GDPR compliance for US companies
GDPR applies to US companies that process personal data of EU residents. Learn the key obligations, transfer mechanisms, and compliance steps for US businesses operating in or selling to the EU.
Direct answer
GDPR applies to any US company that offers goods or services to EU residents, or monitors their behaviour — regardless of where the company is based. US companies must establish a lawful basis for each processing activity, appoint an EU representative in many cases, use valid data transfer mechanisms (SCCs, Binding Corporate Rules, or EU-US Data Privacy Framework), and handle data subject rights on the same timelines as EU-based companies. The fine regime applies to non-EU companies just as it does to EU ones.
Does GDPR apply to US companies, and what do they need to do?
- Confirm territorial scope
- Appoint an EU Representative
- Establish valid transfer mechanisms
- Map all EU personal data processing
- Prepare data subject rights workflows
| Key point | Detail |
|---|---|
| Extraterritorial scope | Article 3(2) — applies based on where data subjects are, not where the company is |
| Maximum fine | €20M or 4% of global annual turnover |
| Transfer mechanism required | Standard Contractual Clauses, BCRs, or EU-US Data Privacy Framework |
Non-EU companies without an EU establishment and that process EU resident data must appoint an EU Representative under Article 27.
GDPR compliance for US companies checklist
| Action | Checklist item | Source |
|---|---|---|
| Confirm territorial scope | Determine whether your business offers services to EU residents or tracks their behaviour; either triggers GDPR. | Article 3 |
| Appoint an EU Representative | Required unless you have a physical EU establishment, process only occasionally, and pose no high risk. | Article 27 |
| Establish valid transfer mechanisms | US-to-EU or EU-to-US data flows require SCCs, BCRs, or EU-US Data Privacy Framework certification. | Chapter V |
| Map all EU personal data processing | List purposes, categories, recipients, and processors for all EU resident data. | Article 30 |
| Prepare data subject rights workflows | US companies must respond to access, erasure, and portability requests from EU residents on GDPR timelines. | Articles 12–23 |
Key deadlines
| Date | Requirement | Source |
|---|---|---|
| Ongoing | EU Representative appointment: non-EU companies without an EU establishment that process EU resident data must appoint an EU Representative under Article 27. | European Commission GDPR SME guidance |
| 72 hours | Personal data breach notification: notify the lead EU supervisory authority within 72 hours of becoming aware of a breach where required. | European Commission GDPR SME guidance |
30/60/90-day action plan
| Phase | Action | Evidence needed |
|---|---|---|
| First 30 days | Confirm scope and assign an owner | Applicability note, business owner, systems or product list, and source links. |
| Days 31-60 | Close the evidence gaps | Policies, supplier records, data maps, technical notes, training records, or process owners. |
| Days 61-90 | Prepare for audit or customer review | Versioned compliance file, action log, exception register, and next review date. |
Evidence to retain
- Applicability decision: shows whether GDPR compliance for US companies applies and why the SME made that decision. Retain: scope memo, trigger criteria, country notes, owner approval, and review date.
- Action owner list: regulators and enterprise customers expect named accountability, not generic intent. Retain: owner, backup owner, due date, status, and unresolved blocker notes.
- Evidence folder: the fastest way to answer customer due diligence is a single audit-ready evidence file. Retain: policies, screenshots, registers, exports, supplier responses, and training records.
SME questions answered
Does GDPR apply to US companies with no EU office?
Yes. GDPR applies to any company outside the EU that targets or monitors EU residents, regardless of physical presence. The territorial scope in Article 3(2) is intentionally extraterritorial.
What is the EU Representative requirement?
Non-EU companies subject to GDPR must designate a representative in an EU member state who can receive communications from supervisory authorities on the company's behalf. Exceptions apply for occasional, low-risk processing.
Are US companies covered by the EU-US Data Privacy Framework?
Only if they self-certify with the US Department of Commerce. DPF provides a GDPR-compatible transfer mechanism for certified US companies, but requires annual recertification and compliance with DPF principles.
Can EU regulators fine a US company?
Yes. The GDPR fine regime applies regardless of company location. Enforcement is via the lead EU supervisory authority in the member state where the main EU Representative is based, or where the data subjects are located.
Informational only. This page is not legal advice and does not replace a qualified legal review of your business, systems, products or employment practices.