who never leaves the U.S. is protected whenever the organisation processing their data is established in the EU. Only the combination of a non-EU organisation and a data subject outside the EU falls outside the Regulation.
Which EU member states are exempt from GDPR?
None. The GDPR is a regulation, directly applicable in all 27 EU Member States without national implementing law, and it has also been incorporated into the EEA Agreement, so Iceland, Liechtenstein and Norway apply it too. Member States may only fine-tune it within the margins the Regulation allows (for example the age of digital consent in Article 8 or the journalism derogations in Article 85). The countries sometimes described as "not having adopted the GDPR", such as Albania, Belarus and Bosnia and Herzegovina, are not EU or EEA members; organisations based there are still subject to the GDPR under Article 3(2) if they target or monitor people in the EU.
Who is exempt from the data protection fee?
The UK data protection fee, paid to the ICO under the Data Protection (Charges and Information) Regulations 2018, is due from every controller unless an exemption applies. You are exempt if you do not process personal data at all, or if you process it only without an automated system such as a computer (paper records only). You are also exempt if you process personal data only for one or more of the following purposes:
- staff administration (including payroll);
- advertising, marketing and public relations for your own business activity;
- accounts and records;
- not-for-profit purposes;
- personal, family or household affairs;
- maintaining a public register;
- judicial functions.
The exemption is lost as soon as you process for any purpose outside that list, and being exempt from the fee does not exempt you from the UK GDPR itself.
How do I know if I need to pay a data protection fee?
The ICO provides a free self-assessment questionnaire on its website to help determine whether your organisation needs to pay the fee. If you do, you register online on the ICO's website and answer questions about your organisation, chiefly its number of staff, its annual turnover and whether it is a public authority or charity; those answers determine which of the three fee tiers applies.
Does every company need a data protection officer?
Do we need to appoint a Data Protection Officer? Under the UK GDPR (Article 37), you must appoint a DPO if:
- you are a public authority or body (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- your core activities consist of large scale processing of special category data or data relating to criminal convictions and offences.
The same three triggers apply under the EU GDPR, and they apply to processors as well as controllers.
Does GDPR apply to everyone?
Yes. Natural persons as well as companies can be controllers. The only carve-out for individuals is Article 2(2)(c), which excludes processing "by a natural person in the course of a purely personal or household activity", such as a private address book or family photos. Once an individual processes personal data for a business, a club, a blog aimed at the public, or a home CCTV camera that also records the public street, that exemption no longer applies.
Which countries require GDPR compliance?
The GDPR applies in all 27 EU Member States:
- Austria.
- Belgium.
- Bulgaria.
- Croatia.
- Cyprus.
- Czech Republic.
- Denmark.
- Estonia.
- Finland.
- France.
- Germany.
- Greece.
- Hungary.
- Ireland.
- Italy.
- Latvia.
- Lithuania.
- Luxembourg.
- Malta.
- Netherlands.
- Poland.
- Portugal.
- Romania.
- Slovakia.
- Slovenia.
- Spain.
- Sweden.
It also applies in the three EEA/EFTA states (Iceland, Liechtenstein and Norway) through the EEA Agreement, and the United Kingdom retained it after Brexit as the UK GDPR. Organisations anywhere else must comply when they target or monitor people in the EU (Article 3(2)).
Can EU data be stored in the US?
Yes. Under the EU-US Data Privacy Framework adequacy decision, adopted by the European Commission on 10 July 2023, personal data can flow from the EU to U.S. organisations that have self-certified to the Framework without any further transfer mechanism. Transfers to U.S. companies that are not certified still need another Chapter V safeguard, most commonly the Standard Contractual Clauses together with a transfer impact assessment. Like Safe Harbor and Privacy Shield before it, the adequacy decision is open to legal challenge, so transfer arrangements that rely on it should have a fallback.
What is GDPR called in the USA?
What is the US equivalent of the GDPR? There is no federal U.S. equivalent. The closest analogue is California's CCPA, as amended by the CPRA, which was influenced by the GDPR and gives California residents rights of access, deletion and opt-out. Several other states (Virginia, Colorado, Connecticut and Utah among them) have since passed their own comprehensive privacy laws, and sector-specific federal laws such as HIPAA (health) and GLBA (financial) cover particular kinds of data. None of these is as broad as the GDPR, which applies to all personal data regardless of sector.
Do American companies need to comply with GDPR?
Even if a US company has no physical presence in the EU, it is subject to the GDPR under Article 3(2) if it offers goods or services to individuals in the EU (whether or not payment is required) or monitors their behaviour, for example through tracking cookies or profiling. Merely running a website that is reachable from the EU is not enough; there must be evidence of targeting, such as an EU language, euro pricing or delivery to EU countries (Recital 23). A company in scope must also designate a representative in the EU (Article 27) unless its processing is occasional, low-risk and does not involve special category data on a large scale.
What are the 7 principles of GDPR?
Article 5 sets out seven principles:
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimisation.
- Accuracy.
- Storage limitation.
- Integrity and confidentiality.
- Accountability.
Which countries do not follow GDPR?
European countries outside the EU and EEA, which have their own data protection laws rather than the GDPR, include:
- Albania.
- Belarus.
- Bosnia and Herzegovina.
- Kosovo.
- Moldova.
- Montenegro.
- North Macedonia.
- Russia.
Organisations in these countries are nonetheless subject to the GDPR under Article 3(2) whenever they offer goods or services to, or monitor, people in the EU.
Are email addresses personal data?
Yes. An email address is personal data under the GDPR whenever it relates to an identified or identifiable natural person, which is the case for a personal address and for a named business address (a hypothetical example would be j.doe@company.example). A generic mailbox such as an info@ address that does not point to a specific person is generally not personal data on its own, although it can become so when combined with other information. "Personally identifiable information (PII)" is the U.S. term used by laws such as the CCPA; the GDPR uses the broader concept of "personal data".
Is GDPR compliance mandatory?
Compliance with the GDPR is mandatory for every organisation in scope. Supervisory authorities can order processing to stop, and administrative fines run up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements (Article 83(5)), and up to EUR 10 million or 2% for others (Article 83(4)).
Which country has the strictest privacy laws?
Which country has the strictest data privacy laws? There is no objective ranking. The EU and EEA GDPR is usually treated as the benchmark because of its broad scope, extraterritorial reach and fine levels. Iceland is often singled out as especially strict; it is an EEA state that applies the GDPR through Act No. 90/2018, which replaced its earlier Data Protection Act of 2000, and it has a reputation for strong protection of online data.
Does GDPR only apply to EU citizens?
No. The GDPR protects anyone who is in the EU when their data is processed, whatever their nationality, and anyone whose data is processed by an organisation established in the EU, wherever they are. It therefore applies to organisations that handle such data whether they are EU-based or not; the reach to non-EU organisations under Article 3(2) is known as its "extra-territorial effect".
What are the 6 legal bases of GDPR?
Article 6 of the General Data Protection Regulation (GDPR) sets out what these potential legal bases are, namely: consent; contract; legal obligation; vital interests; public task; or legitimate interests.
Does GDPR apply to small companies?
Yes, the GDPR applies to all businesses regardless of size. The only size-based relief is in Article 30(5): organisations with fewer than 250 employees need not keep records of processing unless the processing is likely to result in a risk, is not occasional, or involves special category or criminal-offence data. Small businesses must otherwise comply in full, including upholding the eight rights people have over their personal data:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision-making and profiling.
What is GDPR in simple terms?
In simple terms, the GDPR (General Data Protection Regulation) is an EU law that gives people control over their personal data and requires organisations worldwide to handle it lawfully, securely and transparently whenever they process data of people in the EU. It gives individuals rights such as accessing, correcting or deleting their information, requires data protection by design and by default, and is backed by heavy fines for non-compliance.
Is a DPO legally required?
No, not all organizations are legally required to have a DPO. Only in specific cases (outlined in the GDPR) is a DPO legally required. However, even if not mandatory, you may voluntarily appoint a DPO. In fact, we recommend that you do.
What is the fine for not having a data protection officer?
It is not just data breaches or unlawful processing that can lead to fines: failing to appoint a data protection officer where one is required is itself an infringement. Under the UK GDPR, breaches of the DPO obligations (Articles 37 to 39) fall in the lower fine tier, up to £8.7 million or 2% of annual worldwide turnover, whichever is higher; the top tier of £17.5 million or 4% is reserved for breaches of the core principles, data subject rights and international transfer rules.
Does every organization in Europe need a DPO?
Answer. Your company or organisation needs to appoint a DPO, whether it is a controller or a processor, if it is a public authority or body, or if its core activities involve processing of sensitive (special category) data on a large scale, or involve large scale, regular and systematic monitoring of individuals. Organisations that fall outside these cases may still appoint one voluntarily.
Who is exempt from paying the data protection fee?
You don't need to pay a fee if you are processing personal data only for one (or more) of the following purposes:
- Staff administration.
- Advertising, marketing and public relations.
- Accounts and records.
- Not-for-profit purposes.
- Personal, family or household affairs.
- Maintaining a public register.
- Judicial functions.