GDPR, what does it mean for non-EU companies?

The General Data Protection Regulation (GDPR), implemented in the European Union (EU) in May 2018, was a significant milestone in data protection legislation. Its impact reaches far beyond EU borders, affecting any business or organization that handles the personal data of EU citizens. This article aims to explore the implications of GDPR for non-EU companies, guiding them through the necessary steps to comply with the regulation and safeguard the privacy of EU data subjects.

Understanding GDPR’s Extraterritorial Scope

The GDPR’s extraterritorial scope extends beyond the borders of the EU, meaning it applies to any company outside the EU that processes personal data of EU residents while offering goods or services or monitoring their behavior. Consequently, non-EU companies that collect, store, or use data from EU citizens must comply with the GDPR, regardless of their location.

Key Obligations for Non-EU Companies

  1. Appointing a Representative in the EU: Non-EU companies subject to the GDPR must appoint a representative within the EU. This individual or entity acts as a point of contact for EU data subjects and supervisory authorities. The representative ensures compliance with the regulation and serves as a liaison for any data protection inquiries.
  2. Consent and Lawful Basis: Obtaining valid consent from individuals is a fundamental principle of GDPR. Non-EU companies must ensure they have a clear and unambiguous method for obtaining consent from EU data subjects before processing their personal data. Additionally, they must have a lawful basis for processing the data, such as fulfilling contractual obligations or legitimate interests.
  3. Data Subject Rights: GDPR grants various rights to EU data subjects, including the right to access, rectify, erase, and restrict the processing of their data. Non-EU companies must establish procedures to respond to data subject requests promptly and efficiently, enabling individuals to exercise their rights without undue delay.
  4. Data Protection Impact Assessments (DPIAs): Non-EU companies engaged in high-risk processing activities should conduct DPIAs to assess potential risks to data subjects’ rights and freedoms. These assessments help identify and mitigate potential data protection issues before they occur.
  5. Data Breach Notifications: GDPR requires companies to notify the relevant supervisory authority within 72 hours of becoming aware of a data breach that poses a risk to data subjects’ rights and freedoms. Non-EU companies must also communicate data breaches to affected individuals without undue delay when there is a high risk to their privacy.
  6. Privacy by Design and Default: Non-EU companies must implement privacy by design and default principles, meaning data protection measures must be incorporated into their products, services, and processes from the outset.
  7. Data Transfers: If non-EU companies transfer personal data outside the EU, they must ensure the destination country offers an adequate level of data protection. Alternatively, they must rely on approved safeguards, such as Standard Contractual Clauses or Binding Corporate Rules.

Consequences of Non-Compliance

Non-EU companies that fail to comply with the GDPR could face severe consequences, including hefty fines of up to 4% of their global annual turnover or €20 million, whichever is higher. In addition to financial penalties, non-compliant companies risk reputational damage and potential legal action from data subjects or supervisory authorities.


The GDPR has revolutionized data protection and privacy standards, impacting companies worldwide. Non-EU companies processing EU citizens’ data must adhere to the regulation’s requirements to safeguard the privacy and rights of their European customers. Understanding the GDPR’s extraterritorial scope and taking proactive steps toward compliance is crucial for non-EU companies aiming to thrive in the digital age while respecting the privacy rights of EU data subjects.
