ABSTRACT
When dealing with data processing activities, the first question is of course whether the General Data Protection Regulation applies. To answer this question, five concrete steps should be taken. If all five criteria are met, the GDPR applies. If one or more of the criteria are not fulfilled, the GDPR does not apply. These five steps are:
When personal data
are processed,
the EU has regulatory competence,
and no exception applies,
the GDPR applies to the data controller and, where relevant, the data processor
