
> The only time I've seen it be a problem for people is when they are playing fast and loose with people's data.

For sites not in the EU, see Article 27.

If you are not in the EU, and you process personal data of people in the EU, and the processing is related to offering goods or services to those people (regardless of whether payment is required), Article 27 requires you to have a representative in the Union.

Note: do not mix this representative up with the Data Protection Officer, which may be required by Article 37. DPOs are generally only required for pretty big data processors, and if you are required to have a DPO there is no geographic limitation on where they can be.

Article 27 doesn't apply if the processing is only occasional and doesn't involve certain especially sensitive categories, but it is not at all clear what counts as more than occasional.

Note: common system logs, such as Apache logs, include personal data (IP addresses). Logging such data is probably not a violation of GDPR, but that doesn't make it no longer count as personal data. It still counts and so you still have to follow the rules for sites that process personal data.

It also won't apply if goods or services aren't being offered to people in the Union, but that too is unclear. Your site merely being accessible from the EU is not sufficient, but it is not clear what beyond that counts.

There is no need to be playing fast and loose with data to be totally unsure if Article 27 applies to you or not.
