Introduction

Since then, GDPR compliance GDPR become an essential issue for both public and private entities. However, one question keeps coming up: who is affected by the GDPR Many still believe that only large companies are targeted. In reality, all companies, as well as associations and public bodies, may be affected if they process personal data.

The General Data Protection Regulation (GDPR), which came into force in May 2018, has profoundly changed the legal framework applicable to personal data protection in Europe. Adopted to harmonize rules within the European Union and strengthen personal data protection requirements in the face of increasing digitization of activities, it aims to make organizations that collect and use data more accountable.

In reality, the scope of GDPR much broader. Any organization that processes personal data, whether it be clients, employees, prospects, or members, may be affected, regardless of its size, revenue, or industry.

Understanding whether your company or organization is affected by the GDPR therefore the first essential step in assessing your obligations and implementing appropriate compliance measures.

1. GDPR compliance only GDPR large companies?

No. The GDPR only apply to large companies or international groups.

The main criterion is not the size of the organization, but the fact that it processes personal data. In other words, in order to understand who is affected by the GDPR, it is essential to understand what personal data is.

What is personal data?

Personal data refers to any information that can be used to identify, directly or indirectly, a natural person. This may include a first name, last name, email address, phone number, IP address, social security number, photograph, or information about their place of residence.

Even a set of combined data can be used to identify a person and therefore constitute personal data within the meaning of GDPR.

Therefore, as soon as an organization collects, records, stores, or uses this type of information, it falls within the scope of the GDPR, even if it only has a few employees or a limited number of clients.

In other words, a VSB, a freelancer, or an association that collects personal data is subject to the GDPR, just like a large corporation.

2. Who monitors compliance with GDPR France?

In France, compliance with GDPR monitored by the Commission nationale de l’informatique et des libertés (CNIL (National Commission for Information Technology and Civil Liberties)), the independent administrative authority responsible for ensuring the protection of personal data.

The CNIL (National Commission for Information Technology and Civil Liberties)assists organizations in achieving compliance, publishes recommendations, and monitors legal developments. It also has the power to conduct inspections and impose penalties.

The role of the CNIL (National Commission for Information Technology and Civil Liberties)

In particular, it may carry out on-site or online checks, consult internal documents, and verify any data processing operations carried out by the organization.

Therefore, any organization affected by GDPR compliance GDPR be able to demonstrate its compliance in the event of an audit.

3. What is the territorial scope of application of GDPR

The GDPR apply solely on the basis of a company's location. Its territorial scope is based on two main criteria: the place of establishment and the location of the data subjects.

Can a company located outside the European Union be subject to data protection?

Yes. A company established outside the European Union (for example, in the United States, Canada, or Australia) is subject to GDPR it:

• Offers goods or services to persons located in the European Union;
• Or tracks the behavior of people located in the EU.

What matters, therefore, is not the nationality of the company, but the fact that it targets or analyzes individuals located within European territory.

Example: An American company that sells products in France, displays its prices in euros, and delivers to Europe must comply with the GDPR the data of its clients .

Similarly, an American company using tracking tools to analyze the behavior of internet users located in Germany or Spain falls within the scope of the GDPR.

In some cases, these companies must also appoint a representative within the European Union.

Is a French company subject to GDPR it processes personal data belonging to clients outside the European Union?

Yes. When a company is established in a European Union member state, the GDPR to all of its data processing activities, even if the data subjects are located outside the EU.

In other words, a French company that processes data from clients , American, or Asian clients remains subject to GDPR long as the processing is carried out as part of its activities in France.

This criterion is based on the location of the data controller's establishment, not on the nationality of clients

Who is affected by the GDPR Key points to remember

The GDPR individuals located in the European Union and applies:

• To companies established in the EU, for all their processing operations;
• To companies located outside the EU that target or track individuals in the EU.

The territorial scope of GDPR therefore deliberately broad in order to ensure a high level of personal data protection.

4. Are there any exceptions to the application of GDPR

Yes, but they are limited.

The GDPR apply to data processing carried out in the context of strictly personal or domestic activities. This is referred to as the "domestic exception."

This means that the regulation does not apply to activities carried out by a natural person for exclusively private use, without any connection to a professional or commercial activity.

Examples of activities not subject to GDPR

• A personal address book
• Managing contacts within a family or social circle
• Sending invitations to a private event
• Storage of photos for strictly personal use

In these cases, there is no obligation under the GDPR, as the activity does not fall within a professional or institutional framework.

5. GDPR the GDPR to the B2B sector?

Yes. The GDPR also GDPR in the B2B (business-to-business) sector.

A common misconception is that the GDPR applies to consumer relationships (B2C). However, the regulation protects individuals, not companies as such.

In other words, as soon as data can be used to identify a natural person, even in a professional context, it is considered personal data within the meaning of GDPR.

Professional data is often personal data.

In the B2B sector, companies handle personal data on a daily basis, such as:

• A professional email address with your name (e.g prenom.nom@entreprise.fr)
• A direct phone number
• An email signature containing a name and job title
• Contact details stored in a CRM system
• LinkedIn profiles used for prospecting purposes

Even if this data is used in a professional context, it can be used to identify a natural person. It therefore falls fully within the scope of the GDPR.

However, a generic address such as contact@entreprise.fr or info@societe.com, which does not identify a specific person, is not in itself personal data.

In practice, the GDPR omnipresent in B2B.

Sales prospecting, partner management, suppliers, processors, contractual exchanges... The processing of personal data is omnipresent in inter-company relations.

Thus, a company operating exclusively in B2B remains subject to the GDPR it processes identifying data relating to natural persons.

6. How do I know if my organization is affected by the GDPR

Once you understand that the GDPR individuals, including in a professional context (B2B), the question to ask becomes simple:

Do I collect, use, store, or transmit information that could identify a natural person?

If the answer is yes, whether they are clients, prospects, employees, partners, suppliers, or professional contacts, then your organization is affected by the GDPR.

It doesn't matter:

• Your revenue
• The number of employees
• Whether you work in B2B or B2C
• Or whether your business is small-scale

What triggers the application of GDPR is the existence of personal data processing.

In practice, as soon as you have a client file, a prospecting tool, or a CRM system,

• From a database of professional contacts
• From a website with a form

You fall within the scope of the GDPR.

7. What are the GDPR obligations for the organizations concerned?

Being affected by the GDPR just mean "being aware" of the regulation. It involves implementing concrete measures to regulate the processing of personal data.

The following are the main obligations applicable to organizations:

Keep a record of processing activities

You must identify all data processing activities carried out within your organization: clients management, sales prospecting, employee management, recruitment, supplier management, etc.

This register allows you to map the data collected, its Purpose, its Data retention period Data retention the data security measures put in place, etc.

Inform the persons concerned

Anyone whose data you collect must be informed in a clear and transparent manner:

• Why is this data collected?
• On what legal basis?
• How long will they be kept?
• To whom can they be transmitted?
• What are his rights?
• etc.

This includes having an up-to-date privacy policy and information notices on your forms.

Respecting people's rights

Individuals have several rights:

• Right to access and copy their data
• Right of rectification
• Right to erasure
• Right to object
• Right to portability

Your organization must be able to respond to these requests within the legal time limits.

Implement appropriate safety measures

The GDPR data to be protected against:

• Unauthorized access
• The loss
• The destruction
• Accidental disclosure

This may involve secure passwords, access control, data encryption, regular backups, staff awareness, etc. The level of security must be proportionate to the risks.

Overseeing relationships with processors

If you work with service providers (hosting providers, SaaS software, accountants, marketing agencies, etc.), you must ensure that they also comply with the GDPR.

This involves signing a specific contract in accordance with Article 28 of GDPR known as a DPA – Data Processing Agreement).

Document and demonstrate compliance

The GDPR on the principle of accountability: you must be able to prove your compliance.

In practical terms, this means documenting your practices as thoroughly as possible in order to demonstrate that you have taken the necessary steps to reduce the risk of non-compliance with GDPR drafting internal policies, providing evidence of training and awareness-raising among your teams regarding GDPR, etc.).

These obligations may be subject to monitoring by the relevant supervisory authority, such as the CNIL (National Commission for Information Technology and Civil Liberties) France.

Conclusion: GDPR everyone

In summary, the GDPR any organization that processes personal data, regardless of its size, status, or country of operation.

Whether you are a small business, an association, a freelancer, or a large corporation, you are likely affected if you collect information about clients, employees, prospects, or partners.

So the real question is not: "Am I affected by the GDPR "

But rather:

“How can I implement compliance measures tailored to my organization?”

However, compliance can quickly become complex: analyzing processing operations, drafting documents, supervising processors, managing requests from data subjects, monitoring legal developments, etc. It is often difficult to structure a compliant and sustainable approach on your own without dedicated expertise.

That's why at Dipeeo, we support organizations every step of the way, with a dedicated lawyer and a collaborative platform, to transform GDPR obligations GDPR concrete, manageable actions.

Would you like to know if your organization is compliant or receive personalized support?
Make an appointment with our experts to assess your situation.