If you carry out processing activities with personal data partly or wholly by automated means, or if you otherwise deal with personal data which form (or are intended to form) part of a filing system, and you carry out these processing activities in the context of an establishment of your business within the European Economic Area (EEA), you, as data controller, are subject to the General Data Protection Regulation (GDPR) regardless of whether the processing takes place in the EEA or not.

You might also be subject to the GDPR even if you do not have an establishment within the EEA, if you carry out targeting activities of data subjects who are within the EEA. Targeting activities comprise of the offering of goods or services to data subjects (irrespective of whether a payment of the data subject is required) or the monitoring of their behaviour. For example, a business established in Northern Ireland only and providing cross-border services to job seekers may be offering services to job seekers in the Republic and may therefore be subject to the GDPR.