That does not appear to be correct in general, although it is correct in special cases.
Here's Article 3, "Territorial Scope", from the regulations.
---- begin quote ----
(1) This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
(2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
---- end quote ----
In the following, I'm going to say "company" rather than "processor or controller", and am going to say "EU company" or "non-EU company" instead of all that verbiage about established in the Union.
From (1) we have that an EU company has to apply GDPR everywhere to everyone.
From (2) we have that a company, regardless of whether it is an EU company or a non-EU company, has to apply GDPR if it offers goods or services to people in the EU or monitors their behavior in the EU.
(3) is just telling us that non-EU companies may also fall under (1) if international law says so.
Putting this together, it seems that an EU citizen abroad is under GDPR as far as EU companies are concerned, but is NOT under it for non-EU companies unless they are abroad somewhere where (3) applies. They are under it for non-EU companies only when being offered goods or services in the EU or when being monitored in the EU, so only when they are not abroad.
While that may be technically true, the specifics of the law would make it impossible to follow unless companies assumed everyone who visited their site was an EU citizen.
For example, using Google Analytics in many cases in the EU will now require opt-in consent, even for anonymous visitors. But unless a user registers and says, "hey, I'm an EU citizen actually", you wouldn't know ahead of time. It makes much more sense to segment for EU IPs if you are a large company that relies on such stuff to make decisions.
> It makes much more sense to segment for EU IPs if you are a large company that relies on such stuff to make decisions.
That could be risky for EU users abroad or behind VPNs, no?
While I understand the 'plight' of companies who rely on data sucking in some way, this strikes me as a good reason to just assume everyone is from the EU and figure out how to make a profit despite that.
My unprofessional, based on nothing guess is that no one will be prosecuted for that kind of technicality, as there will be much bigger fish to fry of large companies totally flaunting major pieces of the law.
I don’t think that’s true with Google Analytics: the ToS there already prohibits you from storing personal data in it, so there are theoretically no GDPR implications if you’re doing it properly (e.g. /edit-account rather than /[username]/edit-account)
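The comment above points at the practical side of the Google Analytics ToS rule: the page path that gets reported must not carry a user identifier, so a route like `/[username]/edit-account` has to be collapsed to a generic form before it is sent. The following is an added example, not code from this thread or from Google: a small client-side sanitizer that rewrites the path reported to an analytics call so that usernames, e-mail addresses, UUIDs and numeric record ids become placeholders and known PII query parameters are dropped. The route layout (`/users/<name>/...`) and the list of sensitive query keys are assumptions for the illustration.

```javascript
// Added example (not from the thread): strip user identifiers from a page URL
// before it is reported to an analytics tool, so that only a generic route such
// as "/edit-account" or "/users/:username/edit-account" is recorded.

// Assumed route layout: a segment following one of these prefixes is a username.
const USER_SEGMENT_PREFIXES = new Set(["users", "u", "profile"]);
// Assumed list of query keys that carry personal data and must never be reported.
const PII_QUERY_KEYS = new Set(["email", "user", "username", "uid", "token"]);

const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const NUMERIC_ID_RE = /^\d+$/;

// Returns a path+query string safe to hand to an analytics page-view call.
// Accepts absolute URLs or site-relative paths; the fragment is always dropped.
function sanitizeAnalyticsPath(url) {
  // The base is only needed to parse relative paths; absolute URLs ignore it.
  const u = new URL(url, "https://example.invalid");
  const parts = u.pathname.split("/").filter(Boolean);
  const out = [];

  for (let i = 0; i < parts.length; i++) {
    const seg = decodeURIComponent(parts[i]);
    const afterUserPrefix = i > 0 && USER_SEGMENT_PREFIXES.has(parts[i - 1]);
    if (afterUserPrefix) out.push(":username");
    else if (EMAIL_RE.test(seg)) out.push(":email");
    else if (UUID_RE.test(seg)) out.push(":uuid");
    else if (NUMERIC_ID_RE.test(seg)) out.push(":id");
    else out.push(seg);
  }

  // Keep only query parameters that are not on the PII list.
  const kept = [];
  for (const [k, v] of u.searchParams) {
    if (!PII_QUERY_KEYS.has(k.toLowerCase())) {
      kept.push(`${k}=${encodeURIComponent(v)}`);
    }
  }

  return "/" + out.join("/") + (kept.length ? "?" + kept.join("&") : "");
}

// Wrap the analytics call so every page view goes through the sanitizer.
// `send` stands in for whatever reporting function the site uses (assumption).
function reportPageView(url, send) {
  const cleaned = sanitizeAnalyticsPath(url);
  send({ page_path: cleaned });
  return cleaned;
}

// Constructed sample inputs.
if (typeof require !== "undefined" && require.main === module) {
  for (const sample of [
    "/users/alice/edit-account",
    "https://shop.example/orders/12345?email=a%40b.com&page=2",
    "/invite/bob%40example.org#section",
  ]) {
    console.log(sample, "->", reportPageView(sample, () => {}));
  }
}
```

The sanitizer is deliberately allow-list shaped for query strings and pattern-based for path segments; a site with other identifier formats (slugs, order numbers with letters) would extend the patterns rather than rely on the defaults shown here.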
We've posted two conflicting answers to this question and I think that's indicative of how little the law is understood, only a few weeks from going into force.
Just because people on message boards are posting different things doesn't mean the law is unclear. GDPR Art 3 is relatively clear that it wouldn't apply just because an EU citizen is in the USA. Once that person is in the EU, then it applies.
Well I didn't necessarily say the law itself is unclear, just that the understanding of it as a whole seems to be unclear. Anecdotally, almost everyone I speak to at events seems to have different views on what they need to do. I'm in the EU.