The GDPR applies to:
– a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
– a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.
If your company is a small or medium-sized enterprise (SME) that processes personal data as described above, you have to comply with the GDPR. However, if processing personal data isn’t a core part of your business and your activity doesn’t create risks for individuals, then some obligations of the GDPR will not apply to you, for example the appointment of a Data Protection Officer (DPO). Note that ‘core activities’ should include activities where the processing of data forms an inextricable part of the controller’s or processor’s activities. Provided your company does not specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.