The GDPR applies to all economic and social actors offering goods and services on the European Union market as long as their activity deals with personal data relating to EU citizens.
Companies established in the EU
Any company carrying out a business activity open to individuals in the EU is obviously affected (for example, through the customer records in its CRM).
A football club, for which data is not the core business, will still have to comply with the GDPR. For example, PSG will need to comply with regard to the data it collects from Neymar Jr.
Associations and public bodies active in the EU
Associations recognized as being of public interest (Croix-Rouge, Handicap International, Médecins Sans Frontières...) are affected by the GDPR, as are consumer protection associations (UFC-Que Choisir) and sports associations.
Public bodies such as the employment center, the CNED or the CNIL are also affected by the GDPR.
Companies not based in Europe but handling data from EU citizens
An American software publisher (such as Salesforce) that processes data from a company based in Europe will also have to comply with the GDPR.
For example:
- The San Antonio Spurs are affected by the GDPR since they count the French basketball player Tony Parker in their ranks.
- The producers of the hit series Game of Thrones will also be subject to this regulation if they continue to shoot in Europe in 2018 with extras from the EU.
Companies that make most of their turnover on the internet are also affected if they have customers from the EU: Amazon, Facebook, Google, Apple...
If a company (controller) uses a subcontractor (processor), it must ensure that the subcontractor will be able to comply with the GDPR, wherever in the world the subcontractor is located.
The GDPR therefore has an international scope. Thus, the only companies not affected by this regulation are those based outside the EU that do not handle any data relating to a European citizen (few companies in the world...!).