Does GDPR Apply to Your Business? [2026 Guide]
Free applicability checker with statutory citations — covers GDPR scope, obligations, and penalties.
About GDPR
The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law. It entered into force on 25 May 2018 and is widely considered the most comprehensive privacy regulation in the world.
Extraterritorial scope: GDPR does not only apply to organisations established in the EU. Under Article 3(2), it applies to any organisation — regardless of where it is based — that processes personal data of individuals who are in the EU/EEA, where the processing relates to: (a) offering goods or services to those individuals, or (b) monitoring their behaviour within the EU/EEA.
This means a US company, an Australian startup, or a Canadian SaaS business that has EU customers, runs EU-targeted advertising, or uses analytics tools that track EU website visitors may be subject to GDPR obligations in full.
Key principles: GDPR is built on seven principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability (Art. 5 GDPR). Every processing activity must be grounded in a lawful basis under Art. 6.
Key obligations under GDPR
Frequently asked questions
Does GDPR apply to US companies?
Yes, if a US company offers goods or services to individuals in the EU/EEA, or monitors the behaviour of individuals in the EU/EEA, GDPR applies in full. This includes running EU-targeted ads, having a website accessible to EU visitors, or processing EU customer data. The lawfulness of the processing, data subject rights, and breach notification obligations all apply.
Does GDPR apply to Australian businesses?
Yes. GDPR applies to any organisation globally that processes personal data of EU/EEA individuals in connection with offering goods or services or monitoring behaviour. An Australian business with EU customers, EU website visitors it tracks via cookies, or EU users of its platform is subject to GDPR. Australia has its own Privacy Act 1988 as well, which may apply separately.
Does GDPR apply to Canadian businesses?
Yes. Canadian businesses that serve EU individuals or monitor EU individuals' behaviour online fall within GDPR's extraterritorial scope under Art. 3(2). They are also subject to Canada's own PIPEDA and, if they have Quebec users, Quebec Law 25.
Does GDPR apply to non-profits?
Yes. GDPR applies to non-profit organisations and charities that process personal data of EU individuals. Unlike the CCPA, which does not apply to non-profits, GDPR makes no such exemption. Legitimate interests (Art. 6(1)(f)) and consent are typically the most relevant lawful bases for non-profits.
Does GDPR apply if I only have a few EU customers?
There is no de minimis threshold in GDPR. If you intentionally offer goods or services to EU individuals (even one customer), or if you monitor EU individuals' behaviour, GDPR applies. However, regulators tend to focus enforcement on organisations with larger-scale EU processing.
What is the GDPR extraterritorial scope?
Art. 3(2) GDPR extends GDPR's reach beyond the EU to any controller or processor established outside the EU that processes personal data of data subjects in the EU in connection with: (a) the offering of goods or services to EU data subjects (regardless of whether payment is required), or (b) the monitoring of their behaviour that takes place within the EU. Art. 27 GDPR requires non-EU controllers and processors subject to GDPR to appoint an EU representative.