Comment by solar-ice
3 years ago
At present, there is no legal basis for a company covered by the GDPR to send personal data to the US or a US-owned company. The US needs to repeal the CLOUD Act, and maybe one or two other things, in order to make this situation work again.
Is that for US- or Italian-based users? What if this is an Italian company running a global website with data from non-GDPR country users?
You can find the scope of the GDPR in Article 3 of the GDPR: https://gdpr-info.eu/art-3-gdpr/
Read these as individual clauses; the Regulation applies if any one of them is met. An Italian company serving customers anywhere in the world is covered by the first clause.
GDPR covers EU citizens. I don't think it says anything about non-EU citizens.
There is nothing in the GDPR about citizenship. GDPR applies to "data subjects who are in the Union" Art 3(2). So it is the physical location of the person that matters. As a US citizen, if you travel to an EU country on vacation then the GDPR applies to you while you are there.
GDPR also applies to EU-based companies for all of their activities - so in addition to limiting US business in the EU, it limits EU businesses in the US.
Which is nebulous: someone whose grandad was Italian living their whole life in the US might be a de facto EU citizen.
No, it covers companies and individuals operating within GDPR jurisdiction. A US company that trades in the EU is subject to the GDPR. This is no different from applying the UK Trades Descriptions Act to US companies that advertise in the UK.