Yes. Under Article 3(2), GDPR applies to any organization, wherever it is established, that offers goods or services to data subjects in the EU or monitors their behaviour within the EU (Article 3(1) separately covers any organization with an EU establishment, wherever the processing itself happens). A US SaaS company with EU users is therefore subject to GDPR even without an EU office, and must appoint an EU representative under Article 27 unless the processing is occasional, low-risk and does not involve special category data on a large scale. EU regulators have issued large fines to US-headquartered companies, including LinkedIn (€310M, 2024), Meta (€1.2B, 2023) and Amazon (€746M, 2021); in each case the decision was addressed to the company's EU subsidiary under the one-stop-shop mechanism, which is how enforcement against non-EU groups with an EU establishment typically proceeds.
GDPR has a two-tier fine structure under Article 83. Tier 1 (Art. 83(4)): up to €10M or 2% of total worldwide annual turnover for the preceding financial year, covering controller and processor obligations such as data protection by design, records of processing, security and breach notification (Arts. 25 to 39), plus certification and monitoring-body duties. Tier 2 (Art. 83(5)): up to €20M or 4% of worldwide annual turnover for violations of the processing principles (Art. 5), lawfulness and consent (Arts. 6, 7, 9), data subject rights (Arts. 12 to 22), international transfer rules (Arts. 44 to 49) and non-compliance with a supervisory authority order. In both tiers the higher of the absolute and percentage values is the cap. The largest fines to date include Meta €1.2B (2023, international transfers), Amazon €746M (2021), Instagram €405M (2022), TikTok €345M (2023) and LinkedIn €310M (2024).
Under Article 33, controllers must notify their supervisory authority (the Data Protection Authority) without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The clock starts at awareness, not at the moment of the incident, so a detection pipeline that surfaces a breach late does not buy extra time once someone in the organization reasonably knows of it. A notification sent after 72 hours must state the reasons for the delay, and the notification may be made in phases if all the required details (nature of the breach, categories and approximate numbers of data subjects and records, likely consequences, measures taken) are not yet known. Processors must notify the controller without undue delay (Art. 33(2)). Every breach, notified or not, must be documented internally (Art. 33(5)). If the breach is likely to result in a high risk to individuals, you must also communicate it to the affected data subjects without undue delay (Art. 34). Late or missing notification is a Tier 1 violation under Art. 83(4), separate from any penalty for the security failure that caused the breach, even if the breach itself was accidental.
Article 37 requires a Data Protection Officer (DPO) when: you are a public authority or body (other than courts acting in their judicial capacity); your core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale (for example behavioural advertising, location tracking or connected-device telemetry); or your core activities consist of large-scale processing of special category data (health, biometric, genetic, etc.) under Art. 9 or of criminal conviction and offence data under Art. 10. "Core activities" means processing that is integral to delivering your product or service, not ancillary processing such as payroll or internal IT support. The DPO may be an employee or an external contractor, and a single DPO can serve a group of undertakings. Even where not required, appointing a DPO is strongly recommended for any organization processing EU personal data at scale; if you appoint one voluntarily, the Articles 38 and 39 requirements on independence, resourcing and tasks apply in full.
Article 6(1) establishes six lawful bases: (a) consent; (b) necessity for a contract with the data subject; (c) compliance with a legal obligation; (d) protection of vital interests; (e) performance of a task in the public interest or exercise of official authority; (f) legitimate interests, which is not available to public authorities in the performance of their tasks and requires a documented balancing test against the data subject's interests. You must identify and document the lawful basis for each processing purpose before processing begins and state it in your privacy notice (Arts. 13 and 14); regulators' guidance is that you cannot swap to a different basis after the fact, in particular you cannot fall back on legitimate interests when consent is withdrawn or found to be invalid. Special category data (Art. 9) is prohibited from processing unless one of the Art. 9(2) exceptions applies, such as explicit consent, employment law, vital interests, data manifestly made public by the data subject, legal claims, substantial public interest, health care or public health, or research; an Art. 9(2) exception is needed in addition to an Art. 6 basis, not instead of one.