GDPR for International Companies — What Non-EU Founders Must Know
If you have EU customers, website visitors, or employees, GDPR applies to you — regardless of where your company is incorporated. Here's what non-EU founders actually need to do.

GDPR Applies to You Even If You're Not in the EU
This is the most important and most misunderstood aspect of GDPR:
The GDPR's territorial scope (Article 3) applies to:
1. Any organisation established in the EU — regardless of where data is processed
2. Any organisation outside the EU that offers goods or services to EU individuals
3. Any organisation outside the EU that monitors EU individuals' behaviour
Practical implication: If you have a website that EU residents visit, accept EU customers, or send marketing emails to EU people — GDPR applies to you. Your company being in Wyoming, Georgia, or Singapore is irrelevant.
The GDPR Fundamentals
The 6 Lawful Bases for Processing
You must have a lawful basis for processing every piece of personal data:
1. **Consent** — freely given, specific, informed, and unambiguous
2. **Contract** — necessary for a contract with the individual
3. **Legal obligation** — required by law
4. **Vital interests** — to protect life
5. **Public task** — official authority
6. **Legitimate interests** — your interests don't override individual rights
For most businesses: consent (marketing) and contract (customer data) cover most processing.
Key Rights of EU Individuals
- **Right of access** — can ask what data you hold about them
- **Right to erasure** ("right to be forgotten") — can ask you to delete their data
- **Right to portability** — can ask for their data in a portable format
- **Right to object** — can object to processing (especially direct marketing)
- **Right to rectification** — can ask you to correct inaccurate data
Data Breach Notification
If you have a data breach that risks individuals' rights:
- Notify the relevant supervisory authority within **72 hours**
- Notify affected individuals if the breach is high-risk
- Document all breaches (even those not reported)
The EU Representative Requirement
If your company is outside the EU but processes EU personal data (under Article 3(2)):
- You must appoint an EU representative in writing
- The representative acts as the contact point for supervisory authorities and data subjects
- Must be established in an EU member state where your customers are
EU representative services: €200–€1,000/year (many GDPR consultancies offer this)
The UK GDPR
Post-Brexit, the UK has its own version of GDPR ("UK GDPR") — essentially the same rules. If you have UK customers, UK GDPR applies:
- UK ICO (Information Commissioner's Office) is the supervisory authority
- You may also need a UK representative if outside the UK
GDPR Compliance Checklist for International Businesses
✅ Privacy policy on your website (written in plain language)
✅ Cookie consent banner (for non-essential cookies)
✅ Record of Processing Activities (ROPA) — internal document listing what you process, why, where
✅ Data Processing Agreements (DPAs) with processors (Mailchimp, Stripe, AWS, etc.)
✅ EU representative appointed (if applicable)
✅ Data subject rights process — can you respond to access, deletion, or portability requests?
✅ Breach notification procedure
✅ Data protection by design — building privacy into new products
✅ Staff training (basic awareness at minimum)
Penalties for Non-Compliance
GDPR fines come in two tiers:
- Tier 1: Up to €10M or 2% of global annual turnover (whichever is higher) — for administrative violations
- Tier 2: Up to €20M or 4% of global annual turnover — for core violations (unlawful processing, consent violations, data subject rights)
Small businesses are rarely fined at the maximum, but enforcement actions — including formal warnings, reprimands, and smaller fines — do occur across all business sizes.
This content is educational and does not constitute legal or tax advice. Always consult a qualified professional for your specific situation. Data last verified March 2026.