
Does GDPR Apply to Businesses Outside the EU? The Complete Guide

By Safna November 8, 2024

Expert reviewed

Data transcends geographical boundaries, as does the General Data Protection Regulation (GDPR). The law has become a global benchmark for businesses beyond European borders. In addition to the 27 EU member states and the countries of the European Economic Area (EEA), GDPR’s reach covers all data processing activities involving the personal data of EU citizens. This post explains the scope of GDPR outside the EU.

How does GDPR impact non-EU businesses?

The GDPR is known for its global applicability. It requires any business collecting European personal data to handle it responsibly, regardless of its location. 

GDPR impacts businesses outside the EU in the following ways.

#1 Non-EU businesses offering products or services to EU residents

GDPR brings companies outside Europe within the law’s scope if they offer products or services to data subjects in the union.  

Consider an online textile business that operates solely within India but has gained international recognition. Customers worldwide, particularly in Europe, frequently visit its website to purchase products. To enhance the shopping experience, the company offers the option to customise currency selections to reflect those used in different European countries. Given this context, does the company need to be GDPR-compliant? 

The example above illustrates how the Indian company enables EU customers to customise the currency according to their preferences, making the shopping experience convenient for them. This indicates the company’s commitment to catering to European consumers. 

Thus, companies that demonstrate such an intention are considered to be targeting EU data subjects and must comply with GDPR.

In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.

GDPR Recital 23

Other signs that a business intends to offer its products or services to EU data subjects include:

  • Promotional content in EU-specific languages
  • Mentions of EU customers or clients
  • Website versions created specifically for EU member states
  • Options to choose an EU country as the location for customised content
  • Use of EU-specific cultural references
  • A streaming service offering content dubbed in multiple EU languages

Merely being accessible in Europe, like in any other country, doesn’t necessarily imply that there’s an intention to market to those customers.

Example

A Japanese online gaming application is available in both Japanese and English. All the games in the app resemble traditional Japanese games and are promoted exclusively to Japanese customers. In this context, GDPR may not apply just because the app is available in English. However, if the application is frequently used by Europeans and hence involves their personal data, GDPR might still apply.

#2 Non-EU businesses monitoring the behaviour of EU citizens

Monitoring EU citizens typically involves tracking the online activities of individuals and using that information to analyse and predict their behaviour, interests, etc. This is probably how you get music suggestions that suit your taste, or advertisements for products you previously searched for. Though this is convenient for businesses, customers may not like being followed around the internet.

Examples of monitoring activities

  • A Kentucky-based online retailer sending targeted advertisements and marketing emails to EU customers based on their search history and online activities.
  • A Malaysian travel agency promoting tour packages in EU-specific languages to European customers based on their internet searches.

GDPR takes monitoring seriously and requires all websites collecting personal data from Europeans with tracking technologies like cookies to provide cookie banners. These banners allow data subjects to choose whether to allow cookies on their devices. 

Not all cookies need consent. Essential/necessary cookies such as the ones used for load balancing can be used without getting user consent.
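The two paragraphs above describe consent-gated cookies: essential cookies (load balancing, session handling) may be set without asking, while everything else may only be set after the visitor makes an affirmative choice in the banner, and must be cleared if that choice is withdrawn. The JavaScript below is an added example written for this post; it is not code from the post or from CookieYes. The category names, the cookie catalogue and the shape of the consent record are assumptions, and the cookie jar is a plain object standing in for document.cookie so the logic runs outside a browser.

```javascript
// Added example: a minimal consent-gating model for cookie categories.
// Category names, cookie catalogue and consent-record shape are assumptions,
// not taken from the post or from any particular CMP.

const ESSENTIAL = "necessary"; // exempt from consent (e.g. load balancing, session)
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Consent record before the banner is answered: only essentials are allowed.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, updatedAt: null };
}

// Build a consent record from the visitor's banner choices.
// Only an explicit boolean true counts as consent: no pre-ticked boxes,
// and no coercion of truthy strings or numbers into "yes".
function recordConsent(choices, now = new Date()) {
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat === ESSENTIAL) continue; // never asked, never refusable
    consent[cat] = choices[cat] === true;
  }
  consent.updatedAt = now.toISOString();
  return consent;
}

// Constructed catalogue of the cookies the site would like to set, each tagged
// with the category that decides whether consent is needed.
const COOKIE_CATALOGUE = [
  { name: "SERVERID", category: "necessary", purpose: "load balancing" },
  { name: "_ga", category: "analytics", purpose: "traffic measurement" },
  { name: "ad_id", category: "marketing", purpose: "ad targeting" },
];

// A cookie may be set if it is essential or its category has been consented to.
function isAllowed(cookie, consent) {
  if (cookie.category === ESSENTIAL) return true;
  return consent[cookie.category] === true;
}

// Names of the cookies that may be set under this consent record.
function allowedCookies(consent, catalogue = COOKIE_CATALOGUE) {
  return catalogue.filter((c) => isAllowed(c, consent)).map((c) => c.name);
}

// Enforcement: write only the permitted cookies into the jar (a stand-in for
// document.cookie), leaving everything else untouched.
function setCookies(consent, jar = {}, catalogue = COOKIE_CATALOGUE) {
  for (const c of catalogue) {
    if (isAllowed(c, consent)) jar[c.name] = "1";
  }
  return jar;
}

// Withdrawal: reset consent to essentials only and delete any non-essential
// cookies that were set while consent was in force.
function withdrawConsent(jar, catalogue = COOKIE_CATALOGUE) {
  const updated = recordConsent({});
  const deleted = catalogue
    .filter((c) => !isAllowed(c, updated) && jar[c.name] !== undefined)
    .map((c) => c.name);
  for (const name of deleted) delete jar[name];
  return { consent: updated, deleted };
}

// Demo run.
console.log(allowedCookies(defaultConsent())); // only SERVERID before any choice
console.log(allowedCookies(recordConsent({ analytics: true }))); // SERVERID and _ga
const jar = setCookies(recordConsent({ analytics: true, marketing: true }));
console.log(withdrawConsent(jar).deleted); // _ga and ad_id removed
```

The important design point is in recordConsent: the check is `=== true`, so an unanswered banner, a closed banner, or a malformed stored value all resolve to "no consent" for every non-essential category. In a real site the jar would be document.cookie and the catalogue would be generated from a scan of the scripts the page loads.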

A survey conducted in 2021 revealed that 61% of website visitors from the UK agreed to cookies and 12% neither agreed nor disagreed. This means organisations were still able to use cookies despite the strict requirements, only now on terms the data subject had chosen.

Any website can obtain cookie consent by providing cookie banners when a user visits the website. This way you can use data while maintaining GDPR compliance. Fortunately, this is possible without burning your pocket using a Consent Management Platform (CMP). CookieYes is best at it with 1.5 million+ users and is a certified Google CMP Gold Partner with IAB TCF compliance. 

#3 Cross-border data transfer with third countries

The GDPR guarantees that the protection it provides remains with the data, even when it is transferred outside the European Union. That is why businesses transferring EU personal data to third countries (non-EU countries) must look for adequacy decisions or have Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR) to ensure that the data is protected. 

If a country is determined to have adequate data protection, data transfers to it can be made without any additional safeguards. The decision is based on many factors, such as how effective the country’s data protection laws are, the privacy rights offered, supervisory authorities, etc. The following are some of the countries recognised as having adequate data protection.

  • Argentina
  • Andorra
  • Canada
  • Faroe Islands
  • Japan 
  • New Zealand
  • Switzerland

SCCs and BCRs are alternative solutions to the lack of adequacy decision made by the European Commission. 

Requirements for non-EU entities

Non-EU companies that fall within the scope of GDPR should implement adequate measures to become compliant with the law. The following are the key GDPR requirements:

Data minimisation and purpose limitation

Keep the data collection and its usage to the minimum and strictly aligned with the specific purpose of collection. Avoid collecting unnecessary personal data or using it for secondary purposes. 

Milestones on the way to compliance

  • Conduct data mapping and identify the types of data you collect
  • Determine for how long you will retain the data
  • Understand data flows
  • Keep the database updated
  • Remove any unused or unnecessary personal data
  • Use data mapping tools if necessary

Have a lawful basis for processing

Lawful bases are like green cards for data processing, and there are six of them: consent, contract, legal obligation, legitimate interest, public task, and vital interest.

All entities should determine at least one lawful basis to justify their data collection. Out of these, businesses mostly rely on consent and legitimate interest. 

Milestones on the way to compliance

  • Determine the legal basis for each type of processing
  • Identify the legal basis before the processing begins
  • Specify it in the privacy policy
  • Keep the legal basis consistent, and avoid repurposing data under a new basis without full legal compliance
  • Implement consent mechanisms if consent is the basis

Implement data security

The European data protection law requires businesses to implement adequate security measures to safeguard personal data. These measures must be proportionate to the nature and amount of data that a business handles. 

For example, special categories of personal data need stronger security than general personal data. The security should be greater still if you handle a significant amount of special-category personal data.

Milestones on the way to compliance

  • Encrypt personal data
  • Implement role-based access controls
  • Use multi-factor authentication
  • Train employees on data security
  • Conduct regular backups
  • Have an incident response plan

Honour data subject rights

Non-EU companies must also honour GDPR data subject rights if they come under GDPR’s scope. 

Following are the 8 GDPR rights:

  • Right to be informed
  • Right to access
  • Right to restrict processing
  • Right to object
  • Right to data portability
  • Right to erasure
  • Right to rectification 
  • Rights against automated decision-making

Milestones on the way to compliance

  • Have a data subject request mechanism
  • The mechanisms should be convenient 
  • Develop standardised response templates
  • Keep the data in a portable format
  • Update data inventory regularly to quickly locate data 
  • Verify the requests 
  • Fulfill the requests without unnecessary delay

Maintain transparency 

The transparency requirements under GDPR are a commitment towards clear communication between data controllers and data subjects. The law mandates that businesses provide information about their data-handling practices to individuals. This can be fulfilled by providing a privacy policy, also known by the names privacy notice, privacy statement, etc.

Milestones on the way to compliance

  • Create a GDPR-compliant privacy policy with all the necessary components
  • Ensure that the privacy policy is clear and easy to understand
  • Use plain language
  • Avoid jargon
  • Make the policy accessible and conspicuously available
  • Leverage efficient privacy policy generators like CookieYes

Conduct Data Protection Impact Assessments (DPIAs)

Conduct impact assessments to assess your data processing activities and identify any risks associated with them. This is necessary if you handle high-risk data such as special categories of personal data/sensitive data or data used for profiling. 

Milestones on the way to compliance

  • Identify high-risk processing activities
  • Develop a DPIA framework
  • Update the data inventory regularly
  • Analyse potential risks and impacts
  • Consult privacy professionals
  • Identify and document risk mitigation measures

Appoint a Data Protection Officer (DPO) and representative

DPOs are like the compliance architects of a company. They design and oversee the framework to protect personal data. A DPO evaluates whether the data processing is compliant with the GDPR regulations, assesses privacy risks, and also acts as a point of contact between the organisation and Data Protection Authorities (DPAs).

Non-EU companies handling European personal data must also appoint a representative in the EU.

Milestones on the way to compliance

  • Assess the need for a DPO 
  • Define the roles and responsibilities of a DPO
  • Provide them with sufficient resources to fulfil their responsibilities
  • Select a qualified expert
  • Publish the DPO’s contact details to supervisory authorities, employees and individuals

Ensure third-party compliance

GDPR requires data controllers handling EU personal data to have contractual agreements, known as data processing agreements with data processors who process data on their behalf. Such contracts must ensure the compliance of data processors and determine their roles and duties concerning data processing.

Adequacy in cross-border transfers

If you engage in international transfers of personal data, within your organisation or outside it, you must confirm that such transfers are made with adequate protection. If the transfer is to a country with an adequacy decision, no extra steps may be needed. Otherwise, you may rely on BCRs or SCCs.

Penalties for non-compliance

Organisations that sidestep GDPR requirements could face substantial financial consequences. GDPR fines for non-compliance can be as high as 20 million euros or 4% of global annual turnover. The amount mostly depends on the nature and seriousness of the infringement, the frequency of violations, business size, etc.

In addition to monetary consequences, companies can also face bans on data processing, warnings and reprimands from supervisory authorities.

Key steps for Non-EU businesses to comply with GDPR 

If you are a non-EU business and are bound by GDPR’s data privacy requirements, here is a quick checklist for you.

  • Understand GDPR and its key criteria and requirements
  • Appoint a representative in the EU
  • Practice data minimisation and purpose limitation
  • Identify legal bases for processing
  • Conduct data mapping and keep the data inventory updated
  • Provide a clear and conspicuous privacy policy to data subjects
  • Implement reasonable data security measures
  • Use privacy-compliant CMPs like CookieYes for your online platforms
  • Conduct impact assessments
  • Establish convenient mechanisms for the data subjects to exercise their GDPR rights
  • Ensure adequacy in cross-border transfers
  • Appoint a DPO

FAQ on GDPR outside the EU

Does GDPR apply to US companies?

GDPR applies to US companies if they process EU residents’ personal data, offer them products or services, or monitor their behaviour.

Who does GDPR protect?

GDPR protects individuals living in the European Union regardless of their nationality.

Safna

Safna Y Yacoob is a data privacy writer at CookieYes with a law degree and certifications in the field. Dedicated to simplifying complex legalese, she stays current with data privacy trends through continuous learning.
