GDPR for US Companies: Complete Compliance Guide (2026)
February 21, 2026
Updated: February 22, 2026
28 min read
Data Protection
Here's a stat that should get the attention of every US company with international ambitions: thousands of GDPR fines have been issued since May 2018, totalling more than €7 billion. And it's not just European companies getting fined — US tech giants, ad-tech firms, and even mid-market SaaS companies have been hit with enforcement actions by EU data protection authorities.
Yet many American businesses still assume GDPR doesn't apply to them. "We don't have offices in Europe." "We're a US company governed by US law." "Our servers are in Virginia." None of these arguments hold up. GDPR applies to you if you offer goods or services to people in the EU or monitor their behaviour — regardless of where your company is headquartered, where your servers are located, or where your employees sit.
This guide explains exactly when GDPR applies to US companies, what you need to do to comply, how the EU-US Data Privacy Framework (DPF) works, what an Article 27 representative is and why you probably need one, and how to build a practical compliance programme — including why many US companies are turning to EU-based compliance partners in cost-effective markets like Croatia to manage their obligations efficiently.
Quick Reference

| Question | Details |
| --- | --- |
| Does GDPR apply to US companies? | Yes, if you offer goods/services to individuals in the EU or monitor their behaviour (Article 3(2)) |
| Key triggers | EU-language website, accepting EUR, targeting EU customers, tracking EU users, EU employees |
| Maximum fine | €20 million or 4% of global annual turnover, whichever is higher |
| EU representative required? | Yes, Article 27 requires non-EU controllers and processors to appoint an EU-based representative (narrow exemption in Article 27(2) for occasional, low-risk processing) |
| DPO required? | If your core activities involve large-scale regular and systematic monitoring, or large-scale processing of special category data (Article 37) |
| EU-US Data Privacy Framework | Self-certification mechanism for EU-to-US data transfers, operational since 10 July 2023 |
| Typical compliance cost (US SME) | $15,000–$80,000/year (significantly lower with EU-based partners such as Croatian providers) |
Key Takeaways
GDPR applies to US companies that offer goods or services to EU individuals or monitor their behaviour — there is no revenue threshold, no employee count minimum, and no exemption for being a US entity
The two triggers are (a) offering goods/services to EU data subjects (e.g., EU-language website, EUR pricing, shipping to EU) and (b) monitoring behaviour (e.g., cookies, analytics, ad targeting on EU users)
If GDPR applies, you must appoint an EU-based representative under Article 27 — this is a legal requirement, not a recommendation, with fines of up to €10M or 2% of turnover for non-compliance
The EU-US Data Privacy Framework (DPF) provides a legal mechanism for transferring personal data from the EU to the US, but requires self-certification through the Department of Commerce and ongoing compliance obligations
US companies face unique challenges: no comprehensive federal privacy law means your existing compliance programmes (state laws, HIPAA, GLBA) may not cover GDPR requirements
Enforcement against US companies is real and growing: Meta (€1.2B fine), Amazon (€746M), and many smaller companies have faced GDPR enforcement actions
Working with EU-based compliance partners — particularly in cost-effective markets like Croatia — gives you local expertise, DPA relationships, and 40-60% lower costs than using Big Four consultancies or Western EU firms
Start with a data mapping exercise to understand what EU personal data you process, then build your compliance programme around the findings
Does GDPR Apply to US Companies?
Short answer: If you have any meaningful interaction with EU-based individuals — as customers, users, employees, or data subjects — almost certainly yes.
Long answer: GDPR Article 3(2) extends the regulation's reach beyond the EU's borders. It applies to non-EU controllers and processors when either of two conditions is met:
Trigger 1: Offering goods or services to EU data subjects
You're caught by GDPR if you offer goods or services, whether paid or free, to individuals in the EU. Mere accessibility of your website from the EU is not enough on its own (Recital 23); the EDPB looks for evidence that you envisage EU customers, including:

| Indicator | Example |
| --- | --- |
| EU languages on your website (beyond English) | German, French, Spanish, Italian, Croatian language options |
| EU currencies accepted | EUR pricing, or other member-state currencies such as SEK, PLN or CZK |
| EU-specific domains | .eu, .de, .fr, .nl, .hr extensions |
| Shipping to EU addresses | EU delivery options in your checkout |
| References to EU customers | Marketing targeting EU markets, EU testimonials |
| EU-specific regulations mentioned | CE marking, EU sizing standards |
| EU app store availability | App specifically available/marketed in EU app stores |
Trigger 2: Monitoring the behaviour of EU data subjects
You're caught by GDPR if you monitor the behaviour of individuals in the EU, as far as that behaviour takes place within the EU:

| Activity | Applies? |
| --- | --- |
| Website analytics (Google Analytics, Mixpanel) tracking EU visitors | Yes |
| Cookie-based advertising targeting EU users | Yes |
| Behavioural profiling of EU individuals | Yes |
| Location tracking of EU-based app users | Yes |
| A/B testing with EU user segments | Likely yes |
| Email open tracking for EU recipients | Likely yes |
| Social media pixel tracking of EU visitors | Yes |
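Every tracker in the table above is a monitoring activity, and for EU visitors none of them may run before the visitor opts in (ePrivacy Directive Article 5(3), GDPR Article 7). The following is an added example written for this article, not code from the original page or from any analytics vendor's SDK: a minimal consent gate that stores a versioned, timestamped consent record in a first-party cookie and injects tracker scripts only for the purposes the visitor explicitly accepted. The cookie name, policy version string, six-month re-consent interval, tracker list and the placeholder URLs are all assumptions.

```javascript
// Consent-gated loading of behavioural trackers.
// Added example for this article, not code from the original page.
// Assumptions (not in the article): cookie name "gdpr_consent", a policy
// version string, a ~6-month re-consent interval, and placeholder tracker URLs.

const CONSENT_COOKIE = "gdpr_consent";
const POLICY_VERSION = "2026-02";                 // bump when purposes/vendors change
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000; // re-ask after ~6 months

// Each tracker is a "monitoring" activity under Art. 3(2)(b), tied to one purpose.
// URLs are placeholders (example.invalid never resolves).
const TRACKERS = [
  { id: "analytics", purpose: "analytics", src: "https://example.invalid/analytics.js" },
  { id: "ads-pixel", purpose: "advertising", src: "https://example.invalid/pixel.js" },
];
const PURPOSES = [...new Set(TRACKERS.map((t) => t.purpose))];

// Build a consent record. Every purpose starts at false; only an explicit
// boolean true flips it (a pre-ticked box, scrolling or silence is not consent).
function makeConsentRecord(choices, now = Date.now()) {
  const purposes = {};
  for (const p of PURPOSES) purposes[p] = choices[p] === true;
  return { version: POLICY_VERSION, timestamp: now, purposes };
}

// A stored record is usable only if it was given under the current policy
// version and has not expired; anything else means "ask again, load nothing".
function isConsentValid(record, now = Date.now()) {
  if (!record || record.version !== POLICY_VERSION) return false;
  if (typeof record.timestamp !== "number") return false;
  return now - record.timestamp <= CONSENT_TTL_MS;
}

// Trackers permitted by the record. No valid record => empty list (fail closed).
function allowedTrackers(record, now = Date.now()) {
  if (!isConsentValid(record, now)) return [];
  return TRACKERS.filter((t) => record.purposes[t.purpose] === true);
}

// Read the consent record back out of a document.cookie / Cookie-header string.
// A malformed value is treated as no consent rather than throwing.
function parseConsentCookie(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      return JSON.parse(decodeURIComponent(rest.join("=")));
    } catch (_) {
      return null;
    }
  }
  return null;
}

// The consent cookie is first-party and strictly necessary, so it needs no
// consent itself; Secure + SameSite=Lax keep it off cross-site requests.
function serializeConsentCookie(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  const maxAge = Math.floor(CONSENT_TTL_MS / 1000);
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Called from the banner. "Reject all" must be one click, like "Accept all":
// the caller passes {} for reject, which records a decision and loads nothing.
function recordChoice(doc, choices) {
  const record = makeConsentRecord(choices);
  doc.cookie = serializeConsentCookie(record);
  return record;
}

// Inject only the permitted <script> tags. Nothing runs before opt-in, which is
// the property DPAs check: no analytics or pixel requests on first page load.
function loadPermittedTrackers(doc) {
  const record = parseConsentCookie(doc.cookie || "");
  const loaded = [];
  for (const t of allowedTrackers(record)) {
    const s = doc.createElement("script");
    s.src = t.src;
    s.async = true;
    doc.head.appendChild(s);
    loaded.push(t.id);
  }
  return loaded;
}

// Browser entry point: run on page load. In Node (no document) this is skipped.
if (typeof document !== "undefined") {
  loadPermittedTrackers(document);
}
```

The properties a DPA audit probes are all visible in the code: nothing loads on a first visit; rejecting costs the visitor the same single click as accepting; consent is re-requested when the policy version changes or the interval lapses; and the stored record (which purposes, when, under which version) is the evidence you produce under Article 7(1). Server-side tag managers and vendor SDKs need the same gate in front of them, or the gate is decorative.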
Quick assessment: Does GDPR apply to you?
Answer yes to any one of these questions, and GDPR likely applies:
Do you have customers, users, or subscribers in the EU?
Does your website serve EU visitors with EU-specific content, pricing, shipping or language options?
Do you use analytics or advertising technology that tracks EU users?
Do you have employees, contractors, or partners based in the EU?
Do you process personal data of EU individuals for any purpose?
Do you sell products or services that are available to EU residents?
Does your mobile app have EU users?
Do you receive emails from EU-based individuals and store their data?
If your answer to every single question is genuinely "no," GDPR doesn't apply. Mere accessibility of a website from the EU is not by itself a trigger (Recital 23), but for most US companies with any international presence, even an English-language site that runs analytics or advertising cookies on its EU visitors, at least one trigger applies.
How GDPR's Extraterritorial Scope Works
Article 3(2) is what makes GDPR truly global:
"This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union."
Key principles for US companies
1. Citizenship doesn't matter
GDPR protects anyone "who is in the Union" — not just EU citizens. A US citizen living in Berlin is protected. An Australian tourist visiting Paris is protected while in the EU.
2. Revenue doesn't matter
There's no de minimis threshold. A two-person US startup with 10 EU users has the same legal obligations as a Fortune 500 company with millions of EU customers.
3. Server location doesn't matter
Your data can be on AWS in Virginia. GDPR applies to the processing, not to where the servers sit.
4. "Not targeting the EU" isn't a defence
If you're a US e-commerce site that happens to receive orders from EU customers, GDPR applies. The key question is whether you're offering goods or services to EU individuals, and an accessible website with international shipping qualifies.
5. Free services count
"We don't charge EU users" doesn't help. Free services that process personal data (analytics, advertising, social media) are covered.
GDPR Requirements for US Companies: Complete Checklist
Foundational requirements
| Requirement | GDPR Article | Priority |
| --- | --- | --- |
| Appoint an EU representative | Article 27 | Critical — legally required (unless the narrow Article 27(2) exemption applies) |
| Appoint a DPO (if applicable) | Articles 37-39 | High — if criteria are met |
| Lawful basis for processing | Article 6 | Critical — must have a legal basis for every processing activity |
| Consent management | Articles 6-7 (plus ePrivacy Directive Article 5(3) for cookies) | High — for marketing, cookies, non-essential processing |
| Privacy notice | Articles 13-14 | Critical — must inform EU data subjects |
| Records of processing activities | Article 30 | High — maintain ROPA |
| Data protection by design | Article 25 | High — embed privacy into product development |
| Data processing agreements | Article 28 | High — for all processors handling EU data |
| International transfer mechanisms | Articles 44-49 | Critical — for EU-to-US data flows |
| Data breach notification | Articles 33-34 | Critical — notify the DPA within 72 hours of becoming aware, where the breach is likely to result in a risk to individuals |
| Data subject rights processes | Articles 15-22 | High — must respond within one month (Article 12(3)), extendable by two months for complex or numerous requests |
| DPIA for high-risk processing | Article 35 | High — for profiling, large-scale processing, new technologies |
Step-by-step compliance path
Step 1: Data mapping (Weeks 1-3)
Identify all EU personal data you process: what data, whose data, why you have it, where it flows, who has access.
Step 2: Legal basis assessment (Weeks 2-4)
For each processing activity, determine the lawful basis: consent, contract, legal obligation, vital interests, public task, or legitimate interest.
Step 3: Appoint EU representative (Weeks 2-4)
Engage an Article 27 representative in an EU member state. Croatia offers cost-effective representation with full EU regulatory standing.
Step 4: Update privacy notices (Weeks 3-5)
Create GDPR-compliant privacy notices covering all required information elements from Articles 13-14.
Step 5: Establish data subject rights processes (Weeks 4-6)
Build processes to handle access, erasure, portability, and other rights requests within the one-month GDPR deadline (Article 12(3)).
Step 6: Implement transfer mechanisms (Weeks 5-8)
Self-certify under the EU-US DPF and/or put Standard Contractual Clauses, backed by a transfer impact assessment, in place for EU-to-US data flows.
Step 7: Create breach notification procedures (Weeks 6-8)
Establish processes to detect, assess, and notify breaches to the DPA within 72 hours of becoming aware of them.
Step 8: Conduct DPIAs (Weeks 6-10)
Perform Data Protection Impact Assessments for high-risk processing activities.
The EU-US Data Privacy Framework (DPF)
The EU-US Data Privacy Framework (DPF) is the current mechanism enabling personal data transfers from the EU to certified US organisations. It replaced the invalidated Privacy Shield (struck down in Schrems II, July 2020) and became operational on 10 July 2023, the date of the European Commission's adequacy decision.
How DPF works
| Step | Details |
| --- | --- |
| 1. Self-certify | Register with the Department of Commerce's DPF programme, run by the International Trade Administration |
| 2. Commit to principles | Publicly commit to the DPF Principles: notice; choice; accountability for onward transfer; security; data integrity and purpose limitation; access; recourse, enforcement and liability |
| 3. Identify data types | Specify whether you process HR data, non-HR data, or both |
| 4. Annual re-certification | Renew certification annually with DoC |
| 5. Ongoing compliance | Maintain privacy policies, dispute resolution, cooperation with DPAs |
DPF requirements for US companies
| Requirement | Details |
| --- | --- |
| Privacy policy | Must comply with DPF principles and be publicly available |
| Independent dispute resolution | Must designate an independent body for EU individual complaints |
| Cooperation with DPAs | Must cooperate with EU DPAs on HR data complaints |
| Accountability for onward transfers | Contractual obligations when sharing data with third parties |
| FTC/DoT enforcement | Subject to FTC or DoT enforcement for DPF violations |
| Annual re-certification | Must re-certify annually or face removal from the DPF list |
DPF limitations and risks
| Risk | Consideration |
| --- | --- |
| Legal challenge | The first annulment action (Latombe v Commission, T-553/23) was dismissed by the EU General Court in September 2025, but an appeal to the CJEU and further challenges by NOYB or others remain possible, as happened with Safe Harbor and Privacy Shield |
| Not comprehensive | DPF only covers transfers to certified US organisations — not all US entities |
| Sector limitations | Only organisations subject to FTC or DoT jurisdiction can self-certify (banks, insurers and non-profits, for example, generally cannot) |
| Ongoing obligations | Failure to maintain compliance can result in FTC enforcement actions |
| Belt and suspenders | Many companies implement DPF and SCCs as a backup |
Alternative transfer mechanisms
If DPF doesn't work for your situation:
| Mechanism | Use Case |
| --- | --- |
| Standard Contractual Clauses (SCCs) | Most common alternative; requires Transfer Impact Assessment |
| Binding Corporate Rules (BCRs) | Intra-group transfers in multinational companies |
| Derogations (Article 49) | Limited exceptions: explicit consent, contract necessity, public interest |
Article 27: Why You Need an EU Representative
If GDPR applies to your US company under Article 3(2), Article 27 requires you to designate in writing a representative established in the EU. The only exemption (Article 27(2)) covers processing that is occasional, does not include large-scale processing of special categories or criminal-offence data, and is unlikely to result in a risk to individuals; a company running analytics or advertising on EU visitors will rarely qualify. This is one of the most overlooked obligations for US companies.
What the representative does
Serves as the local contact point for EU supervisory authorities (DPAs)
Receives and forwards data subject requests and complaints
Maintains or helps maintain your records of processing activities
Cooperates with DPAs on your behalf during investigations
Listed in your privacy notice as the EU point of contact
Why it matters for US companies
Without a representative:
DPAs have no one to contact in the EU, which can escalate enforcement
EU business partners may refuse to work with you (compliance due diligence)
It's an independently fineable violation (up to €10M or 2% of turnover)
It signals disregard for GDPR to regulators
Choosing a representative location
Your representative must be established in one of the member states where the individuals you serve or monitor are (Article 27(3)). For most US companies with EU-wide exposure, any member state works. Croatia offers a compelling option:
Full EU and eurozone membership — identical regulatory standing to Ireland or Germany
30-50% lower costs than Western EU providers
Strong English proficiency among Croatian compliance professionals
CET timezone, six hours ahead of US Eastern time, so a Croatian provider's afternoon overlaps with the US East Coast morning
GDPR vs US Privacy Law: Key Differences

| Aspect | GDPR | US privacy law |
| --- | --- | --- |
| Maximum penalty | €20 million or 4% of global annual turnover | Varies — FTC consent orders, state AG actions, sector-specific penalties |
| Enforcement | Independent DPAs in each EU member state | FTC, state AGs, sector regulators |
| Legal basis required | Yes — must identify legal basis for each processing activity | Generally no (except for regulated sectors) |
| DPO/privacy officer | Mandatory in certain cases | Voluntary (except in some regulated sectors) |
| International transfers | Strict requirements (adequacy, SCCs, DPF) | Generally unrestricted |
| Privacy by design | Legal requirement (Article 25) | Best practice, not legally mandated |

Key implication for US companies
Your existing US privacy compliance (CCPA/CPRA, HIPAA, state laws) does not automatically satisfy GDPR. You need a separate, dedicated GDPR compliance programme. However, companies with mature US privacy programmes have a head start — the concepts are similar even if the requirements differ.
Building a GDPR Compliance Programme
Phase 1: Assessment (Months 1-2)

| Activity | Deliverable |
| --- | --- |
| Data mapping | Complete inventory of EU personal data processing |
| Legal basis analysis | Legal basis assigned to each processing activity |
| Gap assessment | Compliance gaps identified and prioritised |
| Risk assessment | Risk register with impact and likelihood ratings |
| Vendor inventory | List of all processors handling EU data with their locations |

Phase 2: Implementation (Months 2-4)

| Activity | Deliverable |
| --- | --- |
| Privacy notices | GDPR-compliant notices for all touchpoints |
| Consent management | Cookie consent, marketing consent, consent records |
| Data subject rights processes | Documented procedures with one-month SLAs (Article 12(3)) |
| Data processing agreements | Article 28-compliant DPAs with all processors |
| Transfer mechanisms | DPF certification and/or SCCs in place |
| Breach response plan | 72-hour notification procedures |
| EU representative | Appointed and listed in privacy notice |
| DPO (if required) | Designated and contact details communicated to the DPA |

Phase 3: Operationalisation (Months 4-6)

| Activity | Deliverable |
| --- | --- |
| Employee training | GDPR awareness training for all staff handling EU data |
| Privacy by design processes | Privacy review integrated into product development |
| DPIA framework | Process for conducting DPIAs on high-risk processing |
| ROPA maintenance | Ongoing records of processing activities |
| Vendor management | Due diligence process for new processors |

Phase 4: Ongoing compliance (Continuous)

| Activity | Frequency |
| --- | --- |
| Regulatory monitoring | Continuous |
| Privacy notice updates | As processing changes |
| Annual compliance review | Annually |
| Training refresh | Annually |
| DPF re-certification | Annually |
| DPIA reviews | When processing changes materially |
International Data Transfers: EU to US
For US companies, the data transfer question is paramount. Every time EU personal data flows to your US servers, you need a legal transfer mechanism.
Transfer mechanism comparison

| Mechanism | Cost | Complexity | Reliability | Recommended? |
| --- | --- | --- | --- | --- |
| EU-US DPF | Low (tiered annual fee set by the Department of Commerce, based on revenue) | Moderate | Subject to legal challenge | Yes, as primary mechanism |
| SCCs (2021 version) | Moderate | High (TIA required) | Well-established | Yes, as backup or alternative |
| Binding Corporate Rules | High ($50K-$200K+) | Very high (DPA approval required) | Very reliable once approved | Only for large multinationals |
| Consent (Art. 49(1)(a)) | Low | Low | Not reliable for systematic transfers | Only for occasional transfers |
| Contract necessity (Art. 49(1)(b)) | Low | Low | Limited scope | Only when strictly necessary |
Best practice: Belt and suspenders
Many sophisticated US companies implement both DPF and SCCs:
Self-certify under DPF as the primary transfer mechanism
Execute SCCs with key EU partners/processors as a fallback
Conduct Transfer Impact Assessments documenting US surveillance laws and supplementary measures
Monitor legal challenges to DPF and be ready to rely on SCCs if DPF is invalidated
Enforcement Against US Companies: Real Cases
Major enforcement actions

| Company | Fine | DPA | Key Issue |
| --- | --- | --- | --- |
| Meta | €1.2 billion (2023) | Irish DPC | Illegal EU-US data transfers after Schrems II |
| Amazon | €746 million (2021) | Luxembourg CNPD | Behavioural advertising without adequate consent |
| Meta (WhatsApp) | €225 million (2021) | Irish DPC | Inadequate privacy notice |
| Google | €150 million (2022) | French CNIL | Cookie consent violations |
| Clearview AI | €20 million from each of three DPAs (2022) | Italian Garante, Greek DPA, French CNIL | Biometric data collection without legal basis |
| Microsoft | €60 million (2022) | French CNIL | Cookie consent on Bing |
Enforcement trends affecting US companies
Transfer enforcement intensifying: Post-Schrems II, DPAs are actively investigating EU-US data transfers
Cookie and consent focus: European DPAs aggressively enforcing consent requirements on US-operated websites
Cross-border coordination: DPAs cooperating through the EDPB's consistency mechanism for large cases
SME enforcement growing: Not just tech giants — smaller US companies are receiving enforcement notices
AI-related enforcement emerging: The intersection of AI Act and GDPR is creating new enforcement vectors
Working with EU-Based Compliance Partners
Why EU-based partners matter for US companies
Achieving GDPR compliance from the US alone is challenging. EU-based compliance partners provide:
Regulatory proximity: Direct experience with DPAs and understanding of enforcement culture
Article 27 representation: Can serve as your mandatory EU representative
The trade-off with a Croatian partner is less brand recognition than a Big Four or Western EU firm (but equivalent regulatory standing). Compared with doing it yourself:

| Option | Typical cost | Assessment |
| --- | --- | --- |
| DIY with templates | $5,000–$20,000 (tools only) | Cheapest, but high risk: no expert oversight, compliance gaps likely |
Cost breakdown: Typical US SME GDPR compliance

| Component | Croatia-Based Partner | Western EU Firm |
| --- | --- | --- |
| Initial gap assessment | $3,000–$8,000 | $10,000–$30,000 |
| Article 27 representative | $1,400–$3,500/year | $5,500–$16,500/year |
| External DPO (if needed) | $6,000–$30,000/year | $24,000–$84,000/year |
| Privacy notice + policy creation | $2,000–$5,000 | $5,000–$15,000 |
| Consent management setup | $1,500–$4,000 | $3,000–$10,000 |
| DSAR process implementation | $1,500–$3,500 | $3,000–$8,000 |
| Ongoing compliance advisory | $6,000–$18,000/year | $18,000–$60,000/year |
| Annual total (Year 1) | $21,400–$72,000 | $68,500–$223,500 |
Frequently Asked Questions
Does GDPR apply if I only have US customers but some visit from the EU?
If a US customer travels to the EU and uses your service while there, GDPR technically applies to that processing. In practice, enforcement for this edge case is rare. However, if your website is globally accessible and you process analytics data from EU visitors, that's the more common trigger.
Do I need GDPR compliance if I use AWS/Azure with EU regions?
Using an EU-region cloud server doesn't automatically make you GDPR-compliant. You still need lawful bases, privacy notices, data subject rights processes, and potentially an EU representative. However, using EU-based infrastructure can simplify some transfer-related obligations.
Can I just block EU visitors to avoid GDPR?
Technically, if you completely block EU access and don't process any EU personal data, GDPR wouldn't apply. But implementing effective geo-blocking is harder than it sounds (VPNs, travelling users), and it means forfeiting the EU market entirely. For most companies, compliance is a better investment than avoidance.
What happens if a US company ignores GDPR?
Enforcement options include: administrative fines (up to €20M/4% of turnover), orders to cease processing EU data, public reprimand, and — increasingly — coordinated cross-border enforcement. DPAs can also pursue enforcement through international cooperation mechanisms. In practice, many US companies have been contacted by EU DPAs for violations.
Do US companies need to comply with GDPR AND state privacy laws?
Yes. GDPR compliance doesn't exempt you from CCPA/CPRA, Virginia CDPA, Colorado CPA, or other US state privacy laws. However, a comprehensive GDPR compliance programme typically covers most state law requirements, since GDPR is generally more demanding.
How does the EU AI Act affect US companies already subject to GDPR?
The EU AI Act has similar extraterritorial scope: it applies to providers and deployers established outside the EU where the AI system is placed on the EU market or its output is used in the EU (Article 2(1)). US companies using AI that processes EU personal data face both GDPR and AI Act obligations. The AI Act also requires non-EU providers of high-risk AI systems to appoint an authorised representative in the EU (Article 22), mirroring GDPR Article 27.
Is the EU-US Data Privacy Framework reliable, given Privacy Shield was invalidated?
DPF includes stronger safeguards than Privacy Shield (notably, the Data Protection Review Court for EU individual complaints about US government surveillance). However, NOYB has signalled potential legal challenges. The pragmatic approach: certify under DPF but also implement SCCs as a backup.
What's the cheapest way to achieve GDPR compliance?
Working with an EU-based compliance partner in a cost-effective market like Croatia. You get genuine EU expertise, DPA familiarity, and bundled services (representative + DPO + advisory) at 40-60% of what Western EU firms or Big Four consultancies charge. This approach is more reliable than DIY and significantly cheaper than traditional advisory firms.
US company navigating GDPR? Vision Compliance provides comprehensive GDPR compliance services from Croatia — including Article 27 representation, DPO services, and full compliance programme management — at rates 40-60% below Western EU providers. Schedule a consultation to discuss your compliance needs.
Ivana Ludiga·Associate·mag. iur.
Ivana Ludiga, mag. iur., is an Associate at Vision Compliance focused on data protection, GDPR implementation, and regulatory advisory. She supports compliance projects for organizations across healthcare, financial services, and technology sectors.