
If they're not able to pay hundreds of euros per year to access the European market, they're not likely making much money off the European market... so what's the problem?



Barrier to entry for indies.


It doesn't apply if you're only occasionally processing personal data or not doing so on a large scale.

If you're regularly processing personal data of EU citizens on a large scale then you damn better be doing so securely and in compliance with EU law.


Article 27 doesn't apply if the processing satisfies all of these requirements:

• it's only occasional,

• it does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and

• it is unlikely to result in a risk to the rights and freedoms of natural persons.

Most businesses don't have to worry about the second of those.

How about a risk to the rights and freedoms of natural persons? Recital 75 talks about that:

> The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

That's pretty broad. Note that the overall structure is an "or" of six clauses, and most of those clauses are "or"s of several different kinds of data. Unless this is interpreted very narrowly, most businesses that sell to Europeans online, even if only occasionally, will fall under it, and so Article 27 will apply to them.


Dunno. I am bootstrapping as a single founder and the investment was basically:

- 2 days to change the app code so only data necessary for the actual use case of the app is processed and stored
- 1 day to formulate a GDPR privacy policy in my own words (what data is captured, how it is used, how it is stored, etc.)

Unless your business is somehow fundamentally at odds with GDPR (flashlight app to grab IDFAs and sell those) it doesn't really seem terrible. Especially so as it is in my own interest even without GDPR to minimize my risk surface in case I get hacked and user data is leaked.


It is quite likely that you're not fully compliant, especially with regard to Chapter 3.



