Extraterritoriality · GDPR Art. 3

GDPR may apply to your site even outside the EU — here's what yours exposes

Under Article 3(2), the GDPR can reach a website with no EU establishment that targets people in the EU. The Website GDPR Audit reads your site's observable web surface — starting with where your visitors' data is sent — and grounds each finding in a GDPR or ePrivacy provision and EDPB/CJEU guidance. Free diagnostic, detailed report on request.

Free diagnostic · International report $199 · One-time payment, no subscription.

Free · result in a few minutes · we send you the diagnostic

By launching the audit, you will receive your diagnostic by email plus our tips to improve it. One-click unsubscribe in every email · privacy policy.

The GDPR doesn't stop at the EU border

Article 3(2) extends the GDPR to organisations outside the EU when they offer goods or services to, or monitor the behaviour of, people in the EU. A US, UK or other non-EU site that targets or tracks EU visitors can therefore sit within scope; mere reachability from the EU is not enough on its own (Recital 23), which is why the targeting and tracking signals matter. Article 83 provides for fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. Most of the common exposures are visible from the browser, and that is exactly what this audit measures.

Five dimensions, transfers first

For each check the audit reports a status, the observed evidence, the regulatory reference (a GDPR or ePrivacy provision, with EDPB or CJEU guidance) and the concrete remediation. International transfers lead, because they are where a non-EU site most often exposes itself.

Dimension 1

Transfers out of the EU

US analytics, remote Google Fonts, Meta Pixel, US CDNs and widgets: each request sends at least the visitor's IP address and browser details to a server outside the EU, which makes it a Chapter V (Art. 44–49) transfer, scrutinised since Schrems II. The headline exposure for a non-EU site, and the most visible one.

Dimension 2

Cookies & consent

Banner present, "Reject all" on a par with "Accept", no non-exempt tracker set before consent, reasonable lifespan — the ePrivacy baseline for visitors in the EU.

Dimension 3

Privacy information & rights

Policy present, purposes and legal bases, a concrete way to exercise rights, the right to lodge a complaint with a supervisory authority.

Dimension 4

Mandatory public-facing notices

Identity of the controller and a contact point, and — where applicable — a representative in the EU under Article 27 for organisations established outside it.

Dimension 5

Observable security & forms

HTTPS everywhere, HSTS, Secure/HttpOnly cookies, consent boxes not pre-ticked, a privacy notice at the point of collection.

How it works

  1. You enter the URL of your site into the tool.
  2. The audit scans the observable surface (cookies, headers, DOM, third-party resources, forms).
  3. You get a weighted score, the critical issues and a per-dimension summary — for free.
  4. The detailed international report (each check sourced + remediation + a transfers deep dive) is available at $199.
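As an added example (not the audit's own scanner, whose internals this page does not show), here is how the observable checks listed under Dimensions 1 and 5 and in the steps above can be run offline over a constructed HTTP response: HSTS and cookie flags from the headers, third-party hosts (candidate transfers), mixed content and pre-ticked checkboxes from the DOM. The site URL, headers and HTML are constructed sample data, and the first-party test is a simplified host-suffix comparison rather than a public-suffix-list lookup.

```python
"""Added example (not the audit's own scanner): observable-surface checks of the
kind this page describes, run offline over a constructed HTTP response."""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlparse

# Constructed sample for a fictitious site: headers and HTML as a browser would see them.
SITE_URL = "https://www.example.com/"
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "_ga=GA1.2.123; Path=/; Max-Age=63072000"),
]
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="/static/app.js"></script>
<img src="http://cdn.example.com/logo.png" alt="">
</head><body><form action="/subscribe" method="post">
<input type="email" name="email">
<input type="checkbox" name="marketing_consent" checked> Send me offers
<input type="checkbox" name="terms"> I accept the terms
</form></body></html>"""

# Attribute carrying the fetched URL for each tag that triggers a request.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class SurfaceParser(HTMLParser):
    """Collects resource URLs and pre-ticked checkboxes from the DOM."""

    def __init__(self):
        super().__init__()
        self.resources = []   # (tag, url as written in the page)
        self.prechecked = []  # names of checkboxes that start checked

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # a boolean attribute such as `checked` maps to None
        if tag in URL_ATTRS and a.get(URL_ATTRS[tag]):
            self.resources.append((tag, a[URL_ATTRS[tag]]))
        if tag == "input" and (a.get("type") or "").lower() == "checkbox" and "checked" in a:
            self.prechecked.append(a.get("name") or a.get("id") or "<unnamed>")


def check_hsts(headers):
    """Dimension 5: is HSTS set, for how long, and does it cover subdomains?"""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            parts = [p.strip().lower() for p in value.split(";")]
            ages = [p[8:] for p in parts if p.startswith("max-age=")]
            max_age = int(ages[0]) if ages and ages[0].isdigit() else 0
            return {"present": True, "max_age": max_age, "subdomains": "includesubdomains" in parts}
    return {"present": False, "max_age": 0, "subdomains": False}


def check_cookies(headers):
    """Dimension 5: Secure, HttpOnly and SameSite on every cookie the server sets."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # one Set-Cookie header at a time; flags become True when present
        for cname, m in jar.items():
            findings.append({"name": cname, "secure": bool(m["secure"]), "httponly": bool(m["httponly"]),
                             "samesite": m["samesite"] or None, "max_age": m["max-age"] or None})
    return findings


def scan_dom(html, site_url):
    """Dimension 1: hosts that receive a request (candidate transfers);
    Dimension 5: resources still loaded over http, and pre-ticked checkboxes."""
    parser = SurfaceParser()
    parser.feed(html)
    site_host = urlparse(site_url).hostname or ""
    # Simplification: the site host minus a leading "www." is the first-party
    # domain; a real scan would use the public suffix list to get the eTLD+1.
    base = site_host[4:] if site_host.startswith("www.") else site_host
    third_party, insecure = [], []
    for tag, url in parser.resources:
        absolute = urljoin(site_url, url)
        parsed = urlparse(absolute)
        host = parsed.hostname or ""
        if parsed.scheme == "http":
            insecure.append(absolute)
        if host != base and not host.endswith("." + base):
            third_party.append((tag, absolute, host))
    return {"third_party": third_party, "insecure": insecure, "prechecked": parser.prechecked}


def audit(headers, html, site_url):
    """Roll the checks up into per-check statuses like the report's."""
    hsts, cookies, dom = check_hsts(headers), check_cookies(headers), scan_dom(html, site_url)
    return {
        "hsts": "OK" if hsts["present"] and hsts["max_age"] >= 31536000 else "FAIL",  # at least a year
        "cookies_missing_flags": [c["name"] for c in cookies if not (c["secure"] and c["httponly"])],
        "third_party_hosts": sorted({host for _, _, host in dom["third_party"]}),
        "mixed_content": dom["insecure"],
        "prechecked_boxes": dom["prechecked"],
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_HEADERS, SAMPLE_HTML, SITE_URL).items():
        print(f"{check}: {result}")
```

On the constructed sample this reports HSTS as OK, the `_ga` cookie as missing Secure/HttpOnly, `fonts.googleapis.com` and `www.googletagmanager.com` as third-party hosts, the `http://` logo as mixed content and `marketing_consent` as a pre-ticked box. Static parsing cannot see what scripts do at runtime, so the Dimension 2 check of which trackers fire before consent needs a real browser session with consent withheld, not this kind of parser.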

Observable only — and honest about it

This audit reads what a browser can see. It does not declare you compliant and it does not decide whether the GDPR applies to you — that depends on facts a scan cannot reach and is a matter for your competent supervisory authority or a lawyer. A scan never sees the back office (records of processing, processor contracts, standard contractual clauses, consent logs); those items are flagged "to be audited manually" and are never counted as resolved. Every finding is sourced to a GDPR/ePrivacy provision and EDPB/CJEU guidance, with a link you can open.

Based in France and processing your data in the EU? See the French CNIL-sourced audit (/rgpd) instead.

Pricing

Free diagnostic, detailed report on request

Run the diagnostic for free, no sign-up. The detailed report unlocks at the end, in a single payment — no subscription.

Free diagnostic

€0

No sign-up, in a few minutes.

  • Your compliance score out of 100
  • Your critical points
  • The summary by dimension (5 dimensions)
Start the free diagnostic →
Most complete

International report

$199

One-time payment, no subscription.

Everything in the free diagnostic, plus:

  • Each check: status + observed evidence
  • The GDPR / ePrivacy reference for every finding, with EDPB & CJEU sources
  • Concrete remediation, in quick-win order
  • The international-transfers (Art. 44–49) deep dive: who you send data to, and the legal gap
Get the international report — $199 →

The report unlocks at the end of the free diagnostic.

Frequently asked questions

Website GDPR Audit: your questions

Extraterritorial scope, cookie consent, transfers out of the EU, your supervisory authority — the essentials before you launch your audit.

Does GDPR apply to companies outside the EU?

Yes, it can. Under Article 3(2), the GDPR reaches an organisation with no EU establishment when it offers goods or services to people in the EU, or monitors their behaviour. So a US, UK or other non-EU site that targets EU visitors may fall within scope. This audit reads the observable signals; it does not rule on your specific case.

Do I need a cookie banner if I'm not in the EU?

If your site sets non-essential cookies or trackers in the browsers of people in the EU, the ePrivacy rules generally require prior consent — regardless of where your company is. The audit flags trackers dropped before consent. Whether a banner is legally required for you is a question for your competent supervisory authority or a lawyer.

Who enforces the GDPR — and which authority is mine?

Each EU/EEA country has its own supervisory authority, coordinated through the European Data Protection Board (EDPB). For cross-border processing by an organisation with an EU establishment, a lead authority is designated under the one-stop-shop mechanism (Article 56). An organisation with no EU establishment cannot rely on the one-stop-shop, even if it has appointed an Article 27 representative, so the authority of any member state where its visitors are affected may act. Your competent supervisory authority therefore depends on where you are established and whom you reach; the audit cites the EDPB and CJEU, not any single national regulator.

What does the international audit actually check?

Five observable dimensions: international data transfers out of the EU (the headline risk), cookies and consent, privacy information and individual rights, mandatory public-facing notices, and observable security (HTTPS, HSTS, forms). Each finding cites a GDPR or ePrivacy provision plus EDPB or CJEU guidance, with a link you can open.

What are international data transfers, and why do they matter most?

Sending personal data to a country outside the EU, via US analytics, remote fonts, ad pixels or CDNs, is a transfer under Chapter V (Articles 44–49). After the CJEU's Schrems II ruling these transfers need a valid transfer mechanism: an adequacy decision for the destination, or a safeguard such as standard contractual clauses backed by a transfer impact assessment and supplementary measures where the destination's law requires them. It is the most visible and most heavily scrutinised exposure for non-EU sites, so the audit leads with it.

Is the diagnostic free, and what does the report add?

The diagnostic — overall score, critical issues and a per-dimension summary — is free and needs no sign-up. The detailed international report ($199) adds each check with its observed evidence, the GDPR/ePrivacy reference and EDPB/CJEU source, the remediation in quick-win order, and a focused international-transfers deep dive.

Is this audit legal advice or a certification?

No. It is informational. It reads your website's observable web surface and grounds each finding in a GDPR/ePrivacy provision and EDPB or CJEU guidance. It is neither legal advice, nor a certification, nor a substitute for a lawyer or a data protection officer on structural questions a scan cannot see.