
Not all organisations will need to be compliant with GDPR. By that I mean, if your organisation only does marketing in, for example, the US and Canada, only accepts USD/CAD and there is no legitimate appearance that you do/want to do business in Europe, you are not required to be GDPR compliant, even if a European customer goes on your website and purchases a product/service.

If your website accepts Euros, has multiple European languages (e.g. Spanish, German, etc.), you do marketing in Europe, then we can conclude that you legitimately do business in Europe, and you are then required to be GDPR compliant. This is indicated in one of the GDPR articles (can't remember which one).

Edit: fix typos



These are all limitations/qualifications upon whether you qualify as providing goods/services.

Yet, that is only one of two reasons why you would be subject to GDPR, the other is "the monitoring of their behaviour as far as their behaviour takes place within the Union".

As far as I can tell, logging a European IP address together with URLs (i.e. an access log like every server has) would qualify you even if you aren't doing business there.


Is that interpretation or is there actually language to this effect in the regulations?


I found this (which is not official or legal advice but does quote the regulation): https://www.gdpreu.org/the-regulation/who-must-comply/


Not quite. GDPR applies to you, a US entity, if you do business with an EU citizen trading in dollars living in the US.


"[...] Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."

Quote from GDPR, page 5, recital 23 (http://www.privacy-regulation.eu/en/recital-23-GDPR.htm). I'm no lawyer, but that's the way I'm understanding it.


So what, English and French? Those are the two major languages of the Union, but they are also the two official languages of Canada. Seems like you can easily get hamstrung on a technicality.


Those are factors, not hard and fast rules. If you are a Canadian company and you provide services in English and French, that alone wouldn't indicate that you are targeting EU users. There would need to be other factors indicating your intent to target EU users.


GDPR may state that it applies. Good luck to the EU in enforcing it, though.



