Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run an Australian business, it’s easy to assume the General Data Protection Regulation (GDPR) is “a European thing” that doesn’t affect you.
But if you sell to customers overseas, run online marketing campaigns, offer a SaaS product, or use tools that track user behaviour, GDPR can become relevant more often than people expect.
This guide answers a common question from founders and small business owners: who does GDPR apply to, and what should you do if it applies to your business (even partly)?
We’ll keep things practical, avoid heavy legal jargon, and focus on what matters for Australian startups: where GDPR can bite, what the main obligations look like, and how GDPR overlaps with Australia’s own privacy compliance.
This article is general information only and isn’t legal advice. Whether GDPR applies depends on your specific facts (including whether you’re targeting or monitoring people in the EU).
What Is GDPR (And Why Does It Matter In Australia)?
GDPR is the European Union’s privacy law. It sets rules for how organisations collect, use, store and share personal data (information that can identify an individual).
GDPR matters in Australia because it can apply extraterritorially - meaning it can apply to businesses outside the EU if their activities have a sufficient connection to people in the EU.
For Australian businesses, GDPR usually becomes relevant when you:
- sell goods or services to customers in the EU (even if you have no offices there);
- market to people in the EU (including targeted ads); or
- track or profile people in the EU (for example, via analytics, cookies, or behavioural advertising).
GDPR doesn’t replace your Australian obligations. If you handle personal information in Australia, you may still need to comply with Australian privacy rules and have appropriate policies in place - including a Privacy Policy if you collect personal information online.
Who Does GDPR Apply To? The Core Test (In Plain English)
When business owners ask who GDPR applies to, the short answer is: GDPR applies to certain organisations that process personal data where there is a meaningful EU connection.
In practical terms, GDPR can apply to you if:
- you are established in the EU (for example, you have an office, branch, or stable operations there); or
- you are outside the EU but target people in the EU (offering goods/services) or monitor their behaviour.
Most Australian small businesses won’t be “established in the EU”. The more common risk area is the second limb: offering goods or services to people in the EU or monitoring people in the EU.
GDPR Applies If You “Offer Goods Or Services” To People In The EU
You don’t need to be charging in euros or physically shipping to Europe for GDPR to become relevant. What matters is whether your business is directing goods or services to people in the EU.
Signs you may be offering to EU individuals include:
- your website or onboarding flow specifically targets EU countries (for example, “Now available in Germany and France”);
- you run EU-targeted paid ads, SEO campaigns, or social campaigns;
- you provide EU shipping options, EU-specific pricing, or EU languages; or
- you have EU customers and actively serve them as part of your business model.
If your SaaS product has EU customers (even a handful), it’s worth taking GDPR seriously - especially as you scale, raise funds, or enter enterprise procurement processes where GDPR compliance is a standard checkbox.
GDPR Applies If You “Monitor Behaviour” Of People In The EU
GDPR can also apply where you monitor people in the EU. This is where many online businesses get caught out, because “monitoring” can include common practices like:
- cookie-based tracking for analytics;
- behavioural advertising and retargeting;
- profiling users to predict preferences or buying behaviour; and
- tracking across devices or sessions to build user profiles.
This doesn’t mean every website with an analytics tool automatically must comply with GDPR. The key question is whether you are monitoring behaviour of people in the EU in a way that relates to them as identifiable individuals, and whether your activities show an intention to target EU users.
As a practical risk-management approach, if your business is actively seeking EU users (or you have a meaningful EU user base), you should assume GDPR might apply and build your privacy compliance accordingly.
Does GDPR Apply To Australian Businesses With A Website Or Online Store?
Sometimes yes - but not always.
Having a website that can be accessed from Europe does not, on its own, mean GDPR applies. The GDPR focus is on targeting or monitoring individuals in the EU, not simple global availability.
That said, many Australian businesses do more than just “have a website”. You might:
- sell subscriptions online;
- collect email addresses through lead forms;
- run remarketing ads;
- use heatmaps, session recordings, or advanced analytics tools; or
- ship products internationally.
These activities can increase the chance GDPR applies - particularly if you’re attracting EU customers or intentionally marketing to them.
A Quick Practical Checklist: Are You Likely In GDPR Territory?
You may be within GDPR scope if you can answer “yes” to any of the following:
- Do you have customers based in the EU (B2C or B2B) whom you actively service?
- Do you run advertising campaigns targeting EU locations or EU audiences?
- Do you offer EU shipping or EU pricing as a standard option?
- Do you track user behaviour and have a meaningful EU user base (or EU-targeted tracking/ads)?
- Do enterprise customers ask you GDPR questions as part of vendor onboarding?
If you’re not sure, it’s often worth doing a quick privacy “health check” now, rather than scrambling later when a customer or investor asks for proof of compliance.
What Counts As “Personal Data” Under GDPR (And What Australian Startups Commonly Collect)
GDPR is triggered by “personal data”, which is broadly any information relating to an identified or identifiable individual.
For startups and small businesses, personal data commonly includes:
- names, email addresses and phone numbers;
- billing addresses and shipping addresses;
- IP addresses and device identifiers (often captured through analytics and logs);
- account login details;
- customer support messages and tickets; and
- usage data linked to a user profile.
It’s also important to understand that GDPR has extra sensitivity around certain categories of data (often called “special category data”), like health information, biometric data, or data revealing political opinions. If your business touches these areas, you’ll want tailored advice early.
Even if you’re mainly operating in Australia, having clear privacy practices is good business hygiene. Many businesses start by putting proper customer-facing documents in place, such as a Privacy Policy, to clearly explain what you collect and why.
What Are Your Main Obligations If GDPR Applies To You?
GDPR compliance can get detailed quickly, but most small businesses benefit from understanding the core building blocks first. If GDPR applies to you, your obligations often include the following.
1. You Need A Lawful Basis To Process Personal Data
Under GDPR, you generally need a lawful reason to collect and use personal data. Common lawful bases include:
- Consent (for example, marketing opt-ins);
- Contract necessity (processing needed to provide the service the customer signed up for);
- Legal obligation (for example, recordkeeping requirements); and
- Legitimate interests (only where your interests aren’t overridden by the individual’s rights).
In plain terms, GDPR expects you to be able to explain “why are we collecting this, and what gives us the right to use it?”
2. You Need To Be Transparent About What You’re Doing
GDPR expects clear communication about your data practices. This is typically handled through privacy notices and policies, and by ensuring your website and onboarding flows don’t hide the ball.
For many Australian businesses, this overlaps with the practical need to have a clear Privacy Policy and (where relevant) website terms that set expectations about how your platform is used.
3. Individuals Have Specific Rights
GDPR gives individuals rights around their personal data, such as:
- access to their data;
- correction of inaccurate data;
- deletion in certain circumstances (often called the “right to be forgotten”);
- data portability (in some cases); and
- the right to object to certain processing.
The practical takeaway is that you need internal processes to respond to requests in a timely way, and to verify identity so you don’t accidentally hand data to the wrong person.
4. You Need Appropriate Data Security
GDPR requires you to protect personal data with appropriate technical and organisational measures. What’s “appropriate” depends on your size, the sensitivity of the data, and the risk level.
For startups, this often means thinking carefully about:
- access controls and permissions (who can see what);
- security practices for employees and contractors;
- vendor risk (what your software providers do with data); and
- incident response (what happens if you have a breach).
5. You May Need GDPR-Compliant Contracts With Vendors
Many startups rely on third-party tools (hosting, CRM, email marketing platforms, customer support tools). If those vendors process personal data for you, GDPR may require specific contractual protections.
You may also need to consider how privacy responsibilities are allocated internally (for example, between your business and service providers, and within your team) so it’s clear who handles requests, incidents and compliance tasks.
GDPR Vs Australian Privacy Law: Do You Need Both?
In many cases, yes - because GDPR and Australian privacy law can apply at the same time.
Australian privacy compliance usually centres around the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Whether you fall under the Privacy Act depends on factors like your annual turnover and what kind of data you handle.
But even if you’re not strictly covered by the Privacy Act (for example, you’re a small business under a turnover threshold), you might still choose to adopt privacy best practices because:
- customers expect it (especially in tech and ecommerce);
- enterprise clients often require it as part of procurement;
- it reduces reputational risk; and
- it makes expansion easier if you later enter regulated markets.
Also, GDPR compliance can indirectly help you lift your overall privacy posture. If you design your data handling practices to a higher standard, you often reduce risk across the board.
As part of a strong compliance foundation, it’s common for businesses to align their customer-facing terms and policies. For example, if you sell online, having clear e-commerce terms and conditions can help set expectations around orders, refunds, delivery, and account rules (which often connect back to how you communicate data practices too).
What Legal Documents And Practical Steps Should You Put In Place?
If GDPR might apply to your business, you don’t need to panic - but you do want to be deliberate. The goal is to build a privacy and data compliance baseline that matches your business model, your customer base, and your growth plans.
Here are common documents and steps that are often relevant for Australian businesses operating online or selling globally.
Key Documents To Consider
- Privacy Policy: sets out what personal information you collect, how you use it, who you share it with, and how people can contact you about privacy issues. A tailored Privacy Policy is a strong starting point for most businesses.
- Website Terms: clarifies rules for using your website or platform (accounts, acceptable use, disclaimers, IP ownership, and limitations). Many businesses use Website Terms and Conditions to reduce disputes and set clear expectations.
- Ecommerce Terms: if you sell products or subscriptions online, you’ll usually want tailored e-commerce terms and conditions that reflect your fulfilment model and customer journey.
- Employment Contracts And Policies: if you have staff handling personal data (customer support, marketing, sales), your internal documents matter too - including an Employment Contract and training around confidentiality and security practices.
- Data Breach Response Plan: helps you respond quickly and consistently if something goes wrong (who investigates, who communicates, and what steps are taken). For some businesses, a data breach response plan is essential for operational readiness.
Practical Steps That Make A Big Difference
Even before you get into the finer details of GDPR compliance, these practical actions often deliver the biggest risk reduction:
- Map your data: identify what personal data you collect, where it is stored, and who has access.
- Minimise collection: only collect what you genuinely need for your business operations.
- Review your marketing opt-ins: especially where you have EU subscribers or EU-facing campaigns.
- Check your vendor list: understand which software providers process personal data on your behalf.
- Put a process in place for privacy requests: so you can respond efficiently if someone asks for access or deletion.
If you’re building a product that you expect to scale internationally, it’s worth setting up privacy compliance early. It’s much easier to build good systems from day one than to retrofit them after you’ve accumulated years of data, multiple tools, and legacy processes.
Key Takeaways
- Who does GDPR apply to? It can apply to Australian businesses if they offer goods or services to people in the EU, or monitor the behaviour of people in the EU.
- Having a website that can be viewed in Europe doesn’t automatically trigger GDPR - the key is whether you’re targeting EU users or monitoring EU individuals’ behaviour.
- GDPR focuses on personal data and transparency - you need to understand what you collect, why you collect it, and how you protect it.
- Many businesses may need to comply with GDPR and Australian privacy requirements at the same time, especially if they operate online or scale internationally.
- Practical foundations like a Privacy Policy, clear website/ecommerce terms, internal processes, and a breach response plan can significantly reduce risk and help you scale with confidence.
If you’d like help with GDPR and privacy compliance for your business, contact Sprintlaw at 1800 730 617 or team@sprintlaw.com.au.







