What Do US Startup Founders Need to Understand about GDPR?
The General Data Protection Regulation (GDPR) is the European Union's data protection law. It can apply to companies based outside the EU, including US startups, when they offer goods or services to people in the EU or monitor the behavior of people in the EU. GDPR sets principles for handling personal data, gives individuals rights over their data, and expects organizations to document how they meet its requirements. Whether it applies to any particular company is a legal determination best confirmed with qualified counsel. This article explains the basics founders should understand, not whether GDPR applies to your specific situation.
In this article
- GDPR is the EU's data protection law
- GDPR can reach companies far beyond the EU
- The regulation is built on seven principles
- GDPR gives individuals rights over their data
- Controllers and processors carry different responsibilities
- A lawful basis sits behind every use of personal data
- Moving EU data to the US follows its own rules
- GDPR readiness is a trust advantage, not just a hurdle
- Where founders usually want counsel
- Frequently asked questions
GDPR Is the EU's Data Protection Law
GDPR took effect on May 25, 2018, and it governs how organizations handle the personal data of people in the EU and the wider European Economic Area. Personal data means any information relating to an identified or identifiable person, which is broader than many founders expect: names, email addresses, device identifiers, and location data all qualify. The regulation is principles-based rather than a checklist, so it describes outcomes organizations are expected to achieve rather than prescribing one fixed way to get there.
GDPR Can Reach Companies Far Beyond the EU
One reason GDPR matters to US founders is its reach, which works through two routes. The first is establishment: if a company has a real and stable presence in the EU, such as an office or employees, GDPR can apply to the processing connected to that presence, including the personal data of EU-based staff. The second is targeting: even with no EU establishment, GDPR can apply to a company that offers goods or services to people in the EU, whether or not payment is involved, or that monitors the behavior of people in the EU, such as tracking or profiling website visitors. Whether a particular arrangement creates an establishment, including engaging an independent contractor in the EU, and whether either route applies, is fact-specific and a legal determination we recommend confirming with qualified counsel.
The Regulation Is Built on Seven Principles
GDPR organizes its expectations around seven principles, and most requirements trace back to them. They are:
- Lawfulness, fairness, and transparency
- Purpose limitation — data is collected for specified, explicit purposes
- Data minimization — you collect only what you need
- Accuracy — data is kept correct and up to date
- Storage limitation — you keep data only as long as necessary
- Integrity and confidentiality — you secure the data
- Accountability — you can demonstrate compliance
The accountability principle is why documentation matters so much under GDPR, since being compliant and being able to show it are treated as two parts of the same obligation.
GDPR Gives Individuals Rights Over Their Data
A defining feature of GDPR is the set of rights it gives individuals over their personal data. These include:
- The right to be informed about how data is used
- The right of access to a copy of their data
- The right to rectification of inaccurate data
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object to certain processing
- Rights related to automated decision-making and profiling
Organizations in scope are expected to have a way to recognize and respond to these requests within the timeframes the regulation sets.
Controllers and Processors Carry Different Responsibilities
GDPR draws a clear line between two roles. A controller decides why and how personal data is processed, while a processor handles data on a controller's behalf, such as a vendor or subprocessor. The distinction matters because the regulation assigns different responsibilities to each, and it requires a written agreement to govern the relationship between them. Most SaaS startups act as a processor for their customers' data and a controller for their own, so many companies hold both roles at once depending on the data in question.
A Lawful Basis Sits Behind Every Use of Personal Data
Under GDPR, every use of personal data needs a lawful basis, and the regulation sets out six: consent, performance of a contract, a legal obligation, protection of someone's vital interests, a task carried out in the public interest, and legitimate interests. Consent is only one option, and it is not always the most appropriate, since it must be freely given, specific, and easy to withdraw. Choosing the right basis for each use is part of the analysis, and it is an area where founders frequently benefit from professional guidance.
Moving EU Data to the US Follows Its Own Rules
GDPR places conditions on transferring personal data out of the EU, including to the United States. As of 2026, the EU-US Data Privacy Framework remains a valid mechanism, allowing data to flow to US organizations that self-certify and renew annually, and a European court upheld its validity in September 2025. Standard Contractual Clauses are another widely used mechanism. Because the transfer landscape is monitored and can evolve, the specific mechanism that fits a company is a point we recommend confirming with qualified counsel.
GDPR Readiness Is a Trust Advantage, Not Just a Hurdle
It is worth reframing GDPR from an obstacle into an asset. European customers, partners, and investors increasingly treat strong data protection as a signal that a company is mature and trustworthy. A startup that can explain how it handles personal data, honor individual rights, and document its practices is better positioned to win EU business and pass diligence. Seen that way, the work GDPR asks for overlaps heavily with the trust posture that helps close deals everywhere, not only in Europe.
Where Founders Usually Want Counsel
A few questions sit squarely in legal territory, and they are worth flagging. Whether GDPR applies to your company, which lawful basis fits a particular use of data, whether you need an EU representative or a data protection officer, and which transfer mechanism to rely on are all determinations that depend on your specific facts. Aetos helps companies build the trust program and documentation that support compliance, and we work alongside your legal counsel rather than in place of them on these questions.
Frequently Asked Questions
Does GDPR apply to US companies?
It can, through two routes. GDPR can apply when a company has a stable presence in the EU, such as staff, covering the processing tied to that presence; and when a company offers goods or services to, or monitors the behavior of, people in the EU. Whether either applies — including whether engaging a contractor in the EU creates a presence — is a legal determination, so we recommend confirming it with qualified counsel.
What counts as personal data under GDPR?
Any information relating to an identified or identifiable person, including names, email addresses, device identifiers, and location data. The definition is broad, which is why many companies hold more personal data than they realize.
What is the difference between a controller and a processor?
A controller decides why and how data is processed. A processor handles data on the controller's behalf. GDPR assigns different responsibilities to each and expects a written agreement between them.
Can US companies still receive EU personal data?
Yes, through a valid transfer mechanism. As of 2026, the EU-US Data Privacy Framework remains valid for self-certified US organizations, and Standard Contractual Clauses are also widely used. The right mechanism depends on your situation.
Is GDPR the same as CCPA?
No. GDPR is the EU's regulation, while CCPA and CPRA are California's privacy laws. They share goals but differ in scope and detail. We cover CCPA and CPRA in a separate article.
Where to Go From Here
The most useful first step is understanding what personal data you hold and where it flows, which clarifies a great deal before any legal analysis. For more, see our explainers on the core US data privacy principles, how data privacy impacts business operations, and privacy as a growth lever.
Want to understand your data exposure to frame your conversation with counsel? Assess your risk and we will help you map where you stand.