The GDPR’s material scope covers the processing of all personal data, that is, data relating to an identified or identifiable person. The territorial scope covers all processing carried out in the context of the activities of an EU-established controller or processor, irrespective of whether the processing itself takes place in the Union. When the controller or the processor is located outside the EU but offers goods or services to, or monitors the behaviour of, data subjects in the Union, the GDPR is applicable.
In summary, a company must comply with the GDPR if it processes personal data and:
- Has a presence in the EU; or
- Has no presence in the EU but processes personal data of data subjects located in the EU.
With regard to size, a company should comply with the GDPR if it:
- Has more than 250 employees; or
- Has fewer than 250 employees, but the processing it does impacts the rights and freedoms of data subjects, is not occasional or includes sensitive data.
With regard to sector, a company should comply with the GDPR:
- Regardless of sector;
- This includes companies, manufacturers or legal manufacturers from a multitude of sectors (medical devices, in-vitro diagnostics, cosmetics, machinery, toys, automotive, pressure – just to name a few).