When do you have the obligation to apply the GDPR?

Check in which cases you must comply with the General Data Protection Regulation (GDPR), depending on the type of data processing you carry out and the territorial scope of the individuals concerned.


The data protection regulations apply to fully or partially automated processing of personal data, as well as non-automated processing of personal data contained in a file or intended to be included in a file.

The regulation applies to entities established in the European Union (EU) that process personal data, either as a data controller or processor, regardless of whether the processing takes place in the EU.

However, it also applies to entities established outside the EU that process personal data of EU residents, when the processing activities are related to:

  • The offer of goods or services to these residents in the EU, whether they are paid for or not.
  • The control of the behaviour of these residents in the EU, to the extent that it takes place in the EU. 

The General Data Protection Regulation does not apply in five cases:

  • Processing carried out in activities not included in the scope of application of European Union law. 
  • Processing carried out by the member states within the scope of foreign policy and common security.
  • Processing carried out by a person in exclusively personal or domestic activities. 
  • Processing carried out by the competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal sanctions, including protection against threats to public security and the prevention thereof.
  • Processing relating to deceased persons.

Last update: 15.01.2026