GDPR for US Companies: When It Applies and What You Must Do
GDPR applies to US companies that process EU residents' data, even without a European office. Here is what triggers it, what it requires, and the penalties.
When GDPR applies to US companies
The General Data Protection Regulation applies to any organisation, anywhere in the world, that processes the personal data of individuals in the EU. You do not need a European office, European employees, or a European entity.
If your SaaS product has EU users, GDPR applies. If your website collects cookies from EU visitors, GDPR applies. If your mobile app is available in the EU App Store, GDPR applies.
The key obligations
| Obligation | What it means | Deadline/frequency |
|---|---|---|
| Data Protection Officer (DPO) | Appoint if processing is a core activity | Ongoing |
| Data Processing Impact Assessment (DPIA) | For high-risk processing activities | Before processing begins |
| Records of Processing Activities (ROPA) | Document all data processing | Maintain continuously |
| Data breach notification | Notify supervisory authority | 72 hours from discovery |
| Data Subject Access Requests (DSAR) | Respond to individuals requesting their data | 30 days |
| Privacy policy | Clear, accessible description of data practices | Maintain continuously |
| Cookie consent | Explicit consent for non-essential cookies | Before placing cookies |
| EU representative | Appoint if no EU establishment | Ongoing |
The EU representative requirement
US companies without an EU office must appoint an EU representative under Article 27 of GDPR. This is often overlooked. The representative serves as a contact point for EU data protection authorities and must be established in an EU member state where the affected data subjects are located.
EU representative services typically cost €2,000-5,000 per year.
Penalties
GDPR penalties are famously severe:
- Tier 1: Up to €10 million or 2% of global annual turnover (whichever is higher) for administrative violations
- Tier 2: Up to €20 million or 4% of global annual turnover (whichever is higher) for substantive violations
These are not theoretical. Meta was fined €1.2 billion in 2023. Amazon was fined €746 million in 2021. Smaller companies receive smaller fines, but they are proportionally just as painful.
Cross-border data transfers
Transferring personal data from the EU to the US requires a legal mechanism:
- EU-US Data Privacy Framework (DPF): The current adequacy decision. US companies can self-certify through the Department of Commerce.
- Standard Contractual Clauses (SCCs): Contractual safeguards approved by the EU Commission.
- Binding Corporate Rules (BCRs): For intra-group transfers. Complex and expensive to implement.
The DPF is the simplest option but requires annual re-certification and compliance with the DPF principles.
Filing and reporting deadlines
GDPR compliance is not a one-time event. Ongoing obligations include:
- Annual DPF re-certification (if using the EU-US framework)
- Maintaining and updating ROPA whenever processing activities change
- Responding to DSARs within 30 days
- Reporting breaches within 72 hours
- Reviewing and updating DPIAs when processing changes
- Annual privacy policy review
How CompCal helps
CompCal tracks your GDPR-related filing deadlines alongside corporate compliance obligations. DPF re-certification, annual privacy reviews, and regulatory filing deadlines all appear in your unified compliance calendar.