The General Data Protection Regulation (GDPR) applies to companies all over the world, not just in the EU. In fact, the law might apply to you even if you don't intend to reach European customers.

The GDPR covers organizations in the EU and some other European countries, like the UK. The law also applies to companies outside Europe if they target customers in Europe. And there's an additional rule that has big implications for non-EU companies that use cookies.

This article will provide a brief overview of the GDPR and explore what the law says about companies based outside of Europe. We'll then consider some examples to put the rules in context.


What is the GDPR?

The GDPR is an EU data protection law. It sets rules and principles around how people and organizations use personal data and respect individual privacy.

Before we consider how the GDPR applies, here's a short overview of the law. If you already know about the GDPR's requirements and just want to understand if the law applies to you, you can skip to the next section.

Definitions

Here are some of the GDPR's most important definitions:

  • Personal data: Any information that relates to an identifiable individual. This can cover anything from a person's name to their IP address or cookie data.
  • Processing: Collecting, sharing, deleting, or otherwise using personal data.
  • Data subject: An individual to whom personal data relates. So if you're collecting customers' email addresses, these customers are "data subjects."
  • Data controller: A person or organization who decides how and why to process personal data. If you want to use someone's email address to promote your business, you're a data controller for these purposes.
  • Data processor: A person or organization who processes personal data on behalf of a data controller. If you hire an email marketing agency to promote your business, the agency is a processor.

Data Processing Principles

The GDPR sets six principles for processing personal data:

  1. Lawfulness, fairness, and transparency: You must only process personal data in a fair, legal, and transparent way. You must publish a Privacy Policy to inform people about your data processing.
  2. Purpose limitation: You must only process personal data for specified, explicit, and legitimate purposes.
  3. Data minimization: Personal data must be adequate, relevant, and limited to what is necessary for a specific purpose.
  4. Accuracy: You must ensure personal data is accurate and up to date.
  5. Storage limitation: You must not keep personal data for longer than you need it.
  6. Integrity and confidentiality (security): You must implement appropriate technical and organizational measures to keep personal data secure.
  7. Accountability: Data controllers are responsible for meeting the GDPR's requirements and must be able to demonstrate their compliance.

Under the GDPR, processing personal data is only allowed for one of six reasons, known as "legal bases" (or "lawful bases"):

  1. Consent: The individual has provided a "freely given, specific, informed, and unambiguous indication" that they want to process their personal data, given via a "clear affirmative action."
  2. Contract: You need to process personal data to fulfill your obligations under a contract with the individual, or to enter into a contract at their request.
  3. Legal obligation: You're legally required to process personal data in a particular way.
  4. Vital interests: You need to process personal data to protect someone's life or health.
  5. Public task: You have official authority to process personal data in the public interest.
  6. Legitimate interests: Processing personal data will provide a legitimate benefit to you or a third party, and that benefit outweighs any risks to the individual.

Data Subject Rights

Individuals have eight rights over their personal data under the GDPR. Data controllers are responsible for facilitating these rights.

  1. The right of access: Individuals can access extensive information about how you process their personal data, and can receive a copy of their personal data.
  2. The right to rectification: Individuals can correct personal data that is inaccurate or out of date.
  3. The right to erasure: Individuals can delete their personal data in certain circumstances.
  4. The right to restriction of processing: Individuals can request that you do not process their personal data in specific ways.
  5. The right of data portability: Individuals can request an accessible copy of their personal data so they can transfer it to another controller.
  6. The right to object: Individuals can stop you from processing their personal data.
  7. Rights over automated decision-making: Individuals have the right not to be subject to certain types of decision-making unless there's a human involved.

None of these rights are absolute. There are important exceptions in each case. You can learn more by reading our rights under the GDPR article.

When Does the GDPR Apply?

The GDPR applies to businesses of any size in every sector, plus public bodies, non-profits, and even individuals.

The GDPR doesn't only apply in the EU. Non-European companies are covered under certain conditions.

The rules around "territorial scope" are set out in Article 3 of the GDPR. Here's Article 3 in full, with some important parts underlined:

EUR-Lex GDPR: Article 3 - Territorial Scope - Updated

Below, we'll break this down so you can see if it applies to your company. But before we do, it's important to note that when the GDPR refers to "the Union" (the EU), this is a shorthand for:

  • All 27 EU countries
  • Iceland, Liechtenstein, and Norway, which are not EU countries but are members of the European Economic Area (EEA)
  • The UK, which has its own version of the GDPR. The law applies in basically the same way as the EU GDPR (for now).

We'll use "Europe" as a shorthand for all these places. But bear in mind that there are some European countries in which the GDPR does not apply, like Switzerland, Ukraine, and Russia.

Established in Europe

The GDPR applies to a controller or processor's "establishment" in Europe.

This means that the GDPR generally applies if:

  • Your company is based in Europe, or
  • Your company is based outside of Europe but has a European presence

There are exceptions, so let's consider this rule in more detail.

If your company is based in Europe, the GDPR generally applies. Also, if you are based outside of Europe and have an "establishment" in Europe, the GDPR applies to that establishment.

An "establishment" might mean a subsidiary, an office, or an EU or UK representative. The definition is context-dependent.

Also, note that the GDPR applies to all processing of personal data done in the context of the activities of a European establishment, regardless of whether the processing takes place in Europe.

So if an EU-based company or office stores customer data on a server in California, the GDPR still applies to that data.

We'll look at some examples below.

Targeting People in Europe

The GDPR applies to companies not established in Europe when they are "offering... goods or services" to people in Europe.

This means that if your company is based outside of Europe but has or wants European customers, you'll need to comply with the GDPR when processing their personal data.

It doesn't matter if you have any office, employees, or other physical presence in Europe.

This rule applies regardless of whether you charge for your products or services. For example, if you offer a subscription or free app to people in Europe, the GDPR applies.

Regulators can look at several factors to assess whether a company targets people in Europe. These factors might include the language of your website, the currency you use to offer your products, or whether you offer delivery to Europe.

Monitoring the Behavior of People in Europe

Even if your company has no European presence and does not want any European customers, you might still have to comply with the GDPR if you are "monitoring the behavior" of people in Europe.

What does "monitoring behavior" mean? There's a brief explanation at Recital 24 of the GDPR:

EUR-Lex GDPR: Recital 24

The GDPR says that monitoring behavior could include tracking people on the internet, and using "personal data processing techniques that consist of profiling (them)," and then taking decisions about them or predicting their preferences, behaviors, or attitudes.

Many targeted advertising campaigns meet this definition of "monitoring." Companies collect data about a person via cookies, combine the data with other information, and then predict whether the person might buy their products.

The European Data Protection Board (EDPB) provides some examples of the types of activities that might constitute the "monitoring" of people's behavior, which include:

  • Behavioral ads
  • Geo-localization activities, in particular for marketing purposes
  • Online tracking via cookies or other tracking techniques
  • Personalized diet and health analytics
  • CCTV
  • Market surveys and other behavioral studies based on individual profiles
  • Monitoring or regular reporting on people's health

Note that this part of the GDPR, unlike the "targeting" provision above, doesn't involve intention. You can monitor the behavior of people in Europe unintentionally and still fall within the GDPR's scope.

Examples of How the GDPR Applies

Here are some examples of the three broad ways in which the GDPR applies.

Established in Europe

The GDPR applies to any controller or processor established in Europe.

How can you tell if your company is "established" in Europe? The simplest example is a company based in Europe that has European customers.

But what about a U.S. company that has an office in Europe? Generally speaking, the GDPR applies to that office.

Here's an example from the European Data Protection Board (EDPB), at page 7 of the linked PDF:

EDPB Guidelines on the Territorial Scope of the GDPR: Establishment in the Union example 1

What about a company based in Europe that only targets people outside of Europe? Here's another example from the EDPB, at page 9 of the above-linked PDF:

EDPB Guidelines on the Territorial Scope of the GDPR: Processing personal data carried out in context of activities of an establishment - Example 4

This French company only has customers outside of Europe. But all of the company's data processing activities take place inside Europe. Therefore, the GDPR applies.

Targeting People in Europe

If your company is based outside of Europe, the general rule is that the GDPR applies if you are offering or providing goods or services to people in Europe.

If your company is based in, say, Florida, and does not offer services to people in Europe, you don't need to comply with the GDPR. If you decide to expand into the European market, you will need to comply with the GDPR.

But what if your company is based in Canada and has some customers in Europe? You don't need to comply with the GDPR in respect of your Canadian customers - just those in Europe. Europeans visiting or living in Canada would also generally not be covered.

How about if you only offer services to people in your own country, and one of them uses your services while on vacation in Europe? In these circumstances, you would not normally need to comply with the GDPR.

To illustrate this point, here's another example from the EDPB, at page 15 of the above-linked PDF:

EDPB Guidelines on the Territorial Scope of the GDPR: Data subjects in the Union example 8

There are many examples of regulators using this "targeting" rule to enforce the GDPR against non-European companies.

For example, Discord was fined €800,000 ($860,000) by the French regulator in November 2022, despite not having any European office at the time the investigation began.

Monitoring the Behavior of People in Europe

If you're based outside of Europe and you monitor the behavior of people in Europe, you're covered by the GDPR.

What if your website uses cookies, but you don't have a European office or target European customers?

We explored above how "monitoring" can include behavioral advertising and tracking people using cookies. This implies that if your website or app uses personal data for these activities, it's covered by the GDPR, whether or not you target users in Europe.

This means you should consider how to comply with the GDPR and the EU Cookie Law (ePrivacy Directive) if people in Europe might use your website or app.

Companies based outside Europe and providing services to European businesses can also be covered by this "monitoring" rule.

Here's an example from the EDPB (at page 20 of the above-linked PDF), whereby a U.S.-based retail consultancy provides advice to a French shopping center based on monitoring customers' movements throughout the center. The consultancy would be covered by the GDPR in respect of these activities:

EDPB Guidelines on the Territorial Scope of the GDPR: Monitoring data subjects behavior example 17

This is quite an obscure example, but the principle is clear: Regardless of where the company is based, it's covered by the GDPR because it monitors the behavior of people in Europe.

Summary

The GDPR applies to companies inside and outside of Europe. The law applies in the following ways:

  • To companies that are established in Europe
  • To companies that are not established in Europe but that:

    • Offer goods and services to people in Europe, or
    • Monitor the behavior of people in Europe

If you think you might be covered by the GDPR, it's important to consider how to comply with the law. This might involve creating a GDPR-compliant Privacy Policy, ensuring you can respond to data subject rights requests, and determining whether you have a legal basis for processing.
