Who Does GDPR Apply To and Why?

January 03, 2025

The General Data Protection Regulation is a wide-ranging set of information security and consumer privacy laws aimed at protecting personal data and privacy. The European Union officially implemented GDPR in May of 2018 to empower EU citizens with control over their data and prevent abusive data collection practices. One of the most common questions for U.S. businesses is who GDPR applies to. Is your company required to comply with GDPR guidelines?

Who Needs To Comply With GDPR?

GDPR applies to any organization that processes the personal data of EU citizens or residents. This includes several main groups:

  • EU companies: All organizations in the EU have to comply with GDPR, even for data stored or analyzed by firms outside of Europe.
  • International brands with EU locations: Brands that have a base in Europe must follow GDPR when it comes to local consumers.
  • B2B companies with EU customers: GDPR also applies to the data of business professionals, such as their names, email addresses, business phone numbers, IP addresses, and other data that could identify them.
  • U.S. businesses with customers in the EU: Manufacturers, exporters, dropshippers, business consultants, and other companies that offer products and services in the EU need to comply with GDPR.

In case you’re wondering, data processing refers to collecting, storing, analyzing, sharing, or otherwise using the information. There are even GDPR rules around deleting consumer data. Basically, GDPR is applicable in the U.S. whenever your company handles private data from EU residents.

When Does GDPR Apply to Online Businesses?

For companies with major customers in Europe, it’s fairly obvious that complying with GDPR is necessary. E-commerce businesses, by contrast, can easily violate GDPR guidelines without realizing it. If any of the following situations apply to your website or e-commerce store, you need to learn about GDPR compliance ASAP:

  • You offer a marketplace for global customers and offer international shipping, including to EU countries.
  • You regularly make sales to EU citizens.
  • You send data on EU customers to a third-party processor, such as MailChimp or FedEx.
  • Your company has a distribution center in the EU or does business with an EU-based shipping company or supplier.
  • Your website tracks traffic from EU visitors and uses cookies to analyze their data.
  • You dropship products to EU citizens.
  • You actively market your services to markets around the world, including EU member states.
  • You created marketing content for European audiences, perhaps even translating content to German, Spanish, Portuguese, French, Italian, or Polish.

In other words, even if your primary business activities revolve around U.S. customers, branching out to European markets requires carefully investigating your obligations and complying with GDPR.

Does GDPR Apply to U.S. Citizens?

GDPR protections can apply to U.S. citizens who are living in an EU member country, even temporarily. Citizenship isn’t a requirement, as GDPR applies based on residency in an EU country. GDPR is a region-based set of regulations, not an ID-based law.

Imagine that your company headquarters are in Miami, but you have offices in Berlin. You decide to transfer several employees from Miami to Germany. Even though they are U.S. citizens, they will live in Berlin for months or years.

GDPR would apply to all of them. You would have to follow GDPR guidelines when it comes to obtaining consent for data processing, videoconferencing, mobile tracking, and similar elements.

The same goes for U.S. citizens who purchase products in the EU while visiting. They enjoy the same personal data protections as residents.

Is GDPR Applicable in the US?

What if an EU citizen travels to the U.S.? Does your business have to treat them differently than other customers? No. EU citizens don’t enjoy any special protections when traveling abroad. You only need to follow U.S. consumer protection laws in this situation.

Who Does GDPR Not Apply To?

While GDPR always applies to businesses in the EU, the same isn’t always the case for companies that are located in the United States. For example, it doesn’t apply to incidental or occasional transactions.

Say that your e-commerce business sells products in the United States. All of your marketing focuses on an American audience. Of course, the internet means you can’t control who visits your website. Just because a few people in France browsed your website or decided to order a few products, you’re not suddenly obligated to comply with GDPR.

That said, you have to be careful if you use paid search advertising with website cookies. Some Google and Facebook tools allow you to target website visitors with ads, and this can break GDPR requirements. To avoid this problem, set regional advertising restrictions.

There are also GDPR exceptions for small businesses. Any company with fewer than 250 employees is not usually required to create a record of data processing activities (unless your business revolves around data collection or the information is likely to hurt consumers if leaked). You would still need to get consent before gathering or using EU consumer data, however.

What Does GDPR Compliance Involve for E-Commerce Businesses With EU Clients?

Companies doing e-commerce in the EU must comply with GDPR.

The GDPR has 99 articles and dozens of pages of requirements, so it’s important to carefully review your obligations if you sell in the EU. Some of the main principles involve:

  • Only gathering personal data for legitimate purposes, such as selling products or marketing to customers
  • Obtaining consent before processing data
  • Clearly spelling out how and when you process data in your privacy policy
  • Limiting data collection to the minimum necessary and for as short a time as possible
  • Processing personal data in a secure manner, such as using encryption
  • Keeping accurate records of all data gathering
  • Allowing customers to see the data you have collected and delete their data on request

Not surprisingly, many enterprises employ legal professionals to understand the scope of their responsibilities under GDPR, and to coordinate compliance.

Does GDPR Apply To Your Business?

The key factor that determines whether GDPR applies to a business is where its customers reside. If you operate, sell products, or market your services in the EU, then GDPR compliance is a must. Compyl can make complying with GDPR requirements easier by helping you set objectives, follow data security best practices, track progress, and create automated workflows around data gathering. Get GDPR compliant and grow your business in the EU safely.