Skip to content
Biscotti CMP
FeaturesPricing๐Ÿ” Cookie Checkโ™ฟ Accessibility๐Ÿ“ฆ DownloadsDocumentationBlog
Login
Homeโ€บBlog

The Extraterritorial Reach of the GDPR: Why Global Companies Must Comply

July 7, 2026 ยท 14 min read

The Extraterritorial Reach of the GDPR: Why Global Companies Must Comply

Quick Answer: The GDPR applies to any organization worldwide that processes personal data of individuals located in the EU, regardless of where that organization is based. A company in California, Singapore, or Brazil with no EU office can still be fully subject to GDPR if it targets or monitors EU residents. Non-compliance can trigger fines of up to โ‚ฌ20 million or 4% of global annual revenue, whichever is higher.


Key Takeaways

  • GDPR's extraterritorial scope is defined by Article 3, which extends compliance obligations to any organization processing EU residents' data, regardless of the organization's location.
  • Two primary triggers apply: offering goods or services to EU residents, or monitoring their behavior within the EU.
  • Fines for violations can reach โ‚ฌ20 million or 4% of global annual turnover, and EU data protection authorities have pursued enforcement actions against non-EU companies. [1][4]
  • Non-EU companies subject to GDPR must typically appoint an EU-based representative as a point of contact for supervisory authorities. [3]
  • International data transfers require approved mechanisms such as Standard Contractual Clauses (SCCs) or adequacy decisions.
  • GDPR has directly influenced laws like the CCPA, signaling a global shift toward stricter data protection standards. [2]
  • Small businesses outside Europe are not automatically exempt; scale and data type determine whether exemptions apply.
  • Structuring data handling for GDPR compliance globally is often the most practical approach for multinational organizations. [8]

What Does Extraterritorial Reach Mean for GDPR Compliance

The extraterritorial reach of the GDPR means the regulation governs data processing activities that occur outside EU borders when EU residents' personal data is involved. Article 3 of the GDPR explicitly extends its applicability to organizations outside the EU that process personal data of individuals in the EU, ensuring consistent data protection regardless of the organization's location. [6]

This is a deliberate design choice. The EU's position is that the rights of its residents should not diminish simply because a company chooses to incorporate elsewhere. For global companies, this means GDPR compliance is not optional based on geography alone.

What this means in practice:

  • A U.S. e-commerce site selling to French customers must comply.
  • A Canadian SaaS platform tracking the browsing behavior of German users must comply.
  • An Australian analytics firm profiling UK residents must comply.

Does GDPR Apply to Companies Outside the EU

Yes. GDPR applies to companies outside the EU under two distinct conditions established in Article 3(2): when the organization offers goods or services to individuals in the EU (even free services), or when it monitors the behavior of individuals within the EU. [6]

Physical presence in the EU is irrelevant. A company with no EU office, no EU employees, and no EU bank account can still fall squarely within GDPR's scope if it runs a website accessible to EU users and uses tracking cookies or behavioral analytics on them. [1]

Common mistake: Assuming that because a company does not actively market to EU customers, it is exempt. If EU residents can access the service and their data is processed, the compliance question is still live.


Which Countries Are Affected by GDPR Regulations

GDPR applies within the 27 EU member states plus the three EEA countries: Iceland, Liechtenstein, and Norway. Post-Brexit, the UK operates under UK GDPR, a near-identical framework, so companies serving UK residents face parallel obligations.

Beyond geography, the regulation's reach extends globally to any organization that processes EU/EEA residents' data. This means companies in the United States, India, China, Brazil, Australia, and every other jurisdiction are potentially subject to GDPR obligations when handling EU personal data. [4]


How Does GDPR Apply to US Companies Handling EU Data

U.S. companies that collect, process, or monitor the personal data of individuals located in the EU are subject to GDPR, including businesses with no physical presence in the EU that engage with EU residents through online platforms. [4]

For U.S. companies, the practical compliance requirements include:

  • Appointing an EU representative (unless a narrow exemption applies) to serve as the contact point for EU supervisory authorities and data subjects. [3]
  • Establishing a lawful basis for processing EU personal data (consent, legitimate interest, contract, etc.).
  • Implementing data subject rights processes, including handling Data Subject Access Requests (DSARs) within the required timeframe.
  • Using approved transfer mechanisms for moving EU personal data to U.S. servers, such as Standard Contractual Clauses (SCCs).

The Schrems II ruling reinforced that U.S. companies must assess foreign surveillance laws and ensure adequate protection for EU personal data transferred internationally. [7]


What Triggers GDPR Compliance for Global Businesses

Two behavioral triggers determine whether a non-EU organization must comply with GDPR. First, offering goods or services to EU residents, even at no cost. Second, monitoring the behavior of individuals within the EU, which includes tracking cookies, behavioral profiling, and location-based analytics. [6]

Decision rule: If your organization does any of the following, GDPR compliance is required:

  • Accepts orders or registrations from EU-based users
  • Displays prices in euros or references EU-specific promotions
  • Uses analytics tools that track user behavior across EU IP addresses
  • Runs retargeting campaigns targeting EU audiences
  • Processes employee data for EU-based staff

GDPR vs CCPA: Which One Applies to Your Company

Both GDPR and CCPA may apply simultaneously to the same company. GDPR applies based on where data subjects are located (EU/EEA residents). CCPA applies based on where consumers are located (California residents) and whether the business meets specific revenue or data volume thresholds.

Criterion GDPR CCPA
Geographic scope EU/EEA residents globally California residents
Business size threshold None (scale affects risk) Revenue or data volume
Max fine โ‚ฌ20M or 4% global revenue Up to $7,500 per intentional violation
Consent model Opt-in (generally) Opt-out (generally)
Enforcement body National DPAs California AG / CPPA

GDPR has inspired similar data protection laws worldwide, including the CCPA, indicating a global shift toward stringent data protection standards. [2] A company serving both EU and California residents must satisfy both frameworks, which often means building to the stricter standard (GDPR) and applying it broadly.


Can a Company Ignore GDPR If They Don't Have EU Offices

No. The absence of EU offices, EU employees, or EU legal entities does not exempt a company from GDPR. Article 3 makes clear that the regulation applies based on the location of data subjects, not the location of the data controller or processor. [6]

EU data protection authorities have pursued enforcement actions against non-EU companies for GDPR violations, demonstrating the regulation's genuine global enforcement reach. [4] While enforcement against a company with zero EU presence is logistically more complex, it is not impossible, particularly when the company has EU customers, EU revenue, or EU-facing digital assets that can be targeted.


What Happens If You Violate GDPR as a Non-EU Company

Non-compliance with GDPR can result in fines up to โ‚ฌ20 million or 4% of the company's global annual revenue, whichever is higher. [2] Beyond financial penalties, violations can result in:

  • Orders to stop processing EU personal data (which can effectively block EU market access)
  • Mandatory audits by supervisory authorities
  • Reputational damage and loss of customer trust
  • Civil claims from affected data subjects

For a non-EU company, the enforcement pathway typically runs through the appointed EU representative or through the supervisory authority in the EU member state where most of the company's EU data subjects are located.


How Do I Know If My Business Needs to Comply with GDPR

A business needs to comply with GDPR if it processes personal data of individuals located in the EU and meets either the "offering" or "monitoring" trigger described in Article 3(2). [6]

Quick self-assessment:

  1. Does your website or app accept registrations from EU users?
  2. Do you use cookies, pixels, or analytics tools that process EU user data?
  3. Do you send marketing emails to EU-based contacts?
  4. Do you employ staff based in EU member states?
  5. Do you process payment data from EU customers?

If the answer to any of these is yes, GDPR compliance obligations apply. A consent management platform such as Biscotti CMP can help organizations manage cookie consent and data subject preferences in a GDPR-aligned manner across their digital properties.


Does GDPR Apply to Small Businesses Outside Europe

GDPR applies to small businesses outside Europe if they process EU residents' personal data and meet the behavioral triggers. There is no blanket small business exemption based on company size or revenue.

That said, GDPR does include a limited exemption from the EU representative appointment requirement for organizations whose processing is occasional, does not include large-scale processing of sensitive data, and is unlikely to result in a risk to the rights and freedoms of individuals. [3] This is a narrow carve-out, not a general exemption from compliance.

A small blog with a handful of EU subscribers is technically within scope, though enforcement priority is naturally directed at higher-risk, higher-volume data processors.


How to Structure Data Handling to Comply with GDPR Globally

Many non-EU organizations have adopted GDPR-compliant practices across all operations, even where only a portion of their business involves EU citizens, because building separate data pipelines by jurisdiction is operationally expensive. [8]

Practical steps for global GDPR-aligned data handling:

  1. Conduct a data mapping exercise to identify what personal data is collected, where it is stored, and how it flows across systems.
  2. Establish lawful bases for each processing activity involving EU personal data.
  3. Implement a consent management solution for cookie and tracking consent on digital properties.
  4. Create a DSAR response process so EU residents can exercise their rights (access, erasure, portability) within required timeframes. [5]
  5. Execute Standard Contractual Clauses for any international data transfers to countries without EU adequacy decisions. [7]
  6. Appoint an EU representative if required under Article 27.
  7. Review and update your privacy policy to meet GDPR transparency requirements.
  8. Train relevant staff on data handling obligations and breach notification procedures.

What Are Common Mistakes Companies Make with GDPR Extraterritorial Rules

Non-EU companies face recurring compliance failures that expose them to enforcement risk. [5]

  • Assuming physical absence equals legal absence: The most common and costly mistake. GDPR scope is determined by data subject location, not company location.
  • Failing to appoint an EU representative: Many non-EU companies subject to GDPR overlook this requirement entirely.
  • Relying on outdated transfer mechanisms: Post-Schrems II, Privacy Shield is invalid. Companies still relying on it are non-compliant.
  • Ignoring DSARs from EU residents: Failing to respond to data subject requests within the required one-month window is a direct GDPR violation.
  • Treating consent as a checkbox: Consent under GDPR must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and bundled consent are non-compliant.

What Is the Difference Between GDPR and Local Data Privacy Laws

GDPR is a comprehensive, rights-based framework that sets a high baseline for data protection across all sectors. Local data privacy laws, such as Brazil's LGPD, India's DPDP Act, or Japan's APPI, share many of GDPR's principles but differ in scope, enforcement mechanisms, and specific requirements.

Key distinctions:

  • Territorial scope: GDPR applies extraterritorially based on data subject location. Many local laws apply primarily within their own jurisdiction.
  • Consent standards: GDPR generally requires opt-in consent for non-essential processing. Some local laws permit opt-out models.
  • Enforcement: GDPR's fine structure (up to 4% of global revenue) is among the most severe globally. [2]
  • Sectoral vs. omnibus: The U.S. lacks a federal omnibus law; sector-specific laws (HIPAA, COPPA) coexist with state laws like CCPA. GDPR is a single omnibus regulation.

For global companies, GDPR compliance often serves as the de facto baseline because meeting its requirements satisfies many obligations under less stringent local frameworks.


Conclusion

The extraterritorial reach of the GDPR: why global companies must comply is not an abstract legal debate. It is an operational reality that affects any organization processing EU residents' personal data, regardless of where that organization is incorporated or headquartered. The compliance triggers are clear, the penalties are substantial, and enforcement has extended beyond EU borders.

Actionable next steps for 2026:

  • Audit your data flows to confirm whether EU personal data is being processed anywhere in your systems.
  • Verify that your cookie consent and tracking practices meet GDPR's opt-in standard, using a compliant tool such as Biscotti CMP.
  • Review your international data transfer agreements and confirm SCCs are in place where required.
  • Appoint an EU representative if your organization meets the threshold.
  • Establish or review your DSAR response process to ensure timely compliance.

Building GDPR compliance into global data operations is not just a legal obligation; it is increasingly a competitive signal that an organization takes data privacy seriously.


FAQ

Does GDPR apply if my company has no EU customers intentionally? If EU residents can access your service and their data is processed, the absence of deliberate targeting does not automatically exempt you. Supervisory authorities assess actual data flows, not marketing intent.

What is an EU representative under GDPR? An EU representative is a person or organization established in the EU that acts as a point of contact for data protection authorities and EU data subjects on behalf of a non-EU company subject to GDPR. [3]

Are there exemptions from GDPR for non-EU companies? The EU representative requirement has a narrow exemption for occasional, low-risk processing. However, there is no blanket exemption from GDPR compliance itself based on company size or non-EU location.

What are Standard Contractual Clauses (SCCs)? SCCs are pre-approved contractual terms issued by the European Commission that provide a legal mechanism for transferring personal data from the EU to countries without an adequacy decision. [7]

How long does a company have to respond to a DSAR? Under GDPR, organizations must respond to a Data Subject Access Request within one calendar month, extendable by two additional months in complex cases with notice to the requester. [5]

Can EU data protection authorities fine a company based outside the EU? Yes. While enforcement is more complex for companies with no EU presence, DPAs have pursued actions against non-EU companies, particularly those with EU-facing services or EU revenue streams. [4]

Is GDPR compliance a one-time project? No. GDPR compliance is an ongoing obligation. Data flows change, new processing activities are introduced, and regulatory guidance evolves. Regular audits and updates are required.

What is the difference between a data controller and a data processor under GDPR? A data controller determines the purposes and means of processing personal data. A data processor processes data on behalf of a controller. Both can have GDPR obligations, and non-EU entities can be either.


Interactive GDPR Compliance Checker


References

[1] GDPR For US Companies - https://www.recordinglaw.com/world-laws/world-data-privacy-laws/eu-data-privacy-laws/gdpr-for-us-companies/?utm_source=openai

[2] International Data Privacy Laws Rights And Compliance - https://legalclarity.org/international-data-privacy-laws-rights-and-compliance/?utm_source=openai

[3] Global Data Privacy Regulation Key Rules And Penalties - https://legalclarity.org/global-data-privacy-regulation-key-rules-and-penalties/?utm_source=openai

[4] GDPR Compliance For US Companies - https://www.igdpr.eu/en/gdpr-compliance-for-us-companies/?utm_source=openai

[5] Assessing The Impact Of GDPR On DSAR Compliance For Non-EU Companies - https://www.gdpr-advisor.com/assessing-the-impact-of-gdpr-on-dsar-compliance-for-non-eu-companies/?utm_source=openai

[6] Why Does GDPR Apply Outside The EU - https://www.cyberly.org/en/why-does-gdpr-apply-outside-the-eu/index.html?utm_source=openai

[7] How GDPR Affects Global Industry Compliance - https://www.cyberly.org/en/how-does-gdpr-affect-global-industry-compliance/index.html?utm_source=openai

[8] How GDPR Is Shaping Global Data Protection Policies Beyond The EU - https://www.gdpr-advisor.com/how-gdpr-is-shaping-global-data-protection-policies-beyond-the-eu/?utm_source=openai

โ† Back to blog
Biscotti CMP

Consent Management and Legal Text Generator by Campcruisers GmbH (Falkensee). Can support your website compliance.

Product

๐Ÿข About UsFeaturesPricingDocumentation๐Ÿ” Cookie Check๐Ÿ“ฆ Downloads๐Ÿ“š Privacy & Consent Knowledge Base๐Ÿ“ Blog๐Ÿ“– Cookie Consent & Privacy Glossary๐ŸŒ Jurisdictionsโ™ฟ WCAG 2.2 Accessible Consent Banner

Legal

ImprintPrivacy PolicyTerms of ServiceRight of WithdrawalDPACookie Policy

Contact

Contact
ยฉ 2026 Biscotti โ€“ A service of Campcruisers GmbH๐Ÿช Change cookie settings