The GDPR applies:
- To all processing that takes place on behalf of data controllers or processors that are established in the EU – irrespective of whether the actual processing takes place within the EU;
- To the processing of EU residents’ data irrespective of whether the data controllers or processors are within or outside the EU – if the processing activities are related to the offering of goods and services to data subjects in the EU, or the monitoring of the behaviour of data subjects within the EU; and
- Where member state law applies by virtue of public international law.
