The foundation

GDPR Compliance

GDPR follows your data wherever it goes. For a European company operating in the United States, that means the same obligations you carry at home travel with every record you move west — and the documentation has to hold up if a regulator ever asks.

What it covers

Compliance built for how you actually operate

GDPR compliance is less about a single document and more about a coherent picture: a lawful basis for each processing activity, records that describe what you do with personal data, agreements with the vendors who touch it, and a working process for responding to individuals' rights.

The building blocks

Lawful bases for processing; records of processing activities (ROPA); data-processing agreements (DPAs) with processors; data-subject access request (DSAR) handling; retention and minimisation; and, where required, data protection impact assessments. Privello builds these to fit your operation rather than handing over a generic template.

Why it matters across the Atlantic

When you relocate staff and stand up U.S. operations, HR and customer data starts flowing between jurisdictions. GDPR still governs that data — and the U.S. transfer needs its own lawful mechanism on top. The compliance foundation and the transfer mechanism work together.

What Privello handles

  • Mapping your processing and setting lawful bases
  • Drafting ROPA, DPAs, and the core policies
  • Building a workable DSAR and rights-request process
  • Aligning retention, minimisation, and security expectations
  • Connecting it to your transatlantic transfer mechanism

See how data lawfully crosses to the U.S.

Scope: Privello does not claim any privacy certification. Patrick Smith is licensed in the State of Texas, United States; where the law of an EU/EEA member state or another jurisdiction governs, Privello coordinates qualified local counsel and does not practice the law of that jurisdiction.

Common questions

Questions European companies ask

Does GDPR apply to us once we operate in the U.S.?

Yes. GDPR applies to processing carried out in the context of your EU/EEA establishment regardless of where the processing itself takes place, so moving operations or data to the U.S. does not switch it off. It adds a transfer obligation on top of the compliance you already owe.

Do we need a generic policy or something tailored?

Tailored. Off-the-shelf policies tend to describe processing you don't do and miss processing you do. The value is in documentation that matches your actual operation and survives scrutiny.

How does GDPR connect to our U.S. immigration plan?

Relocating staff moves HR data across the Atlantic on the same timeline as the visas. Privello plans the GDPR and immigration steps together so neither lags behind.

Begin

Talk through your move with Privello

Tell us what you're planning. We'll outline the realistic options — and how the immigration and data-protection steps line up — in a first conversation.