EuroComply

GDPR for Non-EU Companies

GDPR applies to organisations established outside the EU whenever they offer goods or services to people in the EU, or monitor the behaviour of people in the EU. Article 27 requires most non-EU controllers to designate, in writing, a representative established in the Union — a frequently overlooked obligation.

Does GDPR apply to non-EU companies?

Yes — Article 3(2) extends GDPR to controllers and processors established outside the EU when they offer goods or services to data subjects in the Union, or monitor the behaviour of data subjects in the Union.

  • Designate an EU representative under Article 27 unless the processing is occasional and excludes large-scale special-category data
  • Identify the lead supervisory authority based on where the EU representative is established
  • Map cross-border transfers — the GDPR's territorial reach (Article 3(2)) does not eliminate Chapter V transfer rules for outbound flows
  • Plan for the 'targeting' test: pricing in euros, .eu/.de/.fr ccTLDs, EU-language sites, and shipping to the EU all evidence intent to offer services
Source: Regulation (EU) 2016/679 (EUR-Lex)

Who does GDPR apply to?

GDPR applies to any organisation — public or private, EU-based or not — that processes the personal data of individuals located in the EU, either by offering them goods or services or by monitoring their behaviour.

  • Controllers and processors established in the EU, irrespective of where the processing occurs
  • Non-EU controllers and processors offering goods or services to people in the EU
  • Non-EU controllers and processors monitoring the behaviour of people in the EU
  • All sectors — there is no industry carve-out

What are the penalties for GDPR non-compliance?

Two penalty tiers apply. The lower tier covers procedural breaches (records, DPO designation, data-breach notification). The upper tier covers breaches of core data-subject rights and the lawful-basis principles.

Maximum fine: €20 million or 4% of global annual turnover, whichever is higher

When does GDPR apply?

GDPR has applied in full across all EU member states since 25 May 2018. Subsequent national implementing acts (e.g. Germany's BDSG, France's loi Informatique et Libertés revision) add country-specific rules on top of the regulation itself.

  • 2016-05-24 — Entry into force
  • 2018-05-25 — Direct applicability across all EU member states

How to build a GDPR Record of Processing Activities (ROPA)

Article 30 of the GDPR requires controllers and processors with 250+ employees (or processing high-risk or special-category data) to maintain a written record of their processing activities. These are the steps the regulation prescribes.

  1. Inventory processing activities
     List every distinct purpose for which the organisation processes personal data (HR, marketing, customer support, analytics, etc.).

  2. Document required fields per activity
     For each activity, record: controller name and contact, processing purposes, categories of data subjects and personal data, recipients, international transfers and safeguards, retention period, and a general description of security measures.

  3. Identify the lawful basis
     Tag each activity with the Article 6 lawful basis (consent, contract, legal obligation, vital interest, public task, legitimate interest) and, if special-category data is involved, an Article 9 condition.

  4. Maintain in writing and on request
     Keep the record in writing, including electronic form, and make it available to the supervisory authority on request.

  5. Review on change
     Update the record whenever processing purposes, recipients, retention periods, or technical measures change materially.

€2.92 billion: cumulative GDPR fines reported by national Data Protection Authorities since 25 May 2018, according to enforcement trackers compiled from official DPA decisions.

Source: EUR-Lex and national DPA decision registers (publicly aggregated)
