GDPR outside of the EU

Even more broad: the user must be in the EU. It’s not a requirement to be a resident.

Article 3.2

This Regulation applies to the processing of personal data of data subjects who are in the Union

Well, that’s a bit unclear, but luckily Recital 14 clarifies it a bit:

The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.

But that could still be ambiguous so there is an additional guideline, which is very explicit, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) section 2.a

The wording of Article 3(2) refers to “personal data of data subjects who are in the Union”. The application of the targeting criterion is therefore not limited by the citizenship, residence or other type of legal status of the data subject whose personal data are being processed.
While the location of the data subject in the territory of the Union is a determining factor for the application of the targeting criterion as per Article 3(2), (…) that the data subject be located in the Union must be assessed at the moment when the relevant trigger activity takes place

So the US citizen who is in vacation in Paris is subject to the GDPR during their stay - as far as it concerns services which were initiated during their stay. Their existing USA cell phone contract is not suddenly subject to the GDPR.

1 Like

The U.S. T-mobile has service in Europe but I got a notification from them after two months that this is limited for short-term service only, not any more than 2 or 3 months in the euro-zone.

That does not sound GDPR related to me.


Well it may not be, I was just responding to your statement that a U.S. cell phone contract would not be subject to the gdpr for someone traveling to France or a different country in Europe.

That is a contradiction to earlier statements by others that any service offered in Europe is indeed subject to the gdpr.

However key of where service is initiated, if that is in Europe or not.

It could be T-Mobile and/or other u.s. carriers have specific contracts that are limited by the gdpr or other regulations that they can only offer service in Europe for a limited number of days.

Is helpful to have a local phone number with the country code where someone is traveling to avoid international calling.

Anyway I’m not asking anyone for legal advise never mind.

Emphasis mine, from the same document I linked before.

The EDPB considers however that, in relation to processing activities related to the offer of services, the provision is aimed at activities that intentionally, rather than inadvertently or incidentally, target individuals in the EU. Consequently, if the processing relates to a service that is only offered to individuals outside the EU but the service is not withdrawn when such individuals enter the EU, the related processing will not be subject to the GDPR. In this case the processing is not related to the intentional targeting of individuals in the EU but relates to the targeting of individuals outside the EU which will continue whether they remain outside the EU or whether they visit the Union

It’s not, and speculating won’t help a discussion.


They aren’t, but the UK government did implement their laws based on GDPR in a 2018 revision to the Data Protection Act:

The Data Protection Act

The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:

  • used fairly, lawfully and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

There is stronger legal protection for more sensitive information, such as:

  • race
  • ethnic background
  • political opinions
  • religious beliefs
  • trade union membership
  • genetics
  • biometrics (where used for identification)
  • health
  • sex life or orientation

There are separate safeguards for personal data relating to criminal convictions and offences.

Your rights

Under the Data Protection Act 2018, you have the right to find out what information the government and other organisations store about you. These include the right to:

  • be informed about how your data is being used
  • access personal data
  • have incorrect data updated
  • have data erased
  • stop or restrict the processing of your data
  • data portability (allowing you to get and reuse your data for different services)
  • object to how your data is processed in certain circumstances

You also have rights when an organisation is using your personal data for:

  • automated decision-making processes (without human involvement)
  • profiling, for example to predict your behaviour or interests


Remember that when the EU passed the GDPR, each member country had to distill the regulations down into their own local laws. Leaving the EU doesn’t eliminate those.


That is regulating EU based companies in the meaning they have to use same rules to everyone. Different thing than CDCK have to follow GDPR when an user from India will take a trip to Italy, but not when tht same users will take a tour to Scotland.

1 Like

Here is a summary guide for Iceland:


Law: Act 90/2018 on Privacy and Processing of Personal Data (‘the Act’) and the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’)

Regulator: Icelandic data protection authority (‘Persónuvernd’)

Summary: Iceland is a European Economic Area (‘EEA’) member, but is not an EU Member State. The GDPR applies in the EEA by virtue of Decision No. 154/2018 of the EEA Joint Committee, and was implemented in Iceland by the Act. The transitional provisions of the Act state that all rules and regulations which have been issued under the old Law 77/2000 on the Protection of Privacy as Regards the Processing of Personal Data will continue to be valid as long as they do not infringe the Act and the GDPR. Persónuvernd is an active regulator that has issued several guidelines on the GDPR and data processing in Iceland.

Article #19

That is probably true for things like museum pass ID cards:

Thanks for this comment, my intention wasn’t to ask for legal advice but rather what is the law as it is written.

May want to consult with lawyers about terms and conditions that is probably wise to do that. All I can do now is just declare terms to the relevant governments directly.

If I read what you wrote correctly sounds like legal advice isn’t specifically prohibited here at meta, however that is definitely a risk for both the person asking and anyone who answers with statements that could be considered legal advice.

As in, if I say to a judge or jury: Jakke from Finland told me this, but what he wrote turns out to not be entirely true, Jakke might be in trouble for that.

There are specific laws with courthouse clerk office staff that they are absolutely prohibited from giving out any legal advice at all to anyone.

By the way the main community network for my town is being run by an administrator in Finland last I heard, so this would need to be in compliance with Finnish laws.

They use an old e-mail newsletter system that sends out about ten e-mails every morning with things people can post with their website, but nothing is published on the website to the public only sent out in the mail.

There may be some problems with their system last I’ve tried to create an account with them there is no response. It is possible that they may have banned me but if so I was never notified about that.

Lastly just to mention the reason I asked about this was not for the sake of wanting to retain any kind of information from people who want their accounts deleted or anonymized as long as they haven’t broken any laws with a web domain that is registered to me. I don’t have any reason to do that unless they are harassing people or causing other problems that I would need to forward information to cops/prosecuting attorneys if that became necessary for some reason, that is just worst case scenario.

If you want to find out what GDPR really says, the best place to go is the source -

There are also many sites who offer you a general summary of the meaning of the law. They can be found using a standard web search engine.

My interpretation of the status of legal advice from any random person (on Discourse or elsewhere) is ‘caveat emptor’ (let the buyer beware). If you are running a system that contains EU sensitive personal information then only you (or your company) is responsible for complying with the law. If you get bad advice and follow it, it’s your neck on the chopping block if it proves to be wrong. As an example, imagine being stopped by the police for driving at 100mph in a 30mph limit. What do you imagine their response will be if you say ‘random person X told me I was ok to drive that fast on this road’. It’s your responsibility to be sure that any advice you’re given is correct. If you have a contract with random person X where they are supposed to give you legal advice on GDPR then even that’s not a defence. You would still have to have at least checked that the person was qualified to provide that advice.

Before I retired I was a Cybersecurity Manager. I spent too many long hours with our in-house legal counsel and GDPR coordinator discussing the vagaries of the law. That taught me enough to know that it can’t be summarised in a few words, nor can it really be properly considered by an outsider who doesn’t know your system or the exact data that’s included in it or who can access the data and for what reasons.


That is a good metaphor with public roadway laws, I agree that is correct that would be no defense the way you explained that.

Laws can be really boring and confusing. I’ve met and talked with a few lawyers some but never paid for legal advice. Advice is a fairly limited thing, even if it’s an official letter with a stamp. More important is for completing legal processes with the courts sometimes lawyers are necessary for that.

More dramatic example with cars would be if a car rental place was giving out inaccurate information to customers, as in telling them to drive on the wrong side of the road, that would be different.

Thanks for posting a link to their official site, I hadn’t been able to find that earlier with search. This is a surprise it is stated there that the site is operated by Proton AG in Switzerland, a non EU country.

You should see the advice given on meta more in the realms of:

“beware, there exist speed limits on most roads and the police is actively monitoring”
“generally, you should keep right”
“in most EU countries, drunk driving on a bike is prohibited as well”


Sorry for straying further off topic but I was discussing genealogy with a friend earlier in the week. He told me that one of his great-uncles was taken to court twice for being drunk in charge of a donkey. To get back on topic, hopefully his criminal record is being protected by GDPR :joy:


This seems like a good topic to try a small experiment of including an AI summary in a post within the topic (though manually in this case :slight_smile:):

The discussion started with post 1 from Wombat asking if GDPR only applies to users in the EU. post 2 from Jagster clarified that GDPR regulates services/sites that have EU users, regardless of location.

Wombat then asked some follow up questions in post 3, noting their understanding that GDPR requires allowing user account deletion. Jagster responded in post 4 that anonymization is enough under GDPR, not full deletion.

The discussion explored details around GDPR’s territorial scope in posts 10-25, with RGJ and Jagster clarifying that physical presence in the EU determines applicability, not citizenship.

Wombat asked if the UK’s exit from the EU impacts GDPR there in post 16. Stephen explained in post 26 that the UK did implement GDPR-based laws in their 2018 Data Protection Act revision.

Jagster pointed out in post 27 that companies have to apply the same rules to all users equally. The discussion wrapped up with RGJ and packman warning about relying on informal GDPR advice in posts 32-36.

Summarized with AI on 16 Sep

I think the post numbers are sightly off due to some post merges, and it didn’t include the donkey, but here it is. :slight_smile:

Probably also worth repeating the earlier note about getting legal advice:


Can anyone spot the mistake A.I. made in that summary? There is at least one mistake in that I can spot.

Am working on drafts for terms think this will work:

All information that is not posted publicly on the forum will be held as confidential by company administration, unless by court order to cooperate with a lawful court process. Accounts may be deleted or anonymized by request. By GDPR law no personal information may be retained if account deletion is requested, however administration does have the right to anonymize rather than fully delete accounts, which will maintain public comments as permanent record.

If your company needs to comply with GDPR for your Discourse system then you really do need to seek some expert legal advice. Having a ToS statement about erasure is a very small part of compliance.

You would also need to identify your data subjects, what personal information you hold about them, where the data comes from and where it goes to, how you process/use the personal data you hold and have formal procedures to describe how you comply with all the applicable aspects of the regulations.

There’s probably more but my brain has blocked a lot of the painful details out in the 4+ years since I was last involved in this stuff.


Will seek out some lawyers to help with this, thanks.

When I first setup new forum with discourse hosting this came with general legal terms of service documentation that seemed like a good place to start, so have been reading through/editing some of that.

Don’t have budget for hiring any lawyers now but would definitely be a good idea to have official legal documents reviewed by folks with law degrees. May do post in marketplace category here once I have some budget for that and for website development. This thread could be closed original question was answered awhile ago.