GDPR for US Companies: Does It Apply to You?

A US company with no European office can still fall under the GDPR. The trigger is Article 3: if you offer goods or services to people in the EU, or monitor their behavior, the regulation reaches you across the Atlantic.

The short answer: a US address does not put you outside the GDPR

Many US founders assume the EU's General Data Protection Regulation is a European problem for European companies. It is not. The GDPR was deliberately written to reach beyond Europe's borders, and a company headquartered in Austin or Denver with no EU office, subsidiary, or bank account can still be squarely within its scope.

The rule that does this is Article 3, the GDPR's territorial-scope provision. It extends the regulation to organizations established outside the EU in two situations: when you offer goods or services to people who are in the EU, and when you monitor the behavior of people who are in the EU. If either applies to how your business actually operates, the GDPR's obligations attach to that processing, regardless of where your servers, staff, or headquarters sit.

This is general information, not legal advice: whether you are in scope turns on the specific facts of your business — the kind of judgment a privacy lawyer should make against the official text. Understanding the Article 3 triggers below will tell you whether that is a conversation you need to have.

How Article 3 reaches across the Atlantic

Article 3 sets out two independent paths to scope for a company outside the EU. You only need one of them to apply.

The first is offering goods or services to data subjects in the EU — whether or not money changes hands, so a free app or newsletter counts. The key word from the regulation and the regulators' guidance is intention: it is not enough that a German tourist happens to buy from your US website. The question is whether you envisage offering your goods or services to people in the EU (the concrete signals of that intent are in the next section).

The second path is monitoring the behavior of people in the EU, as far as that behavior takes place within the EU. In practice this captures online tracking: behavioral advertising, analytics that profile individuals, cookies and pixels that follow EU users across sites, and similar profiling used to predict preferences or make decisions. A US SaaS product that profiles EU website visitors can be monitoring them even with no EU sales at all.

Note what does not matter under Article 3: citizenship and your own location. The test is about people who are in the EU at the time, not their nationality, and it applies to you no matter where your company is based.

Practical signals you may already be in scope

Abstract legal tests are hard to act on, so here are the concrete patterns that most often pull a US company into scope. None is a definitive yes on its own, but several together strongly suggest you should get advice.

You have EU customers by design — you sell, ship, or offer a service into EU member states, accept euros, localize your site or pricing for European markets, or list EU countries in a checkout dropdown. You deliberately target EU traffic — you run ads aimed at EU audiences, do SEO for European search terms, or translate marketing into EU languages. You track and profile EU visitors — your analytics, advertising pixels, or product telemetry build behavioral profiles of identifiable people in the EU. And a quieter trigger many overlook: you have staff, contractors, or job applicants in the EU, whose personal data you are already processing.

If several of those lines describe your business, treat "are we in scope?" as a live question rather than a settled no. The cost of being wrong — a complaint to a supervisory authority, an enforcement inquiry, or a deal you cannot close because you cannot answer a buyer's data-protection questions — is real, while the cost of getting the documentation foundation in place is modest.

Your core obligations if you are in scope

If Article 3 catches you, you take on the same substantive obligations as an EU-based controller for the processing in scope. The headline duties for a typical small business are these.

Identify a lawful basis for every processing activity: the GDPR permits no processing without one of the six bases in Article 6 — consent, contract, legal obligation, vital interests, public task, or legitimate interests — chosen before you process.

Publish a transparent privacy notice covering, in plain language, what data you collect, why, your lawful basis, how long you keep it, and how to exercise rights.

Honor data-subject rights, including responding to access requests (DSARs) within one month.

Keep Records of Processing Activities under Article 30 — the written inventory of what you process, why, who receives it, and for how long. Note that Article 30(5) gives organizations under 250 employees a narrow exemption, but it falls away for processing that is not occasional, that is likely to risk people's rights, or that involves special-category data, so most active businesses end up keeping records anyway (confirm how it applies to you against the official text).

Put Data Processing Agreements under Article 28 in place with your processors — the vendors handling personal data on your behalf, such as your CRM, email host, payroll, and cloud provider.

And maintain a breach process: notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware (Article 33), and notify affected individuals where the breach is likely to result in a high risk to them.

Two further obligations may apply. An organization with no EU establishment that is in scope under Article 3(2) generally must designate an EU-based representative under Article 27, unless a narrow exemption applies. And a Data Protection Officer is mandatory under Article 37 only in specific cases — broadly, large-scale systematic monitoring or large-scale processing of special-category data — so most small businesses are not required to appoint one, though some do voluntarily. Because these thresholds turn on specifics, confirm the current requirements against the official GDPR text and with privacy counsel.

What to do if you are unsure

Uncertainty is the normal starting point, and there is a sensible sequence for resolving it without overreacting.

Start by mapping reality. Write down where your users, customers, employees, and contractors actually are, and what personal data you collect from people in the EU and how — sales, sign-ups, analytics, advertising, hiring. This data-mapping exercise is the single most useful thing you can do, because it turns the vague "does GDPR apply?" into a concrete list of processing activities you can each assess against the two Article 3 triggers. Be honest about marketing intent and tracking, which are where most US companies are surprised to find themselves in scope.

Where the answer is yes or genuinely unclear, get advice from a qualified privacy professional before assuming either way — both over-claiming compliance and wrongly deciding you are exempt carry risk. A lawyer can also confirm specialized questions, such as whether you need an Article 27 EU representative. In parallel, begin assembling the documentation layer any in-scope program needs: that work is useful regardless of the final conclusion and gives counsel something concrete to refine rather than a blank page.

Where a template fits — and where it doesn't

It is worth being precise about what documentation can and cannot do, because the GDPR is enforced on practice, not paperwork.

A template or toolkit is the documentation layer of a privacy program, not the program itself. A good GDPR document set gives you the artifacts the regulation expects you to produce — a privacy notice, a Records of Processing Activities workbook for Article 30, a DSAR procedure, a DPIA procedure, a breach-response plan, and a processor/DPA checklist — already structured to the right articles, so you tailor them rather than draft from scratch. That removes the slowest, most error-prone part of getting ready, and it is the same kind of evidence a customer, auditor, or supervisory authority will ask to see.

What a template cannot do is make you "GDPR compliant." There is no certificate that confers GDPR compliance, and no document makes you compliant on its own; compliance is the ongoing result of how you actually collect, secure, use, and delete personal data, and of honoring people's rights. The documents support that work, but you still have to operate the program and, where your facts warrant it, confirm the specifics with privacy counsel. Used that way, a toolkit is a genuine head start; treated as a finish line, it is a false sense of security.

Frequently asked questions

Does the GDPR apply to a US company with no office in the EU?

It can. Under Article 3, the GDPR reaches organizations outside the EU when they offer goods or services to people who are in the EU, or monitor the behavior of people in the EU. Neither requires an EU office, subsidiary, or bank account — so a US-based company with no European presence can still be in scope for that processing. Because it turns on your specific facts, confirm your situation with privacy counsel and against the official GDPR text.

What counts as 'offering goods or services to people in the EU'?

The test is intention, not an accidental EU sale. A German tourist buying from your US site does not by itself put you in scope; the question is whether you envisage offering to people in the EU. Signals that you do include pricing in euros, EU-language options, an EU country-code domain, shipping to or naming EU member states, and marketing aimed at EU audiences. Offering for free still counts — no payment is required for the trigger to apply.

Does tracking EU website visitors trigger the GDPR?

It can. Article 3's second trigger is monitoring the behavior of people in the EU, which regulators read to include online tracking and profiling — behavioral advertising, analytics that profile individuals, and cookies or pixels that follow EU users. A US company that profiles identifiable EU visitors can be in scope even with no EU sales. Confirm the specifics for your tracking setup with a qualified privacy professional.

Do I need an EU representative or a Data Protection Officer?

They are different requirements. An in-scope organization with no EU establishment generally must designate an EU-based representative under Article 27, unless a narrow exemption applies. A Data Protection Officer is mandatory under Article 37 only in specific cases — broadly, large-scale systematic monitoring or large-scale special-category processing — so most small businesses are not required to appoint one. Both turn on your facts, so verify the current requirements against the GDPR text and with counsel.

Will a GDPR template make my US company compliant?

No. There is no certificate that confers GDPR compliance, and no document set makes you compliant on its own. A toolkit gives you the documentation layer the regulation expects — a privacy notice, an Article 30 Records of Processing Activities workbook, a DSAR procedure, a DPIA procedure, a breach-response plan, and a processor/DPA checklist — so you tailor rather than draft from scratch. Compliance still comes from how you actually process personal data and honor individuals' rights, confirmed where needed with privacy counsel.


Toolkits that help

EU GDPR

GDPR Compliance Pack for Small Business

14 editable GDPR documents — privacy notices, DSAR procedure, DPIA, breach response, processor DPA checklist — plus a pre-filled Records of Processing Activities (Art. 30) workbook and evidence checklist.


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.