The General Data Protection Regulation (GDPR) applies to all organizations based in the EU that process personal data by automated means. Organizations outside the EU must also comply with the GDPR if they have a branch in the EU or process data of EU citizens.