EuroComply

GDPR

Do I need GDPR compliance if my company is not in the EU?

GDPR has extraterritorial reach. Use this 6-question tree to find out whether your non-EU company must comply and what to do next.

Last updated: 1 May 2025

Do non-EU companies need to comply with GDPR?

  • Yes path: GDPR applies — SCCs required before transferring EU data
  • No path: No cross-border transfers — GDPR still applies, lower complexity
  • Use the step-by-step decision tree below for your exact situation
Source: EUR-Lex — GDPR (Regulation 2016/679)

For informational purposes only. Consult qualified legal counsel before making compliance decisions.

Decision tree questions

  1. Do you offer goods or services to people in the EU — even for free?

    Indicators: EU-language website, EU currency pricing, EU-specific content, shipping to EU, or accepting EU sign-ups.

    • Yes: Continue to: Do you monitor the behaviour of EU residents?
    • No: Continue to: Does your company have an office, subsidiary, or any business establishment inside the EU?
  2. Do you monitor the behaviour of EU residents?

    Behaviour monitoring includes: website analytics, retargeting ads, A/B testing on EU users, or tracking user journeys across sessions.

    • Yes: Continue to: Do you have an EU representative appointed in writing?
    • No: Continue to: Do you collect any personal data from EU residents even without actively targeting them?
  3. Do you have an EU representative appointed in writing?

    Non-EU companies subject to GDPR must designate a representative in an EU member state (Art. 27) — unless they are a public authority or process only occasionally with low risk.

    • Yes: Continue to: Do you transfer EU personal data back to your servers or staff outside the EU?
    • No: GDPR applies — appoint an EU representative immediately
  4. Do you transfer EU personal data back to your servers or staff outside the EU?

    Any movement of EU personal data to a country without an EU adequacy decision (e.g. the US) requires Standard Contractual Clauses or Binding Corporate Rules.

    • Yes: Continue to: Have you signed Standard Contractual Clauses (SCCs) with all data importers?
    • No: No cross-border transfers — GDPR still applies, lower complexity
  5. Have you signed Standard Contractual Clauses (SCCs) with all data importers?

    SCCs are the standard mechanism for lawful EU-to-third-country data transfers. The 2021 EU SCCs replaced the old sets.

    • Yes: Good foundation — verify your full GDPR compliance posture
    • No: GDPR applies — SCCs required before transferring EU data
  6. Do you collect any personal data from EU residents even without actively targeting them?

    If EU users organically find your product and sign up, you still process their data — GDPR may apply.

    • Yes: GDPR likely applies — review Art. 3 territorial scope
    • No: GDPR does not apply — no targeting or monitoring of EU residents
  7. Does your company have an office, subsidiary, or any business establishment inside the EU?

    Even a single employee based in the EU can constitute an establishment, triggering GDPR for all processing connected to that establishment's activity.

    • Yes: GDPR applies — EU establishment triggers full compliance
    • No: GDPR does not appear to apply