Who Needs to Follow GDPR? (It’s Not Just for EU-Based Businesses!)

When the European Union’s General Data Protection Regulation (GDPR) came into effect in 2018, it fundamentally changed how organizations worldwide handle personal data. Yet one of the most persistent misconceptions is that GDPR only applies to businesses based in the EU.

This couldn’t be further from the truth.

GDPR has a remarkably wide reach that extends far beyond European borders, potentially affecting businesses of all sizes across the globe. If you’re operating under the assumption that GDPR doesn’t apply to your business because you’re not based in the EU, you might be putting yourself at risk of significant penalties.

In this comprehensive guide, we’ll explore exactly who needs to comply with GDPR, with a particular focus on non-EU businesses, and provide practical steps to ensure your compliance.

What is GDPR? Understanding the Basics

The General Data Protection Regulation is a comprehensive privacy law designed to protect the personal data of individuals in the European Union and European Economic Area. It came into effect on May 25, 2018, replacing the previous Data Protection Directive from 1995.

GDPR is built around several core principles:

  • Lawfulness, fairness, and transparency in data processing
  • Purpose limitation (collecting data for specified, explicit purposes)
  • Data minimization (collecting only what’s necessary)
  • Accuracy (ensuring data is kept up to date)
  • Storage limitation (keeping data only as long as necessary)
  • Integrity and confidentiality (ensuring appropriate security)
  • Accountability (demonstrating compliance with these principles)

The regulation grants EU residents various rights over their personal data, including the rights of access, rectification, erasure, restriction of processing, data portability, and objection to processing.

The Territorial Scope of GDPR (Article 3)

What makes GDPR particularly impactful is its broad territorial scope, outlined in Article 3.

The regulation applies to organizations based on three key principles:

1. Establishment Principle

GDPR applies to the processing of personal data by controllers and processors with an establishment in the EU, regardless of whether the processing takes place in the EU or not.

What counts as an “establishment”? According to EU case law, this can include:

  • A branch or subsidiary
  • A single employee or agent in the EU
  • In some cases, even a regular commercial activity directed at the EU

2. Targeting Principle

Even without an EU establishment, GDPR applies to organizations offering goods or services to individuals in the EU.

This doesn’t necessarily require a financial transaction—free services can also fall under this principle if they’re deliberately targeted at EU residents.

3. Monitoring Principle

Organizations that monitor the behavior of individuals within the EU must comply with GDPR, regardless of the organization’s location.

Monitoring can include:

  • Web tracking technologies
  • Online behavioral advertising
  • Profiling activities
  • Wearable technology data collection

Beyond EU Borders: 5 Types of Non-EU Businesses That Must Comply

Based on the principles above, here are five specific types of non-EU businesses that must comply with GDPR:

1. Companies Offering Goods or Services to EU Residents

If your business deliberately targets EU consumers—even if you’re based outside the EU—you need to comply with GDPR.

Signs that you’re targeting EU residents might include:

  • Offering your website in EU languages (other than English)
  • Using European currencies for pricing
  • Referencing EU customers or users in marketing materials
  • Having a country-specific domain (e.g., .de, .fr, .it)
  • Offering shipping to EU countries

For example, a US-based e-commerce store that ships to France, displays prices in Euros, and has a French language option would need to comply with GDPR.

2. Companies Monitoring EU Residents’ Behavior

If you track, analyze, or predict the behavior of individuals in the EU, GDPR applies to you.

Common examples include:

  • Using cookies or similar tracking technologies on your website
  • Implementing behavioral advertising or remarketing campaigns
  • Conducting user analytics that involves profiling
  • Operating apps that collect location data
  • Using AI to make predictions about users

3. Companies Processing EU Residents’ Data on Behalf of Other Companies

Service providers or data processors handling EU resident data must follow GDPR requirements, even if they themselves have no direct EU presence or targeted services.

This includes:

  • Cloud service providers
  • Payment processors
  • Marketing agencies
  • CRM and customer support providers
  • Web hosting companies

4. Companies with EU Employees

If your non-EU business employs staff who are EU residents (including remote workers), you’ll need to comply with GDPR for the processing of their personal data.

This applies to:

  • HR data
  • Payroll information
  • Performance reviews
  • Work-related monitoring
  • Benefits administration

5. Companies with EU-Based Business Partners or Suppliers

B2B relationships that involve sharing personal data with EU partners, clients, or vendors may require GDPR compliance.

This can include:

  • Contact information of business representatives
  • Client data shared with EU service providers
  • Vendor data where individuals are identifiable

Real-World Examples of Non-EU Companies Subject to GDPR

The territorial reach of GDPR is not merely theoretical—several high-profile cases have demonstrated its practical impact on non-EU companies:

Meta (Facebook)

The Irish Data Protection Commission fined Meta €390 million in January 2023 for its handling of user data. Despite being headquartered in the US, Meta’s Irish subsidiary and its targeting of EU users brought it squarely under GDPR’s jurisdiction.

Google

France’s data protection authority (CNIL) imposed a €50 million fine on Google in 2019 for lack of transparency and valid consent in personalized advertising. This case highlighted that even tech giants must adapt their global operations to meet GDPR standards.

Marriott International

The UK’s Information Commissioner’s Office fined the US-based hotel chain £18.4 million for a data breach affecting millions of guests, including EU residents. This demonstrates how data security failures can lead to significant penalties for non-EU companies.

Determining If Your Business Needs to Comply: A Simple Checklist

To help determine if GDPR applies to your business, ask yourself these questions:

  • Do you have any physical presence in the EU (office, employees, representatives)?
  • Do you offer goods or services to people in the EU (even for free)?
  • Is your website available in any EU languages other than English?
  • Do you accept Euros or other EU currencies?
  • Do you mention EU customers or markets in your marketing?
  • Do you use analytics, tracking cookies, or profiling on visitors from the EU?
  • Do you monitor online behavior of people who may be in the EU?
  • Do you process personal data on behalf of organizations that target EU residents?
  • Do you employ any EU residents, even remotely?
  • Do you exchange personal data with EU-based business partners?

If you answered “yes” to any of these questions, GDPR likely applies to your business.

What Counts as “Targeting” EU Residents?

The European Data Protection Board has issued guidance on what constitutes “targeting” EU residents:

  1. Intention matters: Deliberate targeting is key—merely having a website accessible in the EU isn’t necessarily targeting.
  2. Consider multiple factors: No single factor is determinative, but the combination of elements indicates targeting.
  3. Look for specific indications: Examples include local phone numbers, EU domain names, EU-specific marketing campaigns, and testimonials from EU customers.

What Qualifies as “Monitoring Behavior”?

Monitoring behavior typically includes activities like:

  • Tracking individuals across websites or apps
  • Collecting data on browsing habits
  • Location tracking
  • Health and fitness monitoring
  • Behavioral profiling for advertising
  • Risk assessment algorithms

The Consequences of Non-Compliance

GDPR violations can result in significant penalties:

  • Administrative fines of up to €20 million or 4% of global annual revenue, whichever is higher
  • Remediation requirements that may necessitate costly changes to business practices
  • Private lawsuits from affected individuals seeking compensation
  • Reputational damage that can affect customer trust and business relationships
  • Business limitations such as restrictions on data processing activities

Notable fines on non-EU companies include:

  • WhatsApp (US): €225 million for transparency failures
  • Amazon (US): €746 million for advertising consent practices
  • Clearview AI (US): €20 million for unlawful biometric data collection

Common GDPR Compliance Issues for Non-EU Businesses

Non-EU businesses face several recurring challenges when trying to align their operations with GDPR requirements.

Data Transfers Outside the EU

One of the most challenging aspects of GDPR for non-EU businesses is the restriction on transferring personal data outside the EU. Such transfers are only permitted if:

  • The receiving country has been deemed to provide “adequate” protection by the European Commission
  • Appropriate safeguards are in place (such as Standard Contractual Clauses)
  • Specific derogations apply (such as explicit consent)

The invalidation of the EU-US Privacy Shield in 2020 (in the Schrems II decision) has complicated matters further, requiring companies to implement additional safeguards when transferring data to the US.

Use of Third-Party Tools and Services

Many businesses unknowingly violate GDPR through their use of third-party services. For example, a German court ruled that embedding Google Fonts directly from Google’s servers violates GDPR because it transfers visitors’ IP addresses to Google’s US-based servers without proper legal basis.

Similarly, using analytics tools, marketing platforms, or CRM systems that process data outside the EU can trigger compliance issues if proper safeguards aren’t in place.
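The mechanism behind the Google Fonts ruling (any embedded third-party resource makes every visitor's browser open a connection to that host, handing over the visitor's IP address before any consent dialog can intervene) can be checked statically by listing which hosts a page's markup instructs the browser to fetch from. The scanner below is an added example written for this article; it is not the Violating GDPR tool and not code from the author. The sample page, its URL and the host names in it are constructed, and the "same site" check is a deliberately simple last-two-labels comparison that does not handle public suffixes such as co.uk.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Element/attribute pairs whose URLs a browser fetches automatically on page load,
# so the visitor's IP address reaches whichever host serves them.
FETCHED_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
    "embed": ("src",),
}
# <link rel="..."> values that do not trigger a fetch; stylesheet, preconnect,
# icon, preload and similar do.
LINK_REL_NO_FETCH = {"canonical", "alternate", "author", "license", "prev", "next"}


def registrable_base(host):
    """Crude same-site check: the last two DNS labels (e.g. example.com).
    Assumption: not public-suffix aware, so co.uk-style domains are mis-grouped."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


class ThirdPartyResourceParser(HTMLParser):
    """Collects every auto-fetched resource whose host is not the page's own site."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = registrable_base(urlsplit(page_url).hostname or "")
        self.findings = []  # (tag, attribute, absolute_url, host)

    # HTMLParser routes self-closing tags (<img ... />) here as well.
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in FETCHED_ATTRS:
            return
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if rel and set(rel) <= LINK_REL_NO_FETCH:
                return
        for attr in FETCHED_ATTRS[tag]:
            raw = (attrs.get(attr) or "").strip()
            if not raw or raw.startswith(("data:", "blob:", "javascript:", "#")):
                continue  # inline content: no network request is made
            # urljoin resolves relative paths and protocol-relative //host/... URLs
            url = urljoin(self.page_url, raw)
            host = urlsplit(url).hostname
            if host and registrable_base(host) != self.first_party:
                self.findings.append((tag, attr, url, host))


def find_third_party_resources(html, page_url):
    parser = ThirdPartyResourceParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def third_party_hosts(html, page_url):
    """Distinct external hosts that will receive the visitor's IP on page load."""
    return sorted({host for _, _, _, host in find_third_party_resources(html, page_url)})


# Constructed sample page: a mix of first-party, inline and third-party resources.
PAGE_URL = "https://www.example.com/pricing"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
  <link rel="canonical" href="https://www.example.com/pricing">
  <script src="//cdn.example.com/app.js"></script>
  <script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
  <script>console.log("inline script, no request")</script>
</head><body>
  <img src="data:image/png;base64,iVBORw0KGgo=" alt="inline image">
  <img src="images/logo.png">
  <iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url, host in find_third_party_resources(SAMPLE_HTML, PAGE_URL):
        print(f"<{tag} {attr}> -> {host}  ({url})")
    print("third-party hosts:", third_party_hosts(SAMPLE_HTML, PAGE_URL))
```

On the sample page the scanner reports the Google Fonts stylesheet, the tag-manager script and the YouTube iframe, and correctly ignores the first-party CSS, the CDN on the same site, the inline script and the data: image. It only tells you which hosts a visitor contacts; whether those hosts sit outside the EU, and whether a transfer mechanism covers them, still has to be established per vendor. Resources injected later by JavaScript are not visible to a static parse, so a browser-based check complements this one.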

Website and Online Analytics Compliance

Website compliance remains problematic for many non-EU businesses, particularly regarding:

  • Cookie consent mechanisms
  • Privacy policies
  • Data subject rights procedures
  • Analytics implementation
  • Third-party script loading

A quick way to check if your website might be sending data outside the EU is to use our free GDPR compliance checker at Violating GDPR. This tool scans your website for elements that might transfer EU visitor data to non-EU servers.

Practical Steps to Ensure GDPR Compliance

Achieving GDPR compliance isn’t just about understanding the regulation—it requires concrete action and implementation across your organization.

1. Initial Assessment and Data Mapping

Begin by understanding what personal data you collect, where it’s stored, how it’s processed, and with whom it’s shared. This “data mapping” exercise is fundamental to GDPR compliance.

Key questions to answer:

  • What personal data do you collect from EU individuals?
  • Why do you collect it? (What’s your legal basis?)
  • Where is the data stored?
  • Who has access to it?
  • How long do you keep it?
  • Is it transferred outside the EU?

2. Implementing Necessary Policies and Procedures

Based on your assessment, develop or update:

  • Privacy policy clearly explaining your data practices
  • Cookie policy detailing what cookies you use and why
  • Data retention policy establishing how long data is kept
  • Data subject rights procedures for handling access requests
  • Data breach notification procedures
  • Data protection impact assessment process for high-risk processing

3. Technical Measures for Compliance

Implement technical safeguards such as:

  • Proper consent management systems for your website
  • Data minimization practices in your systems
  • Encryption of personal data in transit and at rest
  • Access controls restricting who can see personal data
  • Privacy by design in new products and services

A good starting point is to run a GDPR compliance check on your website. Our tool at Violating GDPR can help you identify if your site is transferring EU visitors’ data outside of Europe, which could be a violation of GDPR. The tool analyzes elements like embedded videos, scripts, iframes, and images that might send IP addresses to non-EU servers.

4. Vendor and Partner Management

Review all third-party services and ensure they comply with GDPR by:

  • Signing data processing agreements with processors
  • Verifying their compliance measures
  • Checking where they process and store data
  • Evaluating alternative EU-based services where necessary

5. Staff Training and Awareness

Ensure that employees understand GDPR principles and their role in maintaining compliance through:

  • Regular training sessions
  • Clear guidelines and procedures
  • Privacy-focused culture
  • Accountability mechanisms

Conclusion

GDPR compliance is not limited to EU-based organizations—its reach extends to any business that targets EU residents, monitors their behavior, or processes their data, regardless of where that business is located.

Non-compliance carries significant risks, from hefty fines to reputational damage. However, by understanding the regulation’s requirements and implementing appropriate measures, businesses worldwide can navigate GDPR successfully.

Remember, GDPR compliance is not just about avoiding penalties—it’s about respecting user privacy and building trust with your audience. In today’s data-driven world, demonstrating a commitment to data protection can be a competitive advantage.

Start by checking your website’s GDPR compliance status with our free tool at Violating GDPR, and take proactive steps to address any issues identified. Your EU users—and your business—will thank you for it.

FAQs

If my business is based outside the EU but has a few EU customers who found us organically, does GDPR apply?

It depends on whether you’re “targeting” EU residents. If you don’t specifically market to the EU, don’t offer EU languages or currencies, and these customers found you without any EU-directed activities on your part, you may not be subject to GDPR. However, once you knowingly accept EU customers, it’s prudent to work toward compliance.

Does having an EU citizen who lives outside the EU as a customer trigger GDPR?

No. GDPR protects individuals who are physically in the EU, regardless of their citizenship or residency status. It does not follow EU citizens around the world.

If I block all EU traffic to my website, do I still need to comply with GDPR?

If you effectively block all EU traffic and don’t otherwise target or monitor EU residents, you may not need to comply with GDPR. However, this approach could limit your business growth and may not be practical in all situations.

Can I be fined if my company has no assets or presence in the EU?

While enforcement against companies with no EU presence is more challenging, EU data protection authorities are increasingly cooperating internationally. Additionally, non-compliance could result in restrictions on your ability to do business with EU partners in the future.

Is GDPR compliance a one-time project?

No, GDPR compliance requires ongoing effort. You need to regularly review and update your practices as your business evolves, as you adopt new technologies, and as regulatory guidance develops.

Author

Gaurav Vakharia

As a seasoned sales and marketing professional, Gaurav has extensive exposure catering to international projects. An avid listener, a sports fanatic, a reader, and a movie buff, he enjoys creativity.
