The General Data Protection Regulation (GDPR) is a legal framework that governs how the personal data of users in the European Union should be collected, processed, and transferred. The GDPR applies to all companies regardless of location and industry, so long as they target users from the European Union (EU). In short, the regulation was enacted and approved by the European Parliament and the Council of the European Union in 2018 to hold businesses responsible for how they handle personal information.
Traversing the complex and ever-evolving nature of the GDPR is no easy task. If your organization has any of these questions in mind — who does the GDPR apply to, what sort of actions will make a business fall within the GDPR scope, or whether your organization is even subject to GDPR — you’ve come to the right place. Read on to find out more about the territorial and geographical scope of the GDPR and determine whether your business falls under GDPR jurisdiction.
The GDPR explicitly states that any entity collecting or processing personal data from EU residents must ensure compliance with the legislative framework. Its territorial reach is extensive, covering a wide range of organizations, including businesses, governmental agencies, non-profits, and even individuals who may process personal data during their work. Below we list some specific activities that can trigger GDPR applicability, independent of their physical location.
Thanks to the internet, geographic location is a non-issue when it comes to the GDPR. If your business is offering goods or services to EU citizens, you are required to comply with the regulation due to its extraterritorial scope. Let’s say your business sells clothes and you are physically based in the US. Though you may not have a store in the EU, you have customers buying your products from France or Germany. This means that you cater to EU residents, rendering it obligatory for your business to adhere to the GDPR requirements.
Utilizing web tools to track cookies or IP addresses of visitors from EU countries brings your organization within the scope of GDPR regulations. The interpretation and enforcement of this law are yet to be fully determined but a compelling example would be if your company were to create an application tailored for users within the EU region. Newly registered users are usually required to provide personal information such as their name, email address, and additional details, thereby implicating your responsibility for data collection. An instance where this regulation becomes ambiguous is if you have a restaurant that is located in the US. Most of your customers would likely be locals within the area but suppose people from the EU stumble upon your website while planning a trip there. Depending on the type of data you track, you could be held accountable.
The geographical scope refers to whether an organization is established within the EU. This includes companies that have a physical presence, are simply conducting operations, or are targeting EU citizens.
Non-EU businesses still come under the GDPR if they process EU residents’ personal data while selling goods or services to them or tracking their online behavior regardless of where the company is actually based. This is known as the extraterritorial effect.
The GDPR, while rooted in EU law, has an international reach. As mentioned above, any non-EU organization that offers goods or services to EU residents falls under the GDPR's purview if it processes personal data during these transactions. This implies that even online businesses must comply with GDPR regulations if they cater to EU customers. The same applies to companies based outside of the EU processing data of EU customers, like storing user data or tracking usage patterns. These actions would automatically necessitate GDPR compliance.
Even businesses operating in the US need to comply with the GDPR, either as data controllers or as data processors. Ultimately, the GDPR protects all EU residents regardless of whether they hold EU nationality. Granted, the protection applies while they are browsing the internet within those territories.
Recital 18 states that the regulation does not apply to “purely personal or household activity” but rather to organizations conducting “purely professional or commercial activity”. For individuals, this is a green light: collecting email addresses, sending a Google Calendar invite, or saving an online friend’s details does not require you to encrypt their contact information just to comply with the GDPR. However, if you’re gathering personal information to crowdfund for a side hustle, then you might want to familiarize yourself with the GDPR.
Another exception worth mentioning is companies with 250 or fewer employees. These small and medium-sized enterprises (SMEs) aren’t completely exempt from GDPR compliance, but they are free from record-keeping obligations. These records document the basis of your data-gathering efforts and cover information regarding:
In 2018, the international hotel chain Marriott suffered reputational damage and was fined £18.4 million under the GDPR by the Information Commissioner's Office (ICO) for failing to secure its customers’ personal data. The penalty stemmed from a 2014 cyber attack on Starwood Hotels and Resorts Worldwide, in which hackers breached approximately 339 million guest records, including seven million records concerning individuals in the UK. The breach went undiscovered until September 2018, by which time Marriott had just taken over the company.
Similarly, tech giant Google was fined $57 million by CNIL, the French data protection watchdog, for “failing to acknowledge how its users’ data is processed”. According to CNIL, Google did not obtain user consent to process data for ad personalization, and the consent it did collect was neither specific nor unambiguous, both terms defined by the GDPR. This made it challenging for users to understand how their data would be used or processed.
In a nutshell, the GDPR's impact extends globally, affecting organizations regardless of their location. This regulation mandates strict standards for the processing of personal data and imposes significant responsibilities on organizations handling EU residents' data. Compliance with GDPR principles is crucial for safeguarding individuals' privacy rights and avoiding substantial fines and penalties. Whether you're a data controller determining processing activities or a data processor handling personal information on behalf of other parties, it is crucial to understand both the data protection law’s territorial and geographical reach to ensure data protection and regulatory compliance.
The general rule of thumb is that any company that operates in the EU or handles EU citizens’ data must be GDPR compliant, irrespective of the industry it operates in.
US companies are subject to GDPR if they offer goods or services to EU citizens, or if they collect, process, or monitor the personal data of individuals from the EU.
Non-EU companies are still affected by this data protection law even if they have fewer than 250 employees depending on whether or not they are collecting, processing, or transferring the data of EU users. The silver lining is that smaller businesses are exempt from “record-keeping obligations” according to the official GDPR website.
Since GDPR does not apply to occasional instances, regulators will usually look for other clues to determine whether a business set out to offer goods and services to people in the EU – like if a non-EU-based SME has advertisements communicated using an EU language. Non-EU companies should carefully consider factors such as their target market, the location of their data subjects, and their processing activities to determine their obligations under the GDPR.
Controllers have primary responsibility for compliance, while processors are bound by contractual obligations to assist controllers in meeting those obligations. The former are directly liable for GDPR violations, whereas the latter are subject to indirect liability for non-compliance.