It says it applies to the “...processing of personal data of data subjects who are in the Union…”.
If someone in the EU (say a visitor) asks to have their data removed that was collected while they were outside the EU, then the controller or processor is supposed to comply.
How is any business supposed to know if a user while they were in the USA of a service located in the USA will not later travel to the EU and make a data removal request while there? If the request comes from someone located in the EU then the regulations apply.
The practical result is you can’t just geo ban people from the EU and this is before we get to the problem of proxies.
You're leaving off the end of the sentence. Data collected about someone outside of the EU is not covered by GDPR even if they later enter the EU.
> where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union.
There is an “or” not an “and” between these two clauses. It applies if you offer any goods or service, OR monitor behaviour inside the EU.
It is interesting that the monitoring clause only applied if the subject is inside the EU when the monitoring is done, while the service or goods clause applies if the person is inside the EU with no requirement that the service or good was acquire or used within the EU. I can’t really think of any logical reason for this distinction. The “takes place within the Union” for one and not the other is strange.
No they don't. The first is limited to subjects in the EU while the second is limited to activity in EU. If the first clause was limited to activities that take place within the EU the clause would say this - actually there would be no need for two clauses as you would just have one clause that says sale, service and monitoring.
It clearly says offering goods and services to subjects in the Union. It only applies if they are in the Union when you are offering them goods or services. If you offer them goods or services outside of the Union and they later enter the Union, you didn't offer goods to someone in the Union, so GDPR doesn't apply.
If you offered them a service and they are in the EU then it is covered. There is no location exemption that this clause only applies when the service was offered when they are in the EU unlike the monitoring clause. Why do you think they broke this out into two separate clauses?
If you get a request from someone in the EU to remove their data you have to comply no matter where or when the data about them was acquired. The clause is quite clear on this point and it why it is written differently to the clause about monitoring.
If someone in the EU (say a visitor) asks to have their data removed that was collected while they were outside the EU, then the controller or processor is supposed to comply.
How is any business supposed to know if a user while they were in the USA of a service located in the USA will not later travel to the EU and make a data removal request while there? If the request comes from someone located in the EU then the regulations apply.
The practical result is you can’t just geo ban people from the EU and this is before we get to the problem of proxies.