
Comment by minsc_and_boo

3 years ago

Is that for US- or Italian-based users? What if this is an Italian company running a global website with data from non-GDPR country users?

You can find the scope of the GDPR in Article 3 of the GDPR: https://gdpr-info.eu/art-3-gdpr/

Read these as individual clauses; the Regulation applies if any one of them is met. An Italian company serving customers anywhere in the world is covered by the first clause.

GDPR covers EU citizens. I don't think it says anything about non-EU citizens.

  • There is nothing in the GDPR about citizenship. GDPR applies to "data subjects who are in the Union" Art 3(2). So it is the physical location of the person that matters. As a US citizen, if you travel to an EU country on vacation then the GDPR applies to you while you are there.

    GDPR also applies to EU-based companies for all of their activities - so in addition to limiting US business in the EU, it limits EU businesses in the US.

    • If it is physical location, that is something you cannot possibly know for a user, due to VPNs. You might know that a person is logged in and registered with a US address, but you don't know if they are traveling (they might even VPN via the US because it is convenient for work).

      So I guess you need to assume this applies for all visitors.


  • No, it covers companies and individuals operating within GDPR jurisdiction. A US company that trades in the EU is subject to the GDPR. This is no different from applying the UK Trades Descriptions Act to US companies that advertise in the UK.