1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
2. This Regulation does not apply to the processing of personal data:
in the course of an activity which falls outside the scope of Union law;
by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
by a natural person in the course of a purely personal or household activity;
by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
3. For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.
4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.
The GDPR covers the processing of personal data by automated means. This means the GDPR covers any decision-making without human involvement if it processes personal data. If the processing of personal data is done partly by automated means, then this is also covered by the GDPR.
If personal data form part of a filing system or is intended to be, then this processing is also covered by the GDPR. This is true regardless of whether the processing is done by automated means.
A filing system could be your email inbox since your emails or a paper archive with, e.g., employment contracts.
If a processing activity falls outside the scope of EU law, then the GDPR does not cover this processing of personal data. Processing activities carried out by individuals, and companies will primarily be within EU law.
If the processing of personal data done by an individual (natural person) is personal or regards its household, then it is not covered by the GDPR.
Organisations, companies, government bodies, etc., will process personal data and therefore be covered by the GDPR.
The GDPR covers anyone having employees or freelancers as they process personal data.
The GDPR covers anyone having a website as they process data concerning their visitors.
The GDPR covers anyone having private people as customers as they process their data, e.g. payment information and name.
Learn the basics of GDPR in the course 1-Hour GDPR Introduction: The Basic Facts for Employees.