Does GDPR apply to data collected outside the EU?

Blocksurvey blog author
Jun 25, 2024 · 3 mins read

GDPR outside Europe

Source: Pexels

As most of you know, GDPR is a regulation aimed to protect & secure the data of EU citizens.

Many organizations, both inside and outside the EU, collect and process EU citizens' personally identifiable data, which can include a client’s name, email address, phone number, biometric data, IP address, or online behavior.

Organizations collecting EU citizen data are required to adhere to GDPR regulations. However, there are a few rules & exceptions regarding its mandate.

Does GDPR apply to data collected outside the EU (European Union)? The simple answer is Yes.

GDPR has few rules & conditions as far as its territorial scope is concerned.

Let’s first generally learn where GDPR applies and where it does not. Continue reading.

Where GDPR Applies

Below are a few cases where GDPR regulation applies.

  • A non-EU company collecting EU citizen data is required to adhere to GDPR.
  • The data of non-EU citizens living in the EU is protected under GDPR. For example, the data of a US citizen living in the EU is protected under GDPR.

The next section discusses a few cases where GDPR does not apply.

Where GDPR Does Not Apply

  • The data of an EU citizen residing in another country like the US is not protected by GDPR. It is only concerned with the client's location, not the client's citizenship.
  • EU citizens' data may be collected for personal purposes, such as organizing a birthday party or inviting them to a marriage function. This type of data collection is not required to adhere to GDPR.
  • A cloud-hosted company with fewer than 250 employees is not required for GDPR compliance. However, there are a few exceptions.
  • Public sector companies that collect EU citizen data for governance are not obliged under GDPR.

Now, let’s learn what GDPR specifically says about its application outside the EU.

When Does GDPR Apply Outside the EU?

The Territorial scope of GDPR is covered under Article 3 of GDPR. The second item under Article 3 clearly explains when GDPR applies to organizations outside the EU.

For example, let’s take a company headquartered in China is doing either of the following.

  • Offers goods or services to EU citizens.
  • Monitor the online behavior of individuals within the EU.

In both of the above cases, they will have to comply with the GDPR.

If a non-EU company, although not headquartered in the European Union, still collects EU citizen data, then GDPR adherence is required.

GDPR supervisory authority monitors and enforces the application of GDPR in non-EU organizations.

Use Cases: GDPR outside EU

New York Tourist Company

A Software company from New York has created a mobile tourist application that locates the position of the tourist and provides nearby places of interest.

It provides services for tourists in New York, Paris, and Rome.

In this case, the GDPR applies because the organization’s services are designed to be used by people in the EU (Paris & Rome), whether local or visiting from elsewhere.

The Canadian News Application

A Canadian is on a business trip to Germany. While in Germany, he downloads a Canadian mobile news application.

The GDPR doesn’t apply in this case, even though the individual (it is to be noted he is on a business trip and not residing permanently) was in the EU when their data was collected. This is because for GDPR to apply, the goods/services should be targeted to people in the EU.

A French SaaS

A French SaaS company sells software exclusively in the United States.

The GDPR applies at all times because it applies to the processing of data by all French (EU) companies. The fact that all the users are from the US doesn’t make any difference.

Get Ready

The overall suggestion is that organizations must prepare to meet GDPR requirements even if they are collecting data outside the EU.

If you feel very sure that GDPR applies to your organization, I highly recommend that you familiarize yourself with the GDPR law to avoid violating its regulations. It also helps you avoid reputational damage and large fines by becoming GDPR compliant.

Refer to the GDPR framework to become aware of its intricacies.

Does GDPR apply to data collected outside the EU? FAQ

Does GDPR apply to data collected outside the EU?

Yes, GDPR applies to data collected outside the EU if it involves data subjects who are in the EU.

Is a US company that processes data from European clients subject to GDPR?

Yes, a US company that processes data from European clients must comply with GDPR regulations.

Does GDPR apply to EU citizens living outside the EU?

No, GDPR applies to the processing of personal data of data subjects who are in the EU, regardless of their citizenship.

How does GDPR apply to data collection and processing by non-EU entities?

GDPR applies to non-EU entities that offer goods or services to, or monitor the behavior of, data subjects who are in the EU.

Does GDPR apply to data collected before it came into effect?

Yes, GDPR applies to all data held that relates to EU data subjects, regardless of when it was collected.

Like what you see? Share with a friend.

blog author description

Sarath Shyamson

Sarath Shyamson is the customer success person at BlockSurvey and also heads the outreach. He enjoys volunteering for the church choir.


Explore more