GDPR (General Data Protection Regulation) is the EU's comprehensive data protection law that applies to any US company offering goods or services to people in the EU or monitoring their behaviour, regardless of where the company is headquartered, where its servers are located, or whether it has a physical European presence.
Here's a stat that should get the attention of every US company with international ambitions: thousands of GDPR fines have been issued since May 2018, totalling more than €7 billion. And it's not just European companies getting fined — US tech giants, ad-tech firms, and even mid-market SaaS companies have been hit with enforcement actions by EU data protection authorities.
Yet many American businesses still assume GDPR doesn't apply to them. "We don't have offices in Europe." "We're a US company governed by US law." "Our servers are in Virginia." None of these arguments hold up. GDPR applies to you if you offer goods or services to people in the EU or monitor their behaviour — regardless of where your company is headquartered, where your servers are located, or where your employees sit.
This guide explains exactly when GDPR applies to US companies, what you need to do to comply, how the EU-US Data Privacy Framework (DPF) works, what an Article 27 representative is and why you probably need one, and how to build a practical compliance programme through GDPR compliance services, including why many US companies are turning to EU-based compliance partners in cost-effective markets like Croatia to manage their obligations efficiently.
| Quick Reference | Details |
|---|---|
| Does GDPR apply to US companies? | Yes — if you offer goods/services to EU individuals or monitor their behaviour (Article 3(2)) |
| Key triggers | EU-language website, accepting EUR, targeting EU customers, tracking EU users, EU employees |
| Maximum fine | €20 million or 4% of global annual turnover, whichever is higher |
| EU representative required? | Yes — Article 27 requires non-EU companies to appoint an EU-based representative |
| DPO required? | If your core activities involve large-scale monitoring or processing of special category data |
| EU-US Data Privacy Framework | Self-certification mechanism for US-to-EU data transfers — operational since July 2023 |
| Key rights for EU individuals | Access, rectification, erasure, portability, objection, restriction, automated decision-making opt-out |
| Compliance cost for US SME | $15,000–$80,000/year (significantly lower with EU-based partners like Croatian providers) |
Key Takeaways
- GDPR applies to US companies that offer goods or services to EU individuals or monitor their behaviour — there is no revenue threshold, no employee count minimum, and no exemption for being a US entity
- The two triggers are (a) offering goods/services to EU data subjects (e.g., EU-language website, EUR pricing, shipping to EU) and (b) monitoring behaviour (e.g., cookies, analytics, ad targeting on EU users)
- If GDPR applies, you must appoint an EU-based representative under Article 27 — this is a legal requirement, not a recommendation, with fines of up to €10M or 2% of turnover for non-compliance
- The EU-US Data Privacy Framework (DPF) provides a legal mechanism for transferring personal data from the EU to the US, but requires self-certification through the Department of Commerce and ongoing compliance obligations
- US companies face unique challenges: no comprehensive federal privacy law means your existing compliance programmes (state laws, HIPAA, GLBA) may not cover GDPR requirements
- Enforcement against US companies is real and growing: Meta (€1.2B fine), Amazon (€746M), and many smaller companies have faced GDPR enforcement actions
- Working with EU-based compliance partners — particularly in cost-effective markets like Croatia — gives you local expertise, DPA relationships, and 40-60% lower costs than using Big Four consultancies or Western EU firms
- Start with a data mapping exercise to understand what EU personal data you process, then build your compliance programme around the findings
Table of Contents
- Does GDPR Apply to My US Company?
- How GDPR's Extraterritorial Scope Works
- GDPR Requirements for US Companies: Complete Checklist
- The EU-US Data Privacy Framework Explained
- Article 27: Why You Need an EU Representative
- Data Subject Rights: What US Companies Must Provide
- GDPR vs. US Privacy Laws: Key Differences
- Building a GDPR Compliance Programme
- International Data Transfers: EU to US
- Enforcement Against US Companies: Real Cases
- Working with EU-Based Compliance Partners
- GDPR Compliance Costs for US Companies
- Frequently Asked Questions
- Related Resources
Does GDPR Apply to My US Company?
Short answer: If you have any meaningful interaction with EU-based individuals — as customers, users, employees, or data subjects — almost certainly yes.
Long answer: GDPR Article 3(2) extends the regulation's reach beyond the EU's borders. It applies to non-EU controllers and processors when either of two conditions is met:
Trigger 1: Offering goods or services to EU data subjects
You're caught by GDPR if you offer goods or services — whether paid or free — to individuals in the EU. The EDPB has identified indicators including:
| Indicator | Example |
|---|---|
| EU languages on your website (beyond English) | German, French, Spanish, Italian, Croatian language options |
| EU currencies accepted | EUR pricing, GBP payment options |
| EU-specific domains | .eu, .de, .fr, .nl, .hr extensions |
| Shipping to EU addresses | EU delivery options in your checkout |
| References to EU customers | Marketing targeting EU markets, EU testimonials |
| EU-specific regulations mentioned | CE marking, EU sizing standards |
| EU app store availability | App specifically available/marketed in EU app stores |
Trigger 2: Monitoring the behaviour of EU data subjects
You're caught by GDPR if you monitor the behaviour of individuals in the EU:
| Activity | Applies? |
|---|---|
| Website analytics (Google Analytics, Mixpanel) tracking EU visitors | Yes |
| Cookie-based advertising targeting EU users | Yes |
| Behavioural profiling of EU individuals | Yes |
| Location tracking of EU-based app users | Yes |
| A/B testing with EU user segments | Likely yes |
| Email open tracking for EU recipients | Likely yes |
| Social media pixel tracking of EU visitors | Yes |
Quick assessment: Does GDPR apply to you?
Answer yes to any one of these questions, and GDPR likely applies:
- Do you have customers, users, or subscribers in the EU?
- Does your website accept visitors from EU countries?
- Do you use analytics or advertising technology that tracks EU users?
- Do you have employees, contractors, or partners based in the EU?
- Do you process personal data of EU individuals for any purpose?
- Do you sell products or services that are available to EU residents?
- Does your mobile app have EU users?
- Do you receive emails from EU-based individuals and store their data?
If your answer to every single question is genuinely "no," GDPR doesn't apply. For most US companies with any international presence — even an English-language website with EU visitors — at least one trigger applies.
How GDPR's Extraterritorial Scope Works
Article 3(2) is what makes GDPR truly global:
"This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union."
Key principles for US companies
1. Citizenship doesn't matter GDPR protects anyone "who is in the Union" — not just EU citizens. A US citizen living in Berlin is protected. An Australian tourist visiting Paris is protected while in the EU.
2. Revenue doesn't matter There's no de minimis threshold. A two-person US startup with 10 EU users has the same legal obligations as a Fortune 500 company with millions of EU customers.
3. Server location doesn't matter Your data can be on AWS in Virginia. GDPR applies to the processing, not to where the servers sit.
4. "Not targeting the EU" isn't a defence If you're a US e-commerce site that happens to receive orders from EU customers, GDPR applies. The key question is whether you're offering goods or services to EU individuals, and an accessible website with international shipping qualifies.
5. Free services count "We don't charge EU users" doesn't help. Free services that process personal data (analytics, advertising, social media) are covered.
GDPR Requirements for US Companies: Complete Checklist
Foundational requirements
| Requirement | GDPR Article | Priority |
|---|---|---|
| Appoint an EU representative | Article 27 | Critical — legally required |
| Appoint a DPO (if applicable) | Articles 37-39 | High — if criteria are met |
| Lawful basis for processing | Article 6 | Critical — must have a legal basis for every processing activity |
| Consent management | Articles 6-7 | High — for marketing, cookies, non-essential processing |
| Privacy notice | Articles 13-14 | Critical — must inform EU data subjects |
| Records of processing activities | Article 30 | High — maintain ROPA |
| Data protection by design | Article 25 | High — embed privacy into product development |
| Data processing agreements | Article 28 | High — for all processors handling EU data |
| International transfer mechanisms | Articles 44-49 | Critical — for EU-to-US data flows |
| Data breach notification | Articles 33-34 | Critical — 72-hour notification to DPA |
| Data subject rights processes | Articles 15-22 | High — must be able to respond within 30 days |
| DPIA for high-risk processing | Article 35 | High — for profiling, large-scale processing, new technologies |
Step-by-step compliance path
Step 1: Data mapping (Weeks 1-3) Identify all EU personal data you process: what data, whose data, why you have it, where it flows, who has access.
Step 2: Legal basis assessment (Weeks 2-4) For each processing activity, determine the lawful basis: consent, contract, legal obligation, vital interests, public task, or legitimate interest.
Step 3: Appoint EU representative (Weeks 2-4) Engage an Article 27 representative in an EU member state. Croatia offers cost-effective representation with full EU regulatory standing.
Step 4: Update privacy notices (Weeks 3-5) Create GDPR-compliant privacy notices covering all required information elements from Articles 13-14.
Step 5: Implement consent management (Weeks 4-6) Deploy cookie consent management, marketing opt-in mechanisms, and consent record-keeping.
Step 6: Establish data subject rights processes (Weeks 4-6) Build processes to handle access, erasure, portability, and other rights requests within the 30-day GDPR deadline.
Step 7: Implement transfer mechanisms (Weeks 5-8) Self-certify under the EU-US DPF and/or implement Standard Contractual Clauses for data transfers.
Step 8: Create breach notification procedures (Weeks 6-8) Establish processes to detect, assess, and notify breaches within 72 hours.
Step 9: Conduct DPIAs (Weeks 6-10) Perform Data Protection Impact Assessments for high-risk processing activities.
Step 10: Ongoing compliance (Continuous) Regular reviews, training, policy updates, regulatory monitoring.
The EU-US Data Privacy Framework Explained
The EU-US Data Privacy Framework (DPF) is the current mechanism enabling personal data transfers from the EU to certified US organisations. It replaced the invalidated Privacy Shield (struck down in Schrems II, July 2020) and became operational on 10 July 2023 following the European Commission's adequacy decision.
How DPF works
| Step | Details |
|---|---|
| 1. Self-certify | Register with the Department of Commerce's DPF programme |
| 2. Commit to principles | Agree to DPF principles: notice, choice, accountability, security, data integrity, access, recourse |
| 3. Identify data types | Specify whether you process HR data, non-HR data, or both |
| 4. Annual re-certification | Renew certification annually with DoC |
| 5. Ongoing compliance | Maintain privacy policies, dispute resolution, cooperation with DPAs |
DPF requirements for US companies
| Requirement | Details |
|---|---|
| Privacy policy | Must comply with DPF principles and be publicly available |
| Independent dispute resolution | Must designate an independent body for EU individual complaints |
| Cooperation with DPAs | Must cooperate with EU DPAs on HR data complaints |
| Accountability for onward transfers | Contractual obligations when sharing data with third parties |
| FTC/DoT enforcement | Subject to FTC or DoT enforcement for DPF violations |
| Annual re-certification | Must re-certify annually or face removal from the DPF list |
DPF limitations and risks
| Risk | Consideration |
|---|---|
| Legal challenge | NOYB and other privacy organisations may challenge DPF (as they did with Safe Harbor and Privacy Shield) |
| Not comprehensive | DPF only covers transfers to certified US organisations — not all US entities |
| Sector limitations | Only organisations subject to FTC or DoT jurisdiction can self-certify |
| Ongoing obligations | Failure to maintain compliance can result in FTC enforcement actions |
| Belt and suspenders | Many companies implement DPF and SCCs as a backup |
Alternative transfer mechanisms
If DPF doesn't work for your situation:
| Mechanism | Use Case |
|---|---|
| Standard Contractual Clauses (SCCs) | Most common alternative; requires Transfer Impact Assessment |
| Binding Corporate Rules (BCRs) | Intra-group transfers in multinational companies |
| Derogations (Article 49) | Limited exceptions: explicit consent, contract necessity, public interest |
Article 27: Why You Need an EU Representative
If GDPR applies to your US company under Article 3(2), you are required by Article 27 to designate a representative physically established in the EU. This is one of the most overlooked obligations for US companies — without a representative, DPAs have no one to contact in the EU, business partners may refuse to work with you, and it is an independently fineable violation (up to EUR 10M or 2% of turnover).
For a full breakdown of representative duties, how to choose a location, cost benchmarks, and common mistakes, see our dedicated guide: GDPR Representative (Article 27): Complete Guide.
Data Subject Rights: What US Companies Must Provide
EU data subjects have extensive rights that US companies must honour:
| Right | What It Means | Deadline | US Equivalent |
|---|---|---|---|
| Right of access (Art. 15) | Individuals can request a copy of all their personal data and information about how it's processed | 30 days | Limited (CCPA has similar) |
| Right to rectification (Art. 16) | Correct inaccurate personal data | 30 days | Limited |
| Right to erasure (Art. 17) | "Right to be forgotten" — delete personal data when no longer necessary | 30 days | CCPA has similar |
| Right to restrict (Art. 18) | Limit how you process their data | 30 days | No US equivalent |
| Right to portability (Art. 20) | Receive their data in a machine-readable format | 30 days | No broad US equivalent |
| Right to object (Art. 21) | Object to processing based on legitimate interest or for direct marketing | Without undue delay | Limited (CAN-SPAM for marketing) |
| Automated decision-making (Art. 22) | Not be subject to solely automated decisions with legal effects | 30 days | No US equivalent |
GDPR vs. US Privacy Laws: Key Differences
| Dimension | GDPR | US Privacy Laws |
|---|---|---|
| Scope | Comprehensive — covers all personal data processing | Sectoral — HIPAA (health), GLBA (financial), COPPA (children), state laws (CCPA/CPRA) |
| Consent | Opt-in required for most non-essential processing | Mostly opt-out (except COPPA) |
| Data subject rights | Extensive (access, erasure, portability, objection, restriction) | Varies by law — CCPA most comprehensive |
| Breach notification | 72 hours to DPA | Varies by state (typically 30-90 days) |
| Fines | Up to €20M or 4% of global turnover | Varies — FTC consent orders, state AG actions, sector-specific penalties |
| Enforcement | Independent DPAs in each EU member state | FTC, state AGs, sector regulators |
| Legal basis required | Yes — must identify legal basis for each processing activity | Generally no (except for regulated sectors) |
| DPO/privacy officer | Mandatory in certain cases | Voluntary (except in some regulated sectors) |
| International transfers | Strict requirements (adequacy, SCCs, DPF) | Generally unrestricted |
| Privacy by design | Legal requirement (Article 25) | Best practice, not legally mandated |
Key implication for US companies
Your existing US privacy compliance (CCPA/CPRA, HIPAA, state laws) does not automatically satisfy GDPR. You need a separate, dedicated GDPR compliance programme. If you also serve the UK market post-Brexit, note that the UK GDPR diverges in several important ways — see our GDPR vs UK GDPR guide for the key differences. Companies with mature US privacy programmes have a head start — the concepts are similar even if the requirements differ.
Building a GDPR Compliance Programme
Phase 1: Assessment (Months 1-2)
| Activity | Deliverable |
|---|---|
| Data mapping | Complete inventory of EU personal data processing |
| Legal basis analysis | Legal basis assigned to each processing activity |
| Gap assessment | Compliance gaps identified and prioritised |
| Risk assessment | Risk register with impact and likelihood ratings |
| Vendor inventory | List of all processors handling EU data with their locations |
Phase 2: Implementation (Months 2-4)
| Activity | Deliverable |
|---|---|
| Privacy notices | GDPR-compliant notices for all touchpoints |
| Consent management | Cookie consent, marketing consent, consent records |
| Data subject rights processes | Documented procedures with 30-day SLAs |
| Data processing agreements | Article 28-compliant DPAs with all processors |
| Transfer mechanisms | DPF certification and/or SCCs in place |
| Breach response plan | 72-hour notification procedures |
| EU representative | Appointed and listed in privacy notice |
| DPO (if required) | Designated and registered with DPA |
Phase 3: Operationalisation (Months 4-6)
| Activity | Deliverable |
|---|---|
| Employee training | GDPR awareness training for all staff handling EU data |
| Privacy by design processes | Privacy review integrated into product development |
| DPIA framework | Process for conducting DPIAs on high-risk processing |
| ROPA maintenance | Ongoing records of processing activities |
| Vendor management | Due diligence process for new processors |
Phase 4: Ongoing compliance (Continuous)
| Activity | Frequency |
|---|---|
| Regulatory monitoring | Continuous |
| Privacy notice updates | As processing changes |
| Annual compliance review | Annually |
| Training refresh | Annually |
| DPF re-certification | Annually |
| DPIA reviews | When processing changes materially |
International Data Transfers: EU to US
For US companies, the data transfer question is paramount. Every time EU personal data flows to your US servers, you need a legal transfer mechanism. Understanding data sovereignty requirements in the EU is essential context for these decisions.
Transfer mechanism comparison
| Mechanism | Cost | Complexity | Reliability | Recommended? |
|---|---|---|---|---|
| EU-US DPF | Low ($0 filing) | Moderate | Subject to legal challenge | Yes, as primary mechanism |
| SCCs (2021 version) | Moderate | High (TIA required) | Well-established | Yes, as backup or alternative |
| Binding Corporate Rules | High ($50K-$200K+) | Very high (DPA approval required) | Very reliable once approved | Only for large multinationals |
| Consent (Art. 49(1)(a)) | Low | Low | Not reliable for systematic transfers | Only for occasional transfers |
| Contract necessity (Art. 49(1)(b)) | Low | Low | Limited scope | Only when strictly necessary |
Best practice: Belt and suspenders
Many sophisticated US companies implement both DPF and SCCs:
- Self-certify under DPF as the primary transfer mechanism
- Execute SCCs with key EU partners/processors as a fallback
- Conduct Transfer Impact Assessments documenting US surveillance laws and supplementary measures
- Monitor legal challenges to DPF and be ready to rely on SCCs if DPF is invalidated
Enforcement Against US Companies: Real Cases
Major enforcement actions
| Company | Fine | DPA | Key Issue |
|---|---|---|---|
| Meta | €1.2 billion (2023) | Irish DPC | Illegal EU-US data transfers after Schrems II |
| Amazon | €746 million (2021) | Luxembourg CNPD | Behavioural advertising without adequate consent |
| Meta (WhatsApp) | €225 million (2021) | Irish DPC | Inadequate privacy notice |
| €150 million (2022) | French CNIL | Cookie consent violations | |
| Clearview AI | €20 million (2022) | Italian Garante, Greek DPA, French CNIL | Biometric data collection without legal basis |
| Microsoft | €60 million (2022) | French CNIL | Cookie consent on Bing |
Enforcement trends affecting US companies
- Transfer enforcement intensifying: Post-Schrems II, DPAs are actively investigating EU-US data transfers
- Cookie and consent focus: European DPAs aggressively enforcing consent requirements on US-operated websites
- Cross-border coordination: DPAs cooperating through the EDPB's consistency mechanism for large cases
- SME enforcement growing: Not just tech giants — smaller US companies are receiving enforcement notices
- AI-related enforcement emerging: The intersection of AI Act and GDPR is creating new enforcement vectors
Working with EU-Based Compliance Partners
Why EU-based partners matter for US companies
Achieving GDPR compliance from the US alone is challenging. EU-based compliance partners provide:
- Regulatory proximity: Direct experience with DPAs and understanding of enforcement culture
- Article 27 representation: Can serve as your mandatory EU representative
- DPO services: External DPO meets GDPR's expertise requirement with EU-based credentials
- Local knowledge: Understanding of national implementing laws across EU member states
- Timezone coverage: Handle DPA inquiries and data subject requests during EU business hours
- Language capability: Communicate with DPAs in their official languages
Why Croatia for US companies
Croatia has emerged as a strategic choice for US companies seeking EU compliance support:
Cost advantage
- Compliance consulting: $80–$180/hour (vs. $300–$600 at Big Four or Western EU firms)
- Article 27 representative: €1,200–€3,000/year (vs. €5,000–€15,000 in Ireland/Germany)
- DPO as a Service: €500–€2,500/month (vs. €2,000–€7,000 in Western EU)
- Bundled services (representative + DPO + compliance advisory): €10,000–€20,000/year
Quality parity
- Same certifications (CIPP/E, CIPM, ISO 27001 Lead Auditor)
- Same regulatory framework (GDPR, NIS2, DORA apply identically)
- Professionals with cross-border EU experience
- Strong English proficiency
Practical advantages
- CET timezone: 6 hours ahead of US East Coast — afternoon meetings work for both sides
- Eurozone: invoicing in EUR, no currency complexity
- EU/Schengen: seamless coordination with any other EU member state
- AZOP (Croatian DPA): well-organised, accessible supervisory authority
GDPR Compliance Costs for US Companies
DIY vs. partnered compliance
| Approach | Annual Cost | Pros | Cons |
|---|---|---|---|
| Internal team only | $150,000–$400,000 (salaries + tools) | Full control, deep knowledge | Expensive, slow to build, may lack EU expertise |
| Big Four / major law firm | $100,000–$500,000+ | Brand recognition, comprehensive | Very expensive, may over-engineer |
| Western EU compliance firm | $50,000–$150,000 | EU expertise, DPA relationships | Mid-range cost |
| Croatia-based compliance partner | $15,000–$80,000 | EU expertise, cost-effective, bundled services | Less brand recognition (but equivalent regulatory standing) |
| DIY with templates | $5,000–$20,000 (tools only) | Cheapest | High risk — no expert oversight, compliance gaps likely |
Cost breakdown: Typical US SME GDPR compliance
| Component | Croatia-Based Partner | Western EU Firm |
|---|---|---|
| Initial gap assessment | $3,000–$8,000 | $10,000–$30,000 |
| Article 27 representative | $1,400–$3,500/year | $5,500–$16,500/year |
| External DPO (if needed) | $6,000–$30,000/year | $24,000–$84,000/year |
| Privacy notice + policy creation | $2,000–$5,000 | $5,000–$15,000 |
| Consent management setup | $1,500–$4,000 | $3,000–$10,000 |
| DSAR process implementation | $1,500–$3,500 | $3,000–$8,000 |
| Ongoing compliance advisory | $6,000–$18,000/year | $18,000–$60,000/year |
| Annual total (Year 1) | $21,400–$72,000 | $68,500–$223,500 |
Frequently Asked Questions
Does GDPR apply if I only have US customers but some visit from the EU?
If a US customer travels to the EU and uses your service while there, GDPR technically applies to that processing. In practice, enforcement for this edge case is rare. However, if your website is globally accessible and you process analytics data from EU visitors, that's the more common trigger.
Do I need GDPR compliance if I use AWS/Azure with EU regions?
Using an EU-region cloud server doesn't automatically make you GDPR-compliant. You still need lawful bases, privacy notices, data subject rights processes, and potentially an EU representative. However, using EU-based infrastructure can simplify some transfer-related obligations.
Can I just block EU visitors to avoid GDPR?
Technically, if you completely block EU access and don't process any EU personal data, GDPR wouldn't apply. But implementing effective geo-blocking is harder than it sounds (VPNs, travelling users), and it means forfeiting the EU market entirely. For most companies, compliance is a better investment than avoidance.
What happens if a US company ignores GDPR?
Enforcement options include: administrative fines (up to €20M/4% of turnover), orders to cease processing EU data, public reprimand, and — increasingly — coordinated cross-border enforcement. DPAs can also pursue enforcement through international cooperation mechanisms. In practice, many US companies have been contacted by EU DPAs for violations.
Do US companies need to comply with GDPR AND state privacy laws?
Yes. GDPR compliance doesn't exempt you from CCPA/CPRA, Virginia CDPA, Colorado CPA, or other US state privacy laws. However, a comprehensive GDPR compliance programme typically covers most state law requirements, since GDPR is generally more demanding.
How does the EU AI Act affect US companies already subject to GDPR?
The EU AI Act has similar extraterritorial scope — it applies to AI providers and deployers outside the EU whose AI systems are used in the EU. US companies using AI that processes EU data face both GDPR and AI Act obligations. The AI Act also requires an EU representative (Article 22), mirroring GDPR Article 27.
Is the EU-US Data Privacy Framework reliable, given Privacy Shield was invalidated?
DPF includes stronger safeguards than Privacy Shield (notably, the Data Protection Review Court for EU individual complaints about US government surveillance). However, NOYB has signalled potential legal challenges. The pragmatic approach: certify under DPF but also implement SCCs as a backup.
What's the cheapest way to achieve GDPR compliance?
Working with an EU-based compliance partner in a cost-effective market like Croatia. You get genuine EU expertise, DPA familiarity, and bundled services (representative + DPO + advisory) at 40-60% of what Western EU firms or Big Four consultancies charge. This approach is more reliable than DIY and significantly cheaper than traditional advisory firms.
Related Resources
- GDPR Compliance Guide: Everything You Need to Know
- GDPR Representative (Article 27): Complete Guide for Non-EU Companies
- Standard Contractual Clauses (SCCs): Complete Guide to EU Data Transfers
- DPO as a Service: Complete Guide to Outsourced Data Protection Officers
- Privacy Impact Assessment Guide: GDPR DPIA Requirements
Related Articles
- GDPR Compliance: The Complete Guide for Organisations in 2026 — Full guide to GDPR obligations and compliance
- GDPR Representative (Article 27) Guide — Appointing an EU representative for non-EU companies
- Standard Contractual Clauses (SCCs) Guide — GDPR-compliant international data transfers explained
US company navigating GDPR? Vision Compliance provides comprehensive GDPR compliance services from Croatia — including Article 27 representation, DPO services, and full compliance programme management — at rates 40-60% below Western EU providers. Schedule a consultation to discuss your compliance needs.
Ivana Ludiga, mag. iur., is an Associate at Vision Compliance focused on data protection, GDPR implementation, and regulatory advisory. She supports compliance projects for organizations across healthcare, financial services, and technology sectors.