GDPR for yoga studios outside the EU — what changed in 2026

GDPR applies to any studio processing data of EU residents, no matter where the studio sits. Here is what UK, US, Canadian and Australian studios need to have in place in 2026.

One EU resident on your customer list is enough. The moment a German tourist books a class at your studio in Austin, or a Dutch student signs up for a course in London, GDPR applies to the data you hold on her. The studio is not in the EU. The obligation is.

This caught a lot of non-EU studios off guard in 2018. In 2026 it is harder to ignore. Schrems II is fully enforced, the EU AI Act is in force for high-risk systems, and the supervisory authorities have published clear guidance on what they expect from small businesses. Fines below the headline-grabbing 4% turnover ceiling are landing on studios with 200 members and a Mailchimp account.

This is a practical walkthrough for studios outside the EU that have even a handful of EU customers. It does not replace legal advice, but it covers what we see studios get wrong.

When GDPR applies to you

Article 3 of the GDPR has two extraterritorial triggers. You are in scope if you offer goods or services to people in the EU, or if you monitor their behaviour while they are in the EU. A studio in Toronto that runs a livestream course and accepts payment in euros from a customer in Lyon is offering services. A studio in Brooklyn with a booking site translated to German and a domain that ends in .de is offering services. Cookies that track returning visitors from EU IP addresses count as monitoring.

A walk-in tourist who pays cash and never signs up is not in scope. A walk-in tourist who gives you her email for a future class confirmation is.

The test is intent and connection, not geography. If you would be happy to take a booking from someone sitting in Berlin, you are processing EU data and GDPR applies.

What changed in 2025-2026

Schrems II is fully enforced

Sending personal data to the United States used to be straightforward under Privacy Shield. That framework was struck down in 2020. The replacement, the EU-US Data Privacy Framework, only covers companies that have self-certified. If your booking system, email provider or payment processor is US-based and not on that list, you need Standard Contractual Clauses plus a transfer impact assessment. The supervisory authorities now ask for the assessment by name during routine checks.

The EU AI Act may apply

If you use AI to optimise schedules, predict no-shows or auto-suggest classes based on member behaviour, the AI Act classifies that as limited-risk profiling. You need to disclose it. Mindbody's smart scheduling, Glofox's churn prediction and several newer tools fall into this category.

DPAs are no longer optional

Every vendor that touches member data needs a signed Data Processing Agreement. Payment processors, email providers, SMS gateways, calendar integrations. Stripe and Resend publish standard DPAs. Some smaller booking systems still do not. If you cannot get a DPA from a vendor, you cannot lawfully use them for EU data.
The obligations that catch studios out

Lawful basis for processing

You need a specific lawful basis for every purpose. Booking the class is contract. Sending the receipt is contract. Sending the newsletter is consent. Storing payment details for next time is consent. A single "I agree to the terms" tick box does not cover all four.

Right to export within 30 days

If a member emails and asks for everything you hold on her, you have 30 days to deliver it in a machine-readable format. JSON or CSV is fine. PDF is not. The export needs to include booking history, payment metadata, marketing consent log and any free-text notes the instructor added.
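The export described above, as an added example that is not Class Booking's code or anything from the article: the four data stores are constructed in-memory lists standing in for the booking system, payment processor, consent log and instructor notes, and the function names (`build_export`, `check_complete`, `to_json`, `to_csv`) are assumptions. The point it shows beyond the text is the completeness check: an export with an empty category is fine (the member may have no notes), but one with a missing category is refused rather than shipped as a partial file.

```python
"""Assemble a machine-readable data subject export for one studio member.

Added example, not Class Booking's code. The data stores below are constructed
sample data standing in for the studio's real vendors.
"""
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample stores. In a real studio each of these is a different vendor.
BOOKINGS = [
    {"member_id": "m-101", "class": "Vinyasa", "date": "2026-02-03", "status": "attended"},
    {"member_id": "m-102", "class": "Yin", "date": "2026-02-03", "status": "cancelled"},
    {"member_id": "m-101", "class": "Yin", "date": "2026-02-10", "status": "no-show"},
]
PAYMENTS = [  # metadata only: the studio's own stores hold no card numbers
    {"member_id": "m-101", "amount": 18.0, "currency": "EUR", "date": "2026-02-01",
     "processor_ref": "pi_constructed_1"},
]
CONSENT_LOG = [
    {"member_id": "m-101", "purpose": "newsletter", "granted": True,
     "recorded_at": "2026-01-15T10:22:00Z"},
    {"member_id": "m-101", "purpose": "store_payment_details", "granted": False,
     "recorded_at": "2026-01-15T10:22:30Z"},
]
INSTRUCTOR_NOTES = [
    {"member_id": "m-101", "instructor": "A.", "note": "Wrist injury, avoid full plank",
     "date": "2026-02-03"},
]

# The four categories the export must always contain (names are assumptions).
REQUIRED_CATEGORIES = ("bookings", "payments", "consent_log", "instructor_notes")


def _strip_member_id(rows):
    # The member already knows who she is; drop the join key, keep every other field.
    return [{k: v for k, v in row.items() if k != "member_id"} for row in rows]


def build_export(member_id, bookings=BOOKINGS, payments=PAYMENTS,
                 consent_log=CONSENT_LOG, notes=INSTRUCTOR_NOTES):
    """Gather every record held on member_id into one dict, one key per category."""
    sources = {
        "bookings": bookings,
        "payments": payments,
        "consent_log": consent_log,
        "instructor_notes": notes,
    }
    export = {
        "member_id": member_id,
        "generated_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    for category in REQUIRED_CATEGORIES:
        export[category] = _strip_member_id(
            [row for row in sources[category] if row["member_id"] == member_id]
        )
    return export


def check_complete(export):
    """Refuse an export that lacks any required category.

    An empty list is acceptable (no notes on this member); a missing key is not,
    because that usually means one data store was never queried.
    """
    missing = [c for c in REQUIRED_CATEGORIES if c not in export]
    if missing:
        raise ValueError(f"export incomplete, missing categories: {missing}")
    return True


def to_json(export):
    """Machine-readable JSON, keys sorted so two exports of the same data diff cleanly."""
    check_complete(export)
    return json.dumps(export, indent=2, sort_keys=True)


def to_csv(export):
    """Flatten to one CSV: category column, then the record as key=value pairs."""
    check_complete(export)
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["category", "record"])
    for category in REQUIRED_CATEGORIES:
        for row in export[category]:
            writer.writerow([category, "; ".join(f"{k}={v}" for k, v in row.items())])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_json(build_export("m-101")))
```

Run it and the JSON for member m-101 contains two bookings, one payment record, two consent entries and one instructor note; ask for a member with no records and you still get all four keys, each an empty list.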

Breach notification within 72 hours

If your booking database is compromised or your laptop with the member list is stolen, you have 72 hours to notify the relevant supervisory authority. For a non-EU studio, that is the authority in any EU country where affected members live. You also need a documented breach register, even for incidents you decide not to report.

A practical checklist

  • Map every place member data sits: booking system, email tool, payment processor, accounting software, instructor calendars, the spreadsheet on the front desk laptop.
  • Get a signed DPA from each of those vendors. File them.
  • Check where each vendor stores data. If any are US-based and not on the Data Privacy Framework list, draft Standard Contractual Clauses.
  • Rewrite your privacy notice in plain language. List the lawful basis per purpose.
  • Set up a process to handle export, deletion and access requests within 30 days.
  • Write a one-page breach response plan and put it somewhere the front desk can find it.
  • If you use any AI features for scheduling or behaviour prediction, add a disclosure.

How Class Booking handles this

Class Booking runs on EU infrastructure by default. Member data sits in Frankfurt, payments are processed by Stripe under their EU entity, and we sign a DPA on every plan including the free trial. The Schrems II transfer impact assessment is published and updated quarterly. Export and deletion endpoints are built into the admin panel: a member request becomes a two-click operation, not a 30-day project.

If you are running a studio in the UK, US, Canada or Australia and you have EU members on your list, you do not need to rebuild your stack. You need to know where the data sits and who has signed what.