Does GDPR apply to you? Article 3 extraterritorial scope
Article 3 of Regulation (EU) 2016/679 has three limbs, two of which catch most US SaaS:
- Article 3(1) — Establishment. Applies to processing in the context of activities of an EU establishment, regardless of where processing takes place. A single EU employee can constitute an establishment under Case C-230/14 Weltimmo.
- Article 3(2)(a) — Offering goods or services to data subjects in the Union. Indicators per Recital 23 and EDPB Guidelines 3/2018: EU-language localisation, EUR pricing, EU customer references, EU domain, mentions of EU users in marketing, EU customer support, EU-targeted ads. A US-only website that happens to receive EU traffic is not in scope. A SaaS with a German-language pricing page and EUR billing is squarely in scope.
- Article 3(2)(b) — Monitoring behaviour of data subjects in the Union. Behavioural advertising, fingerprinting, location-tracking, market research surveys aimed at EU users.
Server location is irrelevant under Article 3. So is the absence of a legal entity in the EU. If you fall under 3(2), the entire Regulation applies, and you must designate an Article 27 representative in the Union (subject to the narrow Article 27(2) exemption).
Controller, processor, joint controller — fix the role first
Your obligations turn on your role. Misidentifying the role causes more enforcement pain than any technical control failure.
- Controller (Article 4(7)) — determines purposes and means of processing. A B2C SaaS towards its end users is the controller of their data.
- Processor (Article 4(8)) — processes on behalf of a controller. A B2B SaaS towards its customers' end-user data is typically the processor; the customer is controller.
- Joint controllers (Article 26) — two or more entities jointly determine purposes and means. CJEU Case C-40/17 Fashion ID brought tracking-pixel scenarios into joint-controller territory. Joint controllers must agree responsibilities in a transparent arrangement and make its essence available to data subjects.
Most US B2B SaaS founders incorrectly assume they are "just a processor" for everything. They are usually controller for billing, account management, marketing, security telemetry, and processor only for customer-stored business data. Map both roles per processing activity, not per company.
Lawful bases under Article 6 and special categories under Article 9
Article 6(1) lists six lawful bases. For B2B SaaS the workable ones:
| Basis | Use it for | Watch-outs |
|---|---|---|
| 6(1)(a) Consent | Marketing emails, optional cookies, optional analytics | Article 7 strict conditions; revocable any time; granular; not bundled with ToS |
| 6(1)(b) Contract | Service delivery, billing, account management | Strict necessity test; "improving service" doesn't qualify (EDPB Guidelines 2/2019) |
| 6(1)(c) Legal obligation | Tax records, AML/KYC, financial reporting | Cite the specific law in your ROPA |
| 6(1)(f) Legitimate interests | Product analytics, security, fraud, B2B marketing, group operations | Three-part test, documented LIA; Article 21 right to object; not available to public authorities |
Article 9 special categories (health, biometric identifiers used for identification, racial/ethnic origin, political opinions, religious beliefs, trade union membership, sex life and sexual orientation, genetic data) require an Article 9(2) basis in addition to Article 6. Default: explicit consent under 9(2)(a). Data relating to criminal convictions and offences has its own regime under Article 10.
Children's data under Article 8 (under 16 by default, which Member States may lower to any age between 13 and 16): parental consent is required for information society services offered directly to children.
The seven Article 5 principles your engineering must satisfy
Article 5(1) lists seven principles; Article 5(2) makes you accountable for demonstrating compliance.
- Lawfulness, fairness, transparency — Articles 13–14 transparency at collection; privacy notice in plain language.
- Purpose limitation — collected for specified, explicit, legitimate purposes; not further processed in incompatible ways.
- Data minimisation — adequate, relevant, limited to necessary. Engineering: do not collect fields "just in case".
- Accuracy — kept accurate, up to date, with rectification mechanisms.
- Storage limitation — kept in identifiable form no longer than necessary. Engineering: automated retention, hard deletes, not soft deletes.
- Integrity and confidentiality — security via technical and organisational measures (Article 32).
- Accountability — you must demonstrate compliance. ROPA (Article 30), policies, training, evidence.
Article 25 Privacy by Design and by Default operationalises these: data protection measures by default and by design, only the necessary personal data processed by default. The German enforcement focus on Article 25 in 2024–2025 has been sharp.
International transfers: DPF, SCCs 2021/914, TIA, BCRs
Chapter V (Articles 44–50) restricts transfers of personal data to third countries. After Schrems II (CJEU Case C-311/18) invalidated Privacy Shield in 2020, the framework rebuilt around three tools, with the Article 49 derogations as a narrow fallback:
- Adequacy decision. Article 45. The EU-US Data Privacy Framework, adopted by Commission Implementing Decision (EU) 2023/1795 on 10 July 2023, restored adequacy for personal data transferred to DPF-certified US importers. Verify certification at dataprivacyframework.gov; certification status can lapse. The DPF survived its first General Court challenge in 2025 (Case T-553/23 La Quadrature du Net) but a Schrems III referral is pending; do not bet the company on adequacy alone.
- Standard Contractual Clauses. Commission Implementing Decision (EU) 2021/914 of 4 June 2021 sets out four modules: C2C, C2P, P2P, P2C. Pick the module matching the role pair. Use the docking clause for multi-party deployments. Required to be supplemented by a Transfer Impact Assessment per EDPB Recommendations 01/2020 — assess the third country's law, especially government access (FISA 702, EO 12333 for the US), and add supplementary measures (encryption-with-keys-in-EU, pseudonymisation, contractual measures) where the law is inadequate.
- Binding Corporate Rules. Article 47. For intra-group transfers; slow to set up (typically 18–36 months) but durable.
- Article 49 derogations. Explicit consent, contract necessity, important public interest, etc. Strictly necessary, not for systematic transfers.
EU representative (Article 27) and the DPO question (Article 37)
Two distinct roles, often conflated.
EU representative (Article 27) — required for non-EU controllers and processors subject to Article 3(2), unless the narrow exemption applies. Must be established in a Member State where data subjects are, must be empowered to address GDPR matters, and is the contact point for supervisory authorities and data subjects. Third-party services cost EUR 1,200–6,000 per year. List your representative in your privacy notice and on your website.
Data Protection Officer (Article 37) — mandatory only when (a) you are a public authority, (b) core activities consist of large-scale regular and systematic monitoring (e.g., adtech, telematics), or (c) core activities consist of large-scale processing of Article 9 special categories or Article 10 criminal data. Most B2B SaaS do not need a mandatory DPO but many appoint a voluntary one as a signal. Article 38 protects the DPO from instruction on tasks and from dismissal for performing them; Article 39 lists DPO tasks.
Data subject rights and the response clock
Articles 12–22 grant rights and Article 12(3) sets the response clock: one month from receipt of the request, extensible by two further months for complex requests with notice within the first month. Free of charge unless manifestly unfounded or excessive.
- Article 15 access — copy of personal data, processing purposes, categories, recipients, retention, source, automated decision-making logic.
- Article 16 rectification.
- Article 17 erasure ("right to be forgotten") — with narrow exceptions.
- Article 18 restriction.
- Article 19 — notification to recipients of rectification, erasure, restriction.
- Article 20 portability — machine-readable export for data the subject provided.
- Article 21 objection — absolute right for direct marketing; balancing test for Article 6(1)(f) processing.
- Article 22 — not subject to solely automated decisions with legal or similarly significant effects, save for narrow exceptions; right to human intervention.
Engineering implication: build a Data Subject Request portal early. Automated, identity-verified request flows save hundreds of hours over the years and are evidence of Article 25 data protection by design.
DPIAs (Article 35) and when you actually need one
Article 35(1) requires a DPIA when processing is likely to result in a high risk to rights and freedoms. Article 35(3) lists three mandatory triggers (systematic and extensive automated decisions with significant effects; large-scale special-category or criminal data; systematic monitoring of publicly accessible areas). EDPB Guidelines 4/2017 add nine criteria; two or more is the practical threshold.
Article 35(7) requires the DPIA to include: systematic description of processing, assessment of necessity and proportionality, assessment of risks, measures to mitigate. Article 36 requires prior consultation with the supervisory authority if residual risk remains high after mitigation.
Save your DPIAs versioned in the same repo as your code. Auditors love versioned DPIAs that update with releases.
Breach notification: the 72-hour clock (Articles 33–34)
Article 33(1): controller notifies the lead supervisory authority of any personal data breach without undue delay, and where feasible not later than 72 hours after becoming aware. Late notification requires reasoned justification. Article 33(2): processor notifies the controller without undue delay.
Article 34: if the breach is likely to result in a high risk to rights and freedoms, notify affected data subjects without undue delay in clear plain language. Encrypted-data safe harbor exists in Article 34(3)(a) only if appropriate technical measures (including encryption) were applied to the data in question.
Article 33(5): internal documentation of every breach — reported or not — for accountability under Article 5(2).
Plan the runbook for a Friday-night incident, because that is when they happen. EU supervisory authorities count weekend hours.
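Two clocks from the sections above, the Article 12(3) one-month response window with its two-month extension and the Article 33 72-hour breach clock, implemented as a small helper. This is an added example, not code from the article; it assumes ISO 8601 timestamps and counts a "month" as a calendar month with end-of-month clamping (my assumption about the counting convention, not a rule the article states).

```python
import calendar
from datetime import datetime, timedelta, timezone


def _parse(iso: str) -> datetime:
    """Parse an ISO 8601 timestamp; naive values are assumed to be UTC."""
    ts = datetime.fromisoformat(iso)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def add_months(ts: datetime, months: int) -> datetime:
    """Calendar-month arithmetic with end-of-month clamping, so a request
    received on 31 January falls due on 28 (or 29) February, not on a
    non-existent 31 February."""
    idx = ts.month - 1 + months
    year, month = ts.year + idx // 12, idx % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def dsr_deadlines(received_iso: str) -> dict:
    """Article 12(3): respond within one month of receipt. Complex requests
    may be extended by two further months, but the data subject must be
    told of the extension within the first month."""
    received = _parse(received_iso)
    first_month = add_months(received, 1)
    return {
        "respond_by": first_month.isoformat(),
        "extension_notice_by": first_month.isoformat(),
        "extended_respond_by": add_months(received, 3).isoformat(),
    }


def breach_deadline(aware_iso: str) -> str:
    """Article 33(1): 72 calendar hours from awareness. Weekends count, so a
    Friday-night discovery expires on Monday night."""
    return (_parse(aware_iso) + timedelta(hours=72)).isoformat()


def breach_notice_is_late(aware_iso: str, notified_iso: str) -> bool:
    """True when the notification needs the Article 33(1) reasoned
    justification for delay."""
    return _parse(notified_iso) > _parse(aware_iso) + timedelta(hours=72)


if __name__ == "__main__":
    # Constructed sample values: a request received on 31 Jan 2026 and a
    # breach discovered on Friday 30 Jan 2026 at 23:15 UTC.
    print(dsr_deadlines("2026-01-31T09:00:00+00:00"))
    print(breach_deadline("2026-01-30T23:15:00+00:00"))
```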
Article 32 security: what good looks like in 2026
Article 32 requires technical and organisational measures appropriate to the risk, including as appropriate: pseudonymisation and encryption (32(1)(a)), confidentiality/integrity/availability/resilience (32(1)(b)), restore availability and access in a timely manner after incident (32(1)(c)), regular testing of effectiveness (32(1)(d)).
The de facto 2026 floor:
- ISO/IEC 27001:2022 certification or SOC 2 Type II report.
- TLS 1.2+ everywhere; AES-256 at rest; KMS-managed keys.
- MFA for all privileged access.
- Tenant isolation in multi-tenant SaaS, with documented threat model.
- Annual penetration test by an independent third party.
- Tabletop incident response twice a year.
- Documented data retention schedule with automated enforcement.
Enforcement reality: the 2024–2026 case law
The post-Schrems-II era brought sustained enforcement. Notable patterns:
- Meta — EUR 1.2B (Irish DPC, May 2023) for US transfers without an adequate mechanism. Largest GDPR fine to date.
- Cookie banner enforcement — CNIL (France) and Garante (Italy) actively fining for dark patterns, equal-prominence violations, and Google Analytics 4 transfer concerns.
- Children's data and adtech — TikTok, Instagram, ByteDance fines in the EUR 245–405M range.
- Article 22 automated decisions — SCHUFA judgment (CJEU C-634/21, 2023) expanded what counts as a "decision" under Article 22; SaaS scoring features are now squarely in scope.
- Smaller fines on SMEs — supervisory authorities have shown willingness to fine companies of every size; "we're small" is not a defence.
Penalties under Article 83: up to EUR 10M or 2% of worldwide annual turnover for most processor and procedural breaches; up to EUR 20M or 4% for breaches of basic principles, lawful basis, data subject rights, transfers, and supervisory authority orders.
If you are scoping an EU launch or remediating a GDPR programme, we run two-week fixed-price gap assessments through GDPR compliance consulting; we usually pair it with SaaS development or custom software engagements. For founders without an internal compliance leader, a fractional CTO with shipped GDPR experience is usually faster than a law-firm-only programme. AI-feature scoping for EU launches dovetails with our EU AI Act compliance work.
FAQ
Does GDPR apply to my US SaaS?
Yes if Article 3(2) catches you — offering goods or services to EU data subjects (EUR pricing, localisation, EU-targeted marketing) or monitoring their behaviour. Server location is irrelevant.
What is the EU representative requirement?
Article 27 requires non-EU controllers and processors in scope of Article 3(2) to appoint a written representative in the Union, contactable by supervisory authorities and data subjects. Third-party rep services run EUR 1,200–6,000/year.
What lawful basis should I use?
Article 6(1)(b) contract for service delivery, (f) legitimate interests for product analytics, security, fraud, B2B marketing, (a) consent only when others don't apply. Article 9 special categories add a separate Article 9(2) basis.
Do I need a DPIA?
If Article 35(3) mandatory triggers apply, or two or more EDPB Guidelines 4/2017 criteria, yes. Build the DPIA into the release process; version it with the code.
How do I transfer data to the US?
DPF adequacy for DPF-certified importers; SCCs 2021/914 + TIA for non-DPF; BCRs for intra-group. Don't rely on Article 49 derogations for systematic transfers.
What is the breach notification clock?
72 hours from awareness to the lead supervisory authority (Article 33); without undue delay to data subjects if high risk (Article 34). Document all breaches, reportable or not (Article 33(5)).
GDPR is an operating discipline, not a contract addendum
US founders who treat GDPR as a procurement checklist always hit the same wall: an enforcement action triggered by a missing EU rep, a stale ROPA, or a sub-processor change no-one tracked. The teams that ship cleanly treat GDPR like SOC 2 — a continuous evidence-producing programme baked into the SDLC. We help build it that way.
Last updated 26 May 2026. References are to Regulation (EU) 2016/679 and Commission Implementing Decisions cited. Nothing in this article constitutes legal advice for a specific situation.