Key takeaways
- GDPR Article 3 reaches US companies that offer goods or services to, or monitor, individuals in the EU.
- Many such companies need both a DPO and an EU Representative.
- US and EU privacy programs can be combined, with DPF certification a separate consideration.
- Engage scopes the obligations and runs the program.
When GDPR applies to a US company
GDPR Article 3 establishes extra-territorial reach. GDPR applies to a US company processing personal data of EU residents if: The US company offers goods or services to data subjects in the EU (regardless of payment). The US company monitors the behavior of data subjects in the EU as far as that behavior takes place within the EU.
For SaaS companies, the trigger is typically when EU customers sign up. For consumer apps, the trigger is when EU users download or use the app. For marketing technology, the trigger is when EU residents are profiled or targeted.
Once GDPR applies, the full GDPR framework applies including DPO appointment, EU Representative, lawful basis documentation, transfer mechanisms, RoPA, and data subject rights.
Do you need a DPO
GDPR Article 37 requires DPO appointment for processors and controllers whose core activities consist of: Regular and systematic monitoring of data subjects on a large scale. Processing on a large scale of special categories of data or personal data relating to criminal convictions.
For US tech companies, the core activities test is typically met as the company scales. Most growing SaaS, FinTech, HealthTech, and AdTech companies eventually fall in scope. Companies serving consumer markets typically hit the threshold faster than B2B-only companies.
Even where DPO appointment is not strictly required, many US companies appoint DPOs voluntarily to demonstrate privacy maturity to EU customers and supervisory authorities.
Do you also need an EU Representative
Article 27 requires non-EU companies offering services to EU residents to appoint an EU Representative in writing. The EU Representative is a separate role from the DPO with separate functions.
The EU Representative is the local EU contact point for supervisory authorities and data subjects. The DPO is the company’s privacy expert and operational lead.
Per EDPB guidance, one provider should not act as both your DPO and your EU Representative for the same company, because the roles can conflict. We take one role and arrange the other through a trusted partner entity, keeping the two functions independent.
Companies establishing an EU subsidiary may not need an EU Representative if the subsidiary qualifies as the EU establishment under Article 3.
Combining US and EU privacy programs
US companies expanding to the EU typically choose between three patterns:
- Pattern 1: Parallel privacy programs. Maintain separate US privacy compliance (CCPA and other state laws) and separate EU privacy compliance (GDPR). Lower integration but higher operational cost.
- Pattern 2: Single global privacy program meeting the strictest applicable standard. Build a privacy program meeting GDPR standards globally, with US state law specific elements added on top. Higher up-front cost but lower long-term operational cost.
- Pattern 3: Tiered global plus regional. Single global framework with regional teams or providers handling jurisdiction-specific operational work. Common for larger companies.
For most growing US companies expanding to the EU, Pattern 2 (single global program at GDPR standard) is the most efficient approach.
Common US-to-EU expansion privacy work
GDPR gap assessment. Identify what privacy program elements need to be added to existing US privacy posture to meet GDPR.
DPO appointment. Either internal hire or outsourced.
EU Representative appointment under Article 27.
EU establishment decision. Whether to create an EU entity (often Ireland or Netherlands) to anchor EU operations, or to rely on the EU Representative model.
International transfer mechanism. Standard Contractual Clauses for transfers from EU to US, Transfer Impact Assessments, and consideration of EU-US Data Privacy Framework certification.
EU-facing privacy notice. Either a separate EU privacy notice or a global notice with EU-specific sections.
Data Processing Agreement template for EU customers. Often differs from US service provider agreements.
Data subject rights operational capability extension. Operational capability to handle GDPR rights (broader than CCPA).
Lawful basis documentation. GDPR Article 6 lawful basis documented for each processing activity.
RoPA. Records of Processing Activities under Article 30.
Cookie banner update. EU GDPR plus ePrivacy Directive cookie consent (stricter than CCPA-compliant banners typically used in the US).
Note: outsourced DPOs are also referred to as external DPO, virtual DPO, fractional DPO, or DPaaS.
DPF certification consideration
The EU-US Data Privacy Framework permits transfers of personal data from the EU to certified US organizations. Certification is voluntary and requires specific commitments.
DPF certification simplifies EU-US data transfers compared to SCCs plus Transfer Impact Assessments. However, the DPF has been challenged in EU courts and ongoing legal uncertainty exists. The Schrems litigation history suggests a future challenge to the DPF is plausible.
Many US tech companies have certified under the DPF to simplify EU operations. The decision involves tradeoffs between operational simplicity (DPF) and legal robustness against future invalidation (SCCs plus Transfer Impact Assessments are more defensible if DPF is invalidated).
Realistic timelines and costs
Privacy program gap assessment: 2 to 4 weeks.
Privacy program build-out for EU: 3 to 6 months.
Outsourced DPO and EU Representative engagement: starts within 1 to 2 weeks.
EU subsidiary establishment if chosen: 2 to 4 months including local registration and banking.
Total privacy work cost for US-to-EU expansion: typically 40,000 to 150,000 USD over 6 to 12 months for a mid-stage US tech company.
How Engage Compliance helps
For US companies expanding to the EU, we provide outsourced DPO services and EU Representative services. Engagement typically starts with a gap assessment and progresses to ongoing DPO support during expansion and after.
Specific coverage:
- GDPR compliance work coordinated with existing US privacy program.
- DPO services under Article 37.
- EU Representative services under Article 27.
- International transfer work including SCCs, Transfer Impact Assessments, and DPF guidance.
- EU subsidiary support including local registration coordination.
- EU customer DPA negotiation support.
Pricing typically combines a project fee for gap assessment and program build (€15,000 to €50,000, approx US$17,000 to US$58,000) with monthly outsourced DPO retainer (500 to 7,500 USD per month).