Regulation (EU) 2016/679 | EDPB Guidelines 3/2018 & 05/2021 | Commission Decision (EU) 2021/914
Contents
- Introduction: The Scenario and the Counterintuitive Result
- Does GDPR Apply to the U.S. Controller? Applying Article 3
- Does GDPR Apply to the EU Processor? The Article 3(1) Analysis for Processors
- GDPR Obligations of the EU Processor
- Does Chapter V Govern the Data Flows? The Transfer Analysis
- Chapter V Mechanisms Available to the EU Processor
- Supervisory Authority Jurisdiction and the Accountability Gap
- Practical Recommendations
- Key Statutory and Regulatory References
I. Introduction: The Scenario and the Counterintuitive Result
Consider a fact pattern that is increasingly common in the modern economy: a company incorporated and operating entirely in the United States, with no office, employee, representative, or subsidiary in any European Union member state, processes the personal data of its U.S.-based customers and workforce. For cost, technical, or logistical reasons, it engages a cloud services provider, data center operator, or IT services firm established in the EU to process that U.S. personal data on its behalf. No European individuals are involved. The data concerns Americans, collected in America, for an American business purpose. At first glance, one might expect the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR), to have nothing to say about this arrangement.
That expectation is wrong, and wrong in a particularly consequential way. The GDPR's territorial scope provisions, as interpreted by the European Data Protection Board (EDPB), produce a structural asymmetry: the U.S. controller is most likely not subject to GDPR for this processing, yet the EU processor is subject to GDPR by virtue of its own establishment within the Union. The processor bears the processor-facing obligations of GDPR Chapter IV, and in many instances must satisfy them without the support of a correspondingly obligated controller. And when the EU processor returns or transmits the processed data to the U.S. controller, that data flow constitutes a "transfer" to a third country within the meaning of GDPR Chapter V, so the EU processor must have an appropriate transfer tool in place before any such disclosure takes place.
This page analyzes the three core legal questions that this arrangement raises: whether GDPR applies to the U.S. controller; whether GDPR applies to the EU processor; and whether GDPR’s international transfer framework governs the data flows. The analysis draws on GDPR itself, EDPB Guidelines 3/2018, EDPB Guidelines 05/2021, EDPB Guidelines 07/2020, EDPB Opinion 22/2024, and Commission Decision (EU) 2021/914.
II. Does GDPR Apply to the U.S. Controller? Applying Article 3
A. The Establishment Criterion — Article 3(1)
Article 3(1) applies where a controller or processor has an establishment in the Union and the processing takes place in the context of the activities of that establishment, regardless of whether the processing itself takes place in the Union. The concept of "establishment" is functional: Recital 22 GDPR, following the CJEU in Google Spain v. AEPD (Case C-131/12) and Weltimmo (Case C-230/14), describes an establishment as the "effective and real exercise of activity through stable arrangements", and the legal form of the arrangement (branch, subsidiary, agent) is not decisive. A U.S. company with no office, employees, commercial agents, or subsidiary in any EU/EEA member state has no EU establishment and is not subject to Article 3(1). Importantly, a U.S. controller does not become subject to GDPR merely by using an EU-established processor: EDPB Guidelines 3/2018 state that the existence of a controller-processor relationship does not in itself trigger the application of GDPR to both parties, and that the establishment analysis is conducted separately for each.
B. The Targeting Criterion — Article 3(2)
Article 3(2) extends GDPR's reach to controllers and processors not established in the Union where the processing relates to (a) the offering of goods or services to data subjects who are in the Union, whether or not payment is required, or (b) the monitoring of their behaviour, as far as that behaviour takes place within the Union. The EDPB reads "in the Union" as a matter of physical location at the moment of the triggering activity, irrespective of citizenship or residence, and requires that the offering actually be directed at individuals in the Union; the incidental presence of a U.S. customer who happens to be travelling in the EU does not, on its own, bring a U.S.-facing service within Article 3(2). Where the individuals whose data is processed are located in the United States and the service is not targeted at the Union, Article 3(2) does not apply to the U.S. controller's processing.
C. The Hidden EU Nexus Caveat
The conclusion that a U.S. controller is outside GDPR's scope is only as reliable as the underlying facts. Many U.S. companies have unrecognised European connections that could satisfy the functional establishment test (a remote employee working from an EU member state, a commercial agent, a dormant subsidiary, or a website with EU-targeted pricing, languages or shipping), and the EDPB has indicated that, depending on the circumstances, even a single employee or agent can constitute a stable arrangement. Privacy counsel should conduct a deliberate establishment and targeting audit before advising any U.S. client that Article 3 does not reach its processing activities.
III. Does GDPR Apply to the EU Processor? The Article 3(1) Analysis for Processors
Article 3(1) names both the controller and the processor as entities to whom the establishment criterion applies. An EU-established processor is therefore subject to GDPR for all processing conducted in the context of the activities of its EU establishment, independently of whether the controller is itself subject to GDPR. EDPB Guidelines 3/2018 address this exact configuration (a processor in the Union acting for a controller outside it) and confirm that the processor's position is assessed by reference to its own establishment and activities, not the controller's.
The Structural Asymmetry: The U.S. controller, having no EU establishment and processing data only about U.S.-located individuals, is not subject to GDPR. The EU processor, conducting that processing in the context of its EU establishment, is subject to GDPR by operation of Article 3(1), regardless of the controller's regulatory status.
IV. GDPR Obligations of the EU Processor
A. The Article 28 Data Processing Agreement Problem
Article 28(3) requires processing by a processor to be governed by a contract or other legal act that is binding on the processor and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller, together with the mandatory terms listed in Article 28(3)(a) to (h). The structural problem is that Article 28 presupposes a GDPR-bound controller. The U.S. controller has no legal obligation to execute a GDPR-compliant DPA, yet the EU processor is exposed to administrative fines under Article 83(4)(a) if it processes without one. The EU processor must therefore make execution of a compliant DPA a commercial condition of the engagement and should draft it proactively rather than wait for the controller's paper.
B. Article 29 — Processing Only on the Controller’s Instructions
Article 29 prohibits the processor, and anyone acting under its authority with access to personal data, from processing that data except on the controller's instructions (unless required to do so by Union or Member State law); Article 28(3)(a) adds that those instructions must be documented. Under the final paragraph of Article 28(3), if the U.S. controller's instructions would, in the processor's opinion, infringe GDPR, the EU processor must immediately inform the controller and cannot simply comply.
C. Article 30(2) — Records of Processing Activities
Article 30(2) imposes an independent obligation on processors to maintain a record of all categories of processing activities carried out on behalf of a controller, including the name and contact details of each controller (and of the processor and any data protection officer), the categories of processing carried out for each controller, transfers to third countries and their safeguards, and, where possible, a general description of the technical and organisational security measures. The exemption in Article 30(5) for enterprises with fewer than 250 employees does not apply where the processing is more than occasional, which will rarely help a cloud or IT services provider.
D. Article 32 — Security of Processing
Article 32(1) requires the processor, as well as the controller, to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate, pseudonymisation and encryption, the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access to personal data in a timely manner after an incident, and a process for regularly testing and evaluating the effectiveness of those measures. These obligations attach to the EU processor for all personal data handled under the engagement, including U.S. personal data about U.S. individuals; the nationality of the data subjects does not narrow Article 32.
E. Article 33(2) — Processor Breach Notification
Article 33(2) requires the processor to notify the controller without undue delay after becoming aware of a personal data breach. The notification of the supervisory authority under Article 33(1) is a controller duty, and since the U.S. controller is not subject to GDPR, no GDPR-bound controller will perform it; whatever notification follows will be driven by U.S. federal and state breach-notification law applying to the controller. The DPA should therefore specify the notification timeline, the content of the processor's notice (at least the Article 33(3) elements), and which party notifies affected individuals and regulators under the laws that do apply.
F. The Legal Basis Gap — Articles 5 and 6
A structural gap emerges on lawfulness. Articles 5 and 6 place the duty to identify a legal basis on the controller, and here the controller is outside GDPR, so no GDPR-accountable entity ever establishes a legal basis for the processing. The EDPB's position in Guidelines 3/2018 is that an EU processor acting for a non-EU controller is required to comply only with the GDPR provisions directly applicable to processors, and is not expected to ensure compliance with controller obligations. That position reduces the processor's exposure but does not eliminate it: the processor still has no clear answer to a supervisory authority that asks on what basis it is processing, and the position is genuinely unsettled for high-risk processing and for special category data under Article 9.
G. Sub-Processor Obligations — Articles 28(2) and 28(4)
Under Article 28(2), the EU processor may engage another processor only with the controller's prior specific or general written authorisation; under Article 28(4), it must impose on any sub-processor the same data protection obligations as set out in its own DPA, and it remains fully liable to the controller for the sub-processor's performance. EDPB Opinion 22/2024 reinforces that the chain of sub-processor obligations must be complete and enforceable down to the last link, and that the processor must be able to identify every sub-processor in the chain.
V. Does Chapter V Govern the Data Flows? The Transfer Analysis
EDPB Guidelines 05/2021 identify three cumulative criteria for a transfer governed by Chapter V: (1) a controller or processor (the exporter) is subject to GDPR for the processing in question; (2) the exporter discloses by transmission or otherwise makes available personal data to another controller or processor (the importer); and (3) the importer is in a third country or is an international organisation, irrespective of whether the importer is itself subject to GDPR under Article 3. The exporter and importer must be different entities.
A. The Initial Transfer (U.S. Controller to EU Processor): Not a Restricted Transfer
The initial data flow from the U.S. controller to the EU processor is not a transfer under Chapter V. The U.S. controller is not subject to GDPR for this processing, so the first criterion fails, and the recipient is in any event inside the Union. No Article 44 restriction applies in this direction.
B. The Return and Ongoing Flows (EU Processor to U.S. Controller): A Restricted Transfer
When data flows from the EU processor back to the U.S. controller, all three criteria are met: the EU processor is subject to GDPR; it transmits or makes available personal data to the U.S. controller; and the controller is in a third country. The fact that the data originated in the United States and concerns only U.S. individuals does not change the analysis; Chapter V turns on the exporter's status, not the data's origin. A Chapter V tool must be in place before any such disclosure, and this covers every operational flow (remote access by the controller to data hosted in the EU, API responses, reports, backups), not only formal repatriation at the end of the engagement.
VI. Chapter V Mechanisms Available to the EU Processor
A. Adequacy Decision — Article 45 and the EU-U.S. Data Privacy Framework
If the U.S. controller is self-certified under the EU-U.S. Data Privacy Framework (DPF), the EU processor may rely on the Commission's adequacy decision of 10 July 2023 (Commission Implementing Decision (EU) 2023/1795) and transfer the data under Article 45 without executing SCCs or conducting a transfer impact assessment. The General Court dismissed the first challenge to the decision in September 2025 (Latombe v Commission, T-553/23), but further litigation remains possible. EU processors relying on the DPF should verify, on the Department of Commerce's Data Privacy Framework List, that the U.S. controller's certification is active and covers the relevant categories of data (HR data requires a separate election), and should include a contractual obligation to maintain certification and to notify the processor of any lapse.
B. Standard Contractual Clauses — Module 4: Processor to Controller
Where the U.S. controller is not DPF-certified, the EU processor should implement Module Four (transfer processor to controller) of the Standard Contractual Clauses in Commission Implementing Decision (EU) 2021/914. Module Four is specifically designed for the scenario in which an EU processor subject to GDPR transmits personal data to a non-EU controller whose processing of that data is not itself subject to GDPR. The EU processor acts as data exporter and the U.S. controller as data importer. Module Four is deliberately lighter than the controller-to-processor modules: several of its safeguard clauses, including Clause 14 (local laws and practices) and Clause 15 (public authority access), apply only where the EU processor combines the data received from the third-country controller with personal data it has collected itself in the EU.
C. Transfer Impact Assessment
The Schrems II judgment (Case C-311/18) and EDPB Recommendations 01/2020 require an exporter relying on Article 46 tools to assess whether the law and practice of the destination country undermine the safeguards in the tool, and to document supplementary measures where they do. In the scenario described here, the text of Module Four confines that assessment (Clause 14) to cases where the EU processor mixes EU-collected data with the data received from the U.S. controller; a processor that merely returns U.S.-origin data about U.S. individuals is not required by the Module Four clauses themselves to conduct a TIA. Where the processor does combine data sets, or chooses a different Article 46 tool, it must conduct and document a TIA that assesses U.S. surveillance authorities against the nature of the data transferred and records any supplementary measures applied.
VII. Supervisory Authority Jurisdiction and the Accountability Gap
The supervisory authority of the member state in which the EU processor is established is competent under Articles 55 and 56 and may exercise the full range of Article 58 powers against it, but it generally has no practical means of enforcing GDPR against the U.S. controller. In the event of a breach, complaint, or audit, the EU processor therefore faces scrutiny as the sole regulated entity. Several protective mechanisms are absent on the controller side: no Article 27 representative (that obligation attaches only to Article 3(2) controllers and processors), no Article 37 data protection officer, no Article 30(1) record of processing activities, and no Chapter III data subject rights enforceable against the controller.
Chapter III frames data subject rights as rights exercised against the controller, with the processor's role limited to assisting the controller under Article 28(3)(e). Whether U.S.-based individuals can nonetheless invoke those rights directly against the EU processor where no GDPR-bound controller exists remains genuinely unsettled in EDPB guidance and EU court jurisprudence.
VIII. Practical Recommendations
For the EU Processor
- Before commencing processing, insist on a fully Article 28(3)-compliant DPA as a commercial condition precedent.
- Determine and implement the Chapter V transfer tool before any return transfer, including remote access by the controller.
- Maintain the Article 30(2) record of processing activities, Article 32 security measures, and a documented breach notification protocol.
- Obtain prior written authorisation before engaging sub-processors and flow the full DPA obligations down to them.
- Monitor the U.S. controller's DPF certification status if that mechanism is relied upon.
For the U.S. Controller
- Conduct a thorough establishment and targeting audit before concluding that GDPR does not apply.
- Verify the geographic distribution of data subjects to confirm that no individuals whose data is processed are located in the EU at the time of the relevant activity.
- Cooperate with the EU processor's DPA request as a commercial matter.
- Consider DPF self-certification, which removes the Module Four SCC requirement on the EU processor's side and reduces compliance friction for both parties; weigh this against the fact that certification imposes the DPF Principles on the controller as binding, FTC-enforceable commitments.
IX. Key Statutory and Regulatory References
Legal Disclaimer. This page is provided for general informational and educational purposes only and does not constitute legal advice. No attorney-client relationship is created by accessing or reading this page. Organizations facing specific compliance questions should consult qualified privacy counsel.
