The EU's General Data Protection Regulation does not stop at Europe's borders. If your business is based outside the EU but sells goods or services to people in Europe, GDPR may apply to you in full — even if you have no office, staff or servers anywhere in the bloc. The hard part for foreign companies is usually recognising that they are caught at all, and then understanding what compliance actually looks like in practice.
Whether you run an online store, a software platform, a marketing agency or a subscription service, the moment you deliberately reach customers in the EU you may take on a set of legal obligations that are unfamiliar and strictly enforced. Rules and figures change over time, so treat this as general background rather than advice on your own situation.
Does GDPR apply to my business?
GDPR can reach a business established outside the EU in two main ways, and you only need one of them to be caught. The first is where you offer goods or services to people located in the EU, whether or not you charge them. The second is where you monitor the behaviour of people in the EU, for example through tracking, profiling or analytics tied to their online activity.
Merely having a website that Europeans can reach is not enough on its own. What matters is whether you are deliberately targeting the EU market. Indicators that you are include:
- Offering your prices in euros or another EU currency.
- Providing your site or content in an EU language not used in your home country.
- Mentioning EU customers, shipping to EU countries or using an EU top-level domain.
- Running marketing or advertising aimed at people in specific EU member states.
If any of this describes your business, assume GDPR is in scope and treat the personal data of your EU customers accordingly. The location of the person whose data you process is what counts — not their nationality, and not where your company happens to be incorporated.
The core obligations you take on
GDPR is built on a set of principles that apply to everything you do with personal data: you must have a lawful basis to process it, use it only for clear and limited purposes, keep it accurate, hold no more than you need, retain it no longer than necessary, and keep it secure. These principles sound abstract, but they translate into concrete duties.
- A lawful basis for every activity, such as consent, performance of a contract, or a legitimate interest you can document.
- Clear privacy information telling people who you are, what data you collect, why, how long you keep it and who you share it with.
- Valid consent where you rely on it — freely given, specific and as easy to withdraw as it was to give, which matters especially for marketing and many cookies.
- Honouring individual rights, including access, correction, deletion, portability and objection, usually within a set time limit.
- Appropriate security measures and a process for handling personal data breaches, including notifying regulators and affected people where required.
You are also expected to keep records of your processing activities and, for higher-risk processing, to carry out a data protection impact assessment before you start. Where your core activities involve large-scale or sensitive processing, you may need to appoint a data protection officer.
Appointing an EU representative
One requirement catches many foreign businesses by surprise. If GDPR applies to you and you have no establishment in the EU, you generally must designate an EU representative in writing — a person or company based in a member state where some of your affected customers are located. This representative acts as a local point of contact for individuals and for data protection authorities, and their details must appear in your privacy notice.
There are limited exemptions, for instance where your processing is only occasional and low-risk, but they are narrower than people assume. Appointing a representative does not remove your own legal responsibility — you remain fully liable — but failing to appoint one when required is itself a breach that regulators can act on.
Transferring data out of the EU
For a non-EU business, sending personal data from Europe to your home country is a transfer that GDPR regulates carefully. You cannot simply move the data wherever you like. If your country has been formally recognised by the EU as offering an adequate level of protection, transfers can flow more freely. If it has not, you generally need an approved safeguard in place before any data leaves the EU.
- Standard contractual clauses, the most common tool, are EU-approved model contract terms that bind the parties to protect the data.
- Binding corporate rules, for transfers within a group of companies, subject to regulator approval.
- A limited set of specific exceptions for occasional transfers, which should not be relied on as a routine solution.
Increasingly you are also expected to assess the laws of the destination country and add extra technical or organisational measures where local rules could undermine the protection the data is supposed to have. This is a technical area that shifts as new decisions and frameworks emerge, so confirm the current position before designing your data flows.
What happens if you get it wrong
GDPR is taken seriously because the consequences are real. Supervisory authorities in each member state can investigate, order you to change or stop your processing, and impose significant administrative fines calculated by reference to your worldwide turnover, with the higher tier reserved for the most serious breaches. Individuals can also bring claims for compensation, and consumer or privacy groups increasingly act on their behalf.
Beyond fines, the practical fallout matters: reputational damage, loss of customer trust, and the cost of rebuilding systems under regulatory supervision. For a foreign company, an enforcement action in the EU can also disrupt relationships with the European payment providers, platforms and partners you depend on to reach the market in the first place.
Practical first steps
If you suspect GDPR applies to you, a structured approach is far less daunting than reacting to a complaint after the fact. The aim is to know what data you hold, why you hold it, and whether each step in your handling of it can be justified.
- Map your data. Work out what personal data you collect from people in the EU, where it comes from, where it goes and who can see it.
- Check your legal basis for each activity, and tighten your consent and marketing practices where you rely on them.
- Publish a clear privacy notice and put a simple process in place for handling individual rights requests and breaches.
- Sort out the cross-border pieces — your EU representative, if required, and a valid transfer mechanism for data leaving the EU.
Because GDPR interacts with the separate national laws of individual member states, and with rules on cookies and electronic marketing, the right answer often depends on exactly which countries you serve and how.
Getting it right
GDPR gives Europeans strong, enforceable rights over their personal data, and those rights follow them to whoever processes their information — including a business on the other side of the world. The principles are stable, but the detail, the thresholds and the transfer rules shift over time, and the penalties for getting it wrong can be severe. Because so much turns on how you target the EU market, what data you handle and where it flows, the safest step when something important is at stake is to speak with a qualified data protection lawyer who can review your situation and confirm the current rules before you decide how to proceed.