GDPR applies to data controllers (marketing entities), data processors (organizations that process data on behalf of data controllers, for example, cloud service providers), or the data subjects (customers) based in the EU. GDPR also applies to organizations based outside the EU if they collect or process personal data of EU residents.