GDPR for International Customers: Territorial Scope (Art. 3)

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • Art. 3 GDPR applies the regulation through three triggers: EU establishment, offering goods/services to EU residents, or behavioral monitoring of EU residents
  • Server location is irrelevant — the addressee determines applicability
  • US: CCPA/CPRA in California plus 12 other state laws now in force
  • UK: UK-GDPR is a near-clone of EU GDPR; adequacy decision extended to June 2025
  • Multi-jurisdiction strategy: use GDPR as the baseline (strictest) and add CCPA/UK-GDPR specific clauses

1. Art. 3 GDPR marketplace principle

The GDPR applies in three cases: (1) the controller has an EU establishment, (2) the controller offers goods or services to EU residents (paid or free), or (3) the controller monitors behavior of EU residents. Server location does not determine applicability — the targeting of EU residents does.

2. United States: CCPA, CPRA and state laws

Thirteen US states had enacted privacy laws by early 2026. California's CCPA/CPRA is the strictest and the de facto US baseline. Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA) and others add state-by-state variation. Treating CCPA as the US benchmark covers most enforcement risk.

3. United Kingdom: UK-GDPR and DPA 2018

Post-Brexit, the UK uses UK-GDPR — a clone of EU GDPR — supplemented by the Data Protection Act 2018. The EU-UK adequacy decision was extended to June 2025; renewal is expected but not guaranteed.

4. Asia: variable by country

Singapore (PDPA), Japan (APPI) and China (PIPL) all have GDPR-style frameworks but with different specifics. China's PIPL adds data-localization rules and security assessments for cross-border transfers. Country-specific advice is essential before launching in Asia.

5. Multi-jurisdiction strategy

Use GDPR as the baseline because it is the strictest. Layer additional clauses for CCPA (sale-of-data definition, right to opt-out of sale, "shine the light"), UK-GDPR (UK representative under Art. 27 UK-GDPR), and country-specific data-localization rules where required. Maintain a single global privacy notice with country-specific sections rather than separate documents.

6. EU representative requirement

Controllers without an EU establishment that target EU residents must appoint an Art. 27 GDPR representative. The role is typically filled by a specialized law firm or compliance provider for EUR 2,000-8,000 per year.

Summary

Territorial scope follows targeting, not server location. SMEs serving EU customers from outside the EU need GDPR compliance plus an Art. 27 representative. SMEs serving the US plus EU should use GDPR as a base and overlay CCPA-specific notice elements. The single biggest mistake is assuming non-EU hosting exempts the company — it does not.


Frequently Asked Questions

When does GDPR apply to US customers?
When you target EU citizens. Hosting on a US server does not by itself exempt you.

Do I need an EU representative?
Yes, under Art. 27 GDPR if you are established outside the EU. In practice this role is often filled by a law firm.