ANSWER

Under Article 3(1) GDPR, its provisions apply to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union.

This means that if an entity (company) has its establishment in the Union — in Poland — and processes personal data of natural persons (regardless of their citizenship — they may be Union citizens or US citizens), it will be treated as a data controller and the GDPR will apply to it. Furthermore, if the entity employs workers in Poland, it will also be treated as a data controller not only in respect of its clients (natural persons) but also its own employees.

According to Recital 14 of the GDPR, the protection afforded by its provisions should apply to natural persons — regardless of their nationality or place of residence — in relation to the processing of their personal data. The Regulation does not apply to the processing of personal data concerning legal persons, in particular undertakings established as legal persons, including the name and legal form of the company and contact details of the legal person. Accordingly, in the situation described, the GDPR will apply — the entity in question will be a data controller within the meaning of Article 4(7) GDPR.