GDPR outside of the EU

Here is now four (at least) different things going on.

Yes, if you have users from EU you as an afmin/owner must follow GDPR.

if you don’t have have EU-users, but you are using european companies for mail or hosting you don`t need to follow GDPR, but those companie must follow GDPR even you are not from/at EU.

No, GDPR is not forcing destroying posts and comments. Anonymizati9n is enough. And no, you don’t need to edit backups, but you may store backups only as long it is absolut necessary. So, don’t harvest your one or five years old backups and trying to claim it is ok :stuck_out_tongue_closed_eyes:

GDPR regulates personal data. What and how you can or cannot ask, store and use, for what and how long. CDCK can store my IP (it is still not sensitive personal data that can identify me) and they can even ask my name and country. But street address is regulated piece of information and asking me send copy of passport or driving licence is in most of cases real big no-no.

And I’m a little bit sorry to say this at loud, but american services, and with service I mean admins, are really big and greedy issue from european point of view. Spamming in the name of marketing and sales using solution that tries follow every action a person does is very american way. And how darn strongly americans are pro-independent and my-home-is-my-castle I’ve kept that allways very interesting.

Yes. Now I’m totally off topic, again. And no, by design Discourse is not build to break people’s virtual personal space. Discourse is actually more or less like Mastodon for example and is planned to work decently responsible way. And anonymization is one part of that (and automatic deletion after wanted timeframe if there is no logins; that is actually worth of praise, because B2B customers of CDCK needs that).

GDPR is matter of personal data that can be used to identify individuals. It has nothing to do with topics and comments per se.


Thanks for writing, that is some helpful info.

Some American companies certainly are big and greedy, but most of these were created by Europeans of course.

The Dutch East India trading company is the worst.

My site is mainly for people who don’t have street addresses, but those are required for building permits in both the U.S. and Canada.

Except for manufacturing houses that can be moved on trucks/ships, that is my plan to build those and then sell, once they are sold people can register them with a permanent address but that is optional.

Anyway back to the GDPR, it sounds like this notice I quoted from a different site with a forum might technically be a violation, however that would be a lawyer question they would need to pay for.

Last thing I’ll mention for that is it is specifically about questions that are written in to be read out loud and answered, some laws may be different with spoken as opposed to written words.

In the U.S. there is the Federal Trade Commission, this is the closest thing to the GDPR I know of in America. Similar intent to “Protect American Consumers,” as the GDPR is to protect people in Europe, however don’t believe they would offer help to people who aren’t E.U. citizens.

Trying to find where they have policy posted in regards to forums not sure where that is at. I believe there are requirements against personal information being in forum posts, especially if site administrators won’t delete those upon request.

The FBI department that would enforce that is this one:

  • GDPR applies to people who are in the EU. If you’re not physically within the EU then the GDPR does not apply to you.
  • FWIW Switzerland is not an EU country.

Thanks for your reply, I didn’t know Switzerland isn’t a member of the E.U.

The U.K. as well I believe is no longer a member?

The Brexit vote happened when I was a student at the university of amsterdam, they have a partnership with u.w. so I have a dutch student ID however that has expired.

Last question then is if one must be a citizen of an E.U. country to qualify.

No. But an user must live and have address in EU.

So, if your non-EU-member is saved lifelong vacation days to take a 2 weeks trip to Paris you don’t need to follow GDPR.

That means you can harvest and save what ever personal info, use opt-out spam-memberships and you don’t need consent for anything. And all of that in the meaning EU doesn’t care.

Actually… what are you afraid of GDPR? If you will handle data as you should and respecting users’ basic privacy, telling what are you storing and how long, keeping transparency and openess, you would follow GDPR. And then you don’t need to wonder who, where and why.

UK still has GDPR style regulation. So ad admins/companies we can’t opt-in or follow as we like. And AFAIK Switzerland follows GDPR-regulation, as does Norway for sure, even they aren’t in EU either.

1 Like

At that time you were protected by GDPR.

I’m not afraid of the gdpr, just wasn’t clear about what their policies are.

Keep in mind, legal advice on a forum is somewhat risky. As far as I know, none of the people who replied here are lawyers and nobody is offering stamped legal advice.

I recommend you consult with a lawyer to answer GDPR jurisdiction nuance.


Even more broad: the user must be in the EU. It’s not a requirement to be a resident.

Article 3.2

This Regulation applies to the processing of personal data of data subjects who are in the Union

Well, that’s a bit unclear, but luckily Recital 14 clarifies it a bit:

The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.

But that could still be ambiguous so there is an additional guideline, which is very explicit, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) section 2.a

The wording of Article 3(2) refers to “personal data of data subjects who are in the Union”. The application of the targeting criterion is therefore not limited by the citizenship, residence or other type of legal status of the data subject whose personal data are being processed.
While the location of the data subject in the territory of the Union is a determining factor for the application of the targeting criterion as per Article 3(2), (…) that the data subject be located in the Union must be assessed at the moment when the relevant trigger activity takes place

So the US citizen who is in vacation in Paris is subject to the GDPR during their stay - as far as it concerns services which were initiated during their stay. Their existing USA cell phone contract is not suddenly subject to the GDPR.

1 Like

The U.S. T-mobile has service in Europe but I got a notification from them after two months that this is limited for short-term service only, not any more than 2 or 3 months in the euro-zone.

That does not sound GDPR related to me.


Well it may not be, I was just responding to your statement that a U.S. cell phone contract would not be subject to the gdpr for someone traveling to France or a different country in Europe.

That is a contradiction to earlier statements by others that any service offered in Europe is indeed subject to the gdpr.

However key of where service is initiated, if that is in Europe or not.

It could be T-Mobile and/or other u.s. carriers have specific contracts that are limited by the gdpr or other regulations that they can only offer service in Europe for a limited number of days.

Is helpful to have a local phone number with the country code where someone is traveling to avoid international calling.

Anyway I’m not asking anyone for legal advise never mind.

Emphasis mine, from the same document I linked before.

The EDPB considers however that, in relation to processing activities related to the offer of services, the provision is aimed at activities that intentionally, rather than inadvertently or incidentally, target individuals in the EU. Consequently, if the processing relates to a service that is only offered to individuals outside the EU but the service is not withdrawn when such individuals enter the EU, the related processing will not be subject to the GDPR. In this case the processing is not related to the intentional targeting of individuals in the EU but relates to the targeting of individuals outside the EU which will continue whether they remain outside the EU or whether they visit the Union

It’s not, and speculating won’t help a discussion.


They aren’t, but the UK government did implement their laws based on GDPR in a 2018 revision to the Data Protection Act:

The Data Protection Act

The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:

  • used fairly, lawfully and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

There is stronger legal protection for more sensitive information, such as:

  • race
  • ethnic background
  • political opinions
  • religious beliefs
  • trade union membership
  • genetics
  • biometrics (where used for identification)
  • health
  • sex life or orientation

There are separate safeguards for personal data relating to criminal convictions and offences.

Your rights

Under the Data Protection Act 2018, you have the right to find out what information the government and other organisations store about you. These include the right to:

  • be informed about how your data is being used
  • access personal data
  • have incorrect data updated
  • have data erased
  • stop or restrict the processing of your data
  • data portability (allowing you to get and reuse your data for different services)
  • object to how your data is processed in certain circumstances

You also have rights when an organisation is using your personal data for:

  • automated decision-making processes (without human involvement)
  • profiling, for example to predict your behaviour or interests


Remember that when the EU passed the GDPR, each member country had to distill the regulations down into their own local laws. Leaving the EU doesn’t eliminate those.


That is regulating EU based companies in the meaning they have to use same rules to everyone. Different thing than CDCK have to follow GDPR when an user from India will take a trip to Italy, but not when tht same users will take a tour to Scotland.

1 Like

Here is a summary guide for Iceland:


Law: Act 90/2018 on Privacy and Processing of Personal Data (‘the Act’) and the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’)

Regulator: Icelandic data protection authority (‘Persónuvernd’)

Summary: Iceland is a European Economic Area (‘EEA’) member, but is not an EU Member State. The GDPR applies in the EEA by virtue of Decision No. 154/2018 of the EEA Joint Committee, and was implemented in Iceland by the Act. The transitional provisions of the Act state that all rules and regulations which have been issued under the old Law 77/2000 on the Protection of Privacy as Regards the Processing of Personal Data will continue to be valid as long as they do not infringe the Act and the GDPR. Persónuvernd is an active regulator that has issued several guidelines on the GDPR and data processing in Iceland.

Article #19

That is probably true for things like museum pass ID cards:

Thanks for this comment, my intention wasn’t to ask for legal advice but rather what is the law as it is written.

May want to consult with lawyers about terms and conditions that is probably wise to do that. All I can do now is just declare terms to the relevant governments directly.

If I read what you wrote correctly sounds like legal advice isn’t specifically prohibited here at meta, however that is definitely a risk for both the person asking and anyone who answers with statements that could be considered legal advice.

As in, if I say to a judge or jury: Jakke from Finland told me this, but what he wrote turns out to not be entirely true, Jakke might be in trouble for that.

There are specific laws with courthouse clerk office staff that they are absolutely prohibited from giving out any legal advice at all to anyone.