The GDPR applies to organisations engaged in professional or commercial activity (purely personal or household activity is out of scope) that are established in the EU, and to organisations outside the EU that collect or process personal data of data subjects in the EU in order to:
(i) offer goods or services to them (irrespective of whether payment is required)
(ii) monitor their behaviour, as far as that behaviour takes place in the EU
The GDPR distinguishes two roles an organisation can have:
(1) Controllers: these are natural or legal persons, public authorities, agencies or other bodies which, alone or jointly with others, determine the purposes and means of the processing of personal data
(2) Processors: natural or legal persons, public authorities, agencies or other bodies which process personal data on behalf of a controller
Data subjects (DS) exercise their rights against the controller. Processors carry fewer GDPR obligations than controllers: they do not answer Data Subject Requests (DSRs) themselves, but they must assist the controller in responding to them, and they must have appropriate technical and organisational measures in place so that their processing is GDPR compliant. They may not process the personal data in any way that goes beyond the documented instructions laid down in the contract with the controller, and they may not engage a sub-processor without the controller's authorisation. In the case of a personal data breach they also have obligations of their own, in particular to notify the controller without undue delay after becoming aware of it.