When does the GDPR not apply? 

The General Data Protection Regulation does not apply in five cases:

• Processing carried out in activities not included in the scope of application of European Union law. 
• Processing carried out by the member states within the scope of foreign policy and common security.
• Processing carried out by a person in exclusively personal or domestic activities. 
• Processing carried out by the competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal sanctions, including protection against threats to public security and the prevention thereof.
• Processing relating to deceased persons