In what regional scope?

The rule applies to entities established in the European Union (EU) that process personal data, either as a data controller or processor, regardless of whether the processing takes place in the EU.

However, it also applies to entities established outside the EU, when they process personal data of EU residents when the processing activities are related to:

• The offer of goods or services to these residents in the EU, whether they are paid for or not.
• The control of the behaviour of these residents in the EU, to the extent that it takes place in the EU.