undefined | Better HN

0 pointstzs5y ago0 comments

> Any EU citizen in our out of country has their PII protected by EU law, regardless of who processes that data.

That's a common misconception. GDPR applies to "data subjects who are in the Union". Whether or not the data subjects are EU citizens is irrelevant.

It also applies to all data processing of processors or controllers who are in the Union, regardless of where the processing takes place or whose data is being processed.

For processors or controllers not in the Union processing data of a subject in the Union it applies if (1) the processing is related to the offering of goods or services in the Union, or (2) the monitoring of behavior that takes place within the Union.

Some examples:

If I, a US citizen who has never set foot outside the US, has some interaction with a German company then GDPR applies. The German company is in the Union so it applies to all their data subjects regardless of citizenship or location.

If a French citizen comes to the US and some local US business gathers all kinds of personal information about them GDPR does not apply. The data subject is not in the Union and the processing is not being done by an entity in the Union, so no GDPR.

0 comments

1 comments · 1 top-level

e12e5y ago

And, if a US citizen travel to the EU/EEA, your existing, ripe-for-abuse, US customers are protected under the GDPR.

Not sure how likely a fine would be in that case, though.

j / k navigate · click thread line to collapse