
Who Needs GDPR Compliance? Understanding Applicability

One of the most frequent questions growing companies face is whether GDPR applies to their operations. The regulation has broad reach, and understanding where your organization fits helps determine the right compliance approach.

Key Takeaways

Point                     Summary
------------------------  --------------------------------------------------------------------------
3 triggers                EU establishment, offering goods/services to EU, monitoring EU individuals
Location doesn't matter   US company with EU users must comply
Targeting indicators      EU languages, Euro pricing, EU shipping, EU marketing
Monitoring includes       Website analytics, cookies, behavioral tracking on EU visitors
EU representative         Non-EU companies must designate an EU representative (Article 27)
Exemptions are rare       Only truly domestic businesses with zero EU reach are exempt

Quick Answer: GDPR applies if you: (1) have EU operations, (2) offer goods/services to EU residents, or (3) monitor EU individuals' behavior. Your company location doesn't matter - if you have EU users, GDPR applies.

Three Triggers for GDPR Applicability

GDPR generally applies to organizations meeting any of these criteria:

1. EU Establishment
Organizations with physical presence in an EU/EEA country—including branch offices, subsidiaries, or remote employees—typically fall within scope.

2. Offering Goods or Services to EU Residents
Indicators include websites available in EU languages, prices displayed in Euros, shipping options to EU countries, or marketing targeted at EU audiences.

3. Monitoring EU Individuals' Behavior
This includes tracking website visitors from the EU, using cookies or analytics on EU users, or behavioral profiling of EU residents.

Detailed Applicability Scenarios

Scenario 1: You Have EU Operations

If your startup has any physical presence in the EU, GDPR automatically applies.

EU Presence                  GDPR Applies
---------------------------  ------------------------
Headquarters in EU           Yes
Branch office in EU          Yes
Remote employees in EU       Yes
Registered entity in EU      Yes
Using EU data center only    Depends on other factors

Scenario 2: You Offer Services to EU Residents

Even without EU presence, targeting EU customers triggers GDPR:

Indicators of targeting EU:

  • Website available in EU languages (French, German, Spanish, etc.)
  • Prices displayed in Euros (€)
  • Shipping options to EU countries
  • EU-specific payment methods
  • Marketing campaigns targeting EU audiences
  • Country selection including EU nations
  • References to EU customers or users

Scenario 3: You Monitor EU Behavior

If you track or profile EU individuals online, GDPR applies:

Monitoring Activity              GDPR Applies
-------------------------------  ------------
Google Analytics on EU visitors  Yes
Cookies tracking EU users        Yes
Behavioral advertising to EU     Yes
A/B testing with EU users        Yes
Heat maps/session recording      Yes
Retargeting EU visitors          Yes

Does Company Size Matter?

GDPR applies regardless of company size, though some reduced documentation requirements exist for smaller organizations.

Core Requirements (All Organizations)

  • Lawful basis for processing
  • Privacy policy and transparency
  • Data subject rights fulfillment
  • Security measures
  • Breach notification

Reduced Documentation Requirements (<250 Employees)

Organizations with fewer than 250 employees may have reduced Record of Processing Activities (ROPA) requirements unless they:

  • Process data that risks individual rights and freedoms
  • Process data more than occasionally
  • Process special category data (health, race, religion, etc.)
  • Process criminal conviction data

In practice: Most growing companies still maintain full documentation. SaaS businesses, marketing operations, and any organization with a user database typically process data regularly enough that the reduced requirements don't apply.

Industry-Specific Applicability

Industry        Typical GDPR Triggers
--------------  -------------------------------------------------
SaaS            User accounts, analytics, cookies
E-commerce      Customer orders, payment data, shipping addresses
Marketing Tech  Tracking pixels, email lists, behavioral data
Healthcare      Patient data (special category)
HR Tech         Employee data, recruitment data
Fintech         Financial data, identity verification
EdTech          Student data, potentially children's data

The B2B Question

A common question from B2B companies: "We only sell to businesses, not consumers. Does GDPR apply?"

The answer is generally yes. GDPR protects individuals rather than distinguishing between consumer and business contexts:

  • Business email addresses (john.smith@company.com) qualify as personal data
  • B2B contact databases contain personal data
  • Employee information of your clients is personal data
  • Individual contractors and freelancers are protected

Geographic Considerations

UK After Brexit

The UK has its own UK GDPR, which mirrors the EU GDPR with minor differences:

Aspect                 EU GDPR            UK GDPR
---------------------  -----------------  -----------------
Age of Consent         16 years           13 years
Supervisory Authority  National DPAs      ICO
Transfers              UK is "adequate"   EU is "adequate"

Note on UK Adequacy: The EU granted the UK an adequacy decision in June 2021 (Commission Implementing Decision (EU) 2021/1772), but it includes a sunset clause requiring periodic review. The initial adequacy period was set for four years, with the European Commission assessing whether the UK continues to provide adequate protection. Organizations transferring data between the EU and UK should monitor for updates on renewal or any changes to adequacy status. Additionally, this recognition is asymmetric—the UK separately and unilaterally recognizes EU adequacy for transfers in the other direction.

Practical impact: If you serve both UK and EU, comply with both frameworks (very similar requirements).

US Companies

US-based startups must comply with GDPR if they:

  • Have EU customers or users
  • Market to EU audiences
  • Use analytics tracking EU visitors
  • Process EU employee data

EU Representative Requirement (Article 27)

Non-EU organizations subject to GDPR face an additional obligation: designating a representative within the EU.

Who Needs an EU Representative?

Under Article 27, controllers or processors not established in the EU but subject to GDPR must appoint a representative in an EU Member State where their data subjects are located. This representative serves as a local contact point for supervisory authorities and data subjects.

Organization Type                  EU Representative Required?
---------------------------------  -------------------------------
US company with EU customers       Yes
Canadian SaaS serving EU users     Yes
UK company post-Brexit serving EU  Yes
Company with EU subsidiary         No (already established in EU)

Exceptions to the Requirement

A representative is not required if:

  • Processing is occasional and doesn't include large-scale processing of special category data or criminal conviction data, and is unlikely to result in risk to individuals' rights and freedoms
  • The organization is a public authority or body

Important: "Occasional processing" is narrowly interpreted. Regular operations like maintaining a customer database, sending marketing emails, or running website analytics typically don't qualify as occasional.

Practical Implications for Startups

For non-EU startups, the EU representative requirement means:

  1. Identify where your EU data subjects are located - Your representative should be in one of those Member States
  2. Budget for representative services - Third-party representative services are available, typically costing €2,000-10,000+ annually depending on scope
  3. Include representative details in your privacy policy - GDPR requires you to disclose your representative's contact information
  4. Understand liability implications - The representative can be subject to enforcement proceedings on behalf of the controller/processor

Representative Responsibility    Description
-------------------------------  --------------------------------------------------
Contact point for DPAs           Receives communications from supervisory authorities
Contact point for data subjects  Handles inquiries about rights requests
Maintains processing records     Keeps copy of records of processing activities
Cooperation with authorities     Assists with investigations when required

Self-Assessment Checklist

Use this checklist to determine if GDPR applies:

Business Operations

  • Do you have offices, employees, or contractors in the EU?
  • Is your company registered in an EU country?
  • Do you have servers or data centers in the EU?

Customer/User Base

  • Do you have customers in EU countries?
  • Can EU residents sign up for your service?
  • Do you ship products to the EU?
  • Is your website accessible from the EU?

Marketing and Sales

  • Is your website available in EU languages?
  • Do you display prices in Euros?
  • Do you run marketing campaigns targeting EU?
  • Do you have EU contacts in your CRM?

Technology

  • Do you use analytics that track EU visitors?
  • Does your website use cookies?
  • Do you use retargeting/remarketing?
  • Do you collect any data from EU visitors?

If you answered "Yes" to any question, GDPR likely applies to your startup.

When Applicability Is Uncertain

For organizations where GDPR applicability isn't immediately clear, erring on the side of compliance often makes sense. The cost of building proper data protection practices is typically far less than:

  • Potential regulatory penalties (up to €20M or 4% of global revenue)
  • Reputational damage from non-compliance
  • Lost business opportunities with customers who require GDPR compliance from their vendors

Planning for Future Applicability

Even if GDPR doesn't clearly apply today, organizations often benefit from considering compliance early if they plan to:

  • Expand to EU markets
  • Hire employees in EU countries
  • Accept EU customers
  • Raise funding from EU investors

Building privacy considerations into your operations from the start tends to be significantly easier than retrofitting compliance requirements later.

How Bastion Helps

Determining GDPR applicability and planning the right compliance approach requires understanding both the regulation and your specific business context. Our team helps organizations navigate these questions efficiently.

Service                   How We Help
------------------------  ------------------------------------------------------------------
Applicability Assessment  Expert review of your specific situation and data flows
Gap Analysis              Clear identification of what's needed for compliance
Roadmap Development       Prioritized plan with realistic milestones
Ongoing Support           Help staying compliant as your business and regulations evolve

Working with experienced partners brings additional expertise to handle the complexity, helping ensure your compliance approach is thorough and appropriate for your situation.
