Which statement correctly matches GDPR's scope?

• A. It applies only to data processed by private companies.
• B. It applies exclusively within the borders of Germany.
• C. It sets guidelines for the collection and processing of personal information from individuals in the EU.
• D. It relates only to marketing communications.

Answer: (C)

GDPR’s scope centers on protecting the personal data of individuals located in the European Union, and it applies regardless of where the processing takes place. It also reaches outside the EU when a organization outside the union processes EU residents’ data in connection with offering goods or services to them or monitoring their behavior within the EU. So the statement that GDPR sets guidelines for the collection and processing of personal information from individuals in the EU correctly captures its reach. It’s not limited to private companies, nor confined to Germany, and it covers more than just marketing communications. The rules matter for any entity that handles EU residents’ personal data, with potential extra-territorial application.