
Does the GDPR apply to your business if you’re outside the EU? The short answer is yes. The longer answer is… it depends. Don’t worry, by the end of this article it’ll be crystal clear whether the GDPR applies to your business and is something you need to consider.

When does the GDPR apply to your business?

The GDPR applies to your business if you:

  1. Have any kind of “establishment” in the EU.
  2. Offer goods or services (paid or free) to any person located in the EU, especially when pricing, language, or marketing clearly targets them.
  3. Monitor or profile any person located in the EU through tools like cookies or targeted advertising.

If the GDPR applies to you, follow our GDPR checklist to make sure you’re compliant.

Does the GDPR only protect EU citizens?

No, the person’s citizenship or residency status is irrelevant to the GDPR. What matters is their physical location being in the EU when you collect or process their personal data.

Rather than protecting its own people, the EU provides rules you need to follow when you do business within its borders, even if the people you’re interacting with aren’t citizens or residents of an EU nation.

Processing the data of a US citizen while they’re visiting the EU = GDPR applies

Processing the personal data of an EU citizen while they’re visiting the US = GDPR does not apply

What does the GDPR define as an “establishment”?

If you have staff or a branch located within the EEA, you have an establishment in the EEA and the GDPR applies to your business.

What counts as offering goods or services to individuals in the EU?

You’re “offering services” to an individual in the EU if you intentionally target them. To be clear, the GDPR doesn’t apply to your website just because it is accessible from the EU. Accessibility from the EU doesn’t trigger the GDPR; only clear intent to engage people in the EU will trigger it.

If you’re a small business with a blog that occasionally gets visited by people in the EU, but your target audience is in your local town 10,000 km away from the nearest EU nation, you likely don’t need to worry about the GDPR.

However, the GDPR will likely apply if:

  • Your website clearly displays EU language options beyond your primary market language
  • Your website clearly displays EU pricing or that you accept euros or other EU currencies
  • You’re running advertising or marketing campaigns directed at EU countries
  • You’re providing shipping or delivery services to EU addresses
  • You’re using EU country-specific domain extensions (like .de, .fr) or providing EU phone numbers and addresses
  • You’re showcasing EU customers or testimonials from EU clients

What counts as monitoring or profiling individuals in the EU?

Monitoring behavior means tracking individuals in any way. Profiling is when this tracking involves analyzing or predicting their personal preferences, behaviors, or attitudes.

It’s reasonable to assume that if you’re investing in digital marketing, you’re monitoring users, because marketers rely on tracking technologies such as cookies, pixels, and similar tools to better understand their users. It is also reasonable for marketers to create audiences or personas, which may count as profiling.

It is worth noting that this kind of tracking activity is not malicious or inherently negative in most cases; it is standard practice for marketers and essential to the role. It simply requires additional considerations regarding GDPR compliance. For example, you might need to create a privacy policy and add a cookie banner to your website.

If you are not managing your own marketing, speak with your agency to ensure they are not intentionally tracking people in the EU. This is straightforward to verify, and if your target audience is outside the EU, tracking those in the EU offers no benefit to your business.

Does GDPR apply if I only process EU data, not collect it?

Yes, without a doubt. The GDPR applies to any personal data collected from people in the EU. It does not matter where that data is transferred or who collected it. If your business does not target people in the EU, but your customers do, and they share the data of EU customers with you, that data is protected by the GDPR.

Processing can take place anywhere in the world. What matters is whether the data subject was in the EU when you collected or processed their information. The location of your servers, your business, or the physical site of processing is irrelevant to the GDPR’s territorial scope. The regulation follows the data subject’s location, not the location of the processing.