One of the many frequently asked questions we receive is “which countries does GDPR apply to?” Here is the short answer…
Firstly, the GDPR applies to organisations located within all EU Member States. GDPR also applies to organisations located outside of the EU. If a company offers goods or services to, or monitors the behaviour of EU data subjects, they must comply. This means any company processing and holding personal data of EU residents, regardless of the company’s location.
Which countries does GDPR apply to outside the EU? What about US based businesses?
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Article 3 of the GDPR clearly states that if you collect personal data or behavioural information from EU residents, then your company has certain GDPR compliance requirements. The GDPR applies to any organisation that holds personal data on EU residents. It does not apply only to companies with locations or employees in the EU. If you sell products or services to EU customers and store customer data of any kind, your organisation must be GDPR compliant.
Marketing activities that generate sales leads for US firms will in most cases contain personal data, or what the GDPR deems as Personally Identifiable Information (PII). Therefore, GDPR compliance still applies to any business based in the USA. In fact, most multinationals will have to comply because they often have EU citizen data and some presence in EU countries. Overseas firms could be subject to a class action lawsuit if they experience a data breach.
Despite the proliferation of GDPR around the globe, online searches for the search term which countries does GDPR apply to? still rank highly. This indicates that there is still some confusion on the part of many non-EU businesses and organisations.