Art. 2 GDPR -  Material scope

1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
2. […]

What does that mean? 

The GDPR applies to any processing of personal data: 

• Electronic data processing using computers or other digital devices
  
• Paper filing systems, such as file folders, index cards or address books

The GDPR defines a filing system as "any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis" (GDPR Art. 4 (6)).

Art. 3 GDPR -  Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to
   1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or;
   2. the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. [...]

What does that mean? 

The GDPR applies to all processing of personal data as long as this processing takes place in the European Union (GDPR Art. 3 (1)). However, it also applies to all organisations and companies that offer goods or services in the Union or process data of persons from the European Union (GDPR Art. 3 (2)).

Example