GDPR outside of the EU

That is regulating EU based companies in the meaning they have to use same rules to everyone. Different thing than CDCK have to follow GDPR when an user from India will take a trip to Italy, but not when tht same users will take a tour to Scotland.

1 Like

Here is a summary guide for Iceland:


Law: Act 90/2018 on Privacy and Processing of Personal Data (‘the Act’) and the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’)

Regulator: Icelandic data protection authority (‘Persónuvernd’)

Summary: Iceland is a European Economic Area (‘EEA’) member, but is not an EU Member State. The GDPR applies in the EEA by virtue of Decision No. 154/2018 of the EEA Joint Committee, and was implemented in Iceland by the Act. The transitional provisions of the Act state that all rules and regulations which have been issued under the old Law 77/2000 on the Protection of Privacy as Regards the Processing of Personal Data will continue to be valid as long as they do not infringe the Act and the GDPR. Persónuvernd is an active regulator that has issued several guidelines on the GDPR and data processing in Iceland.

Article #19

That is probably true for things like museum pass ID cards:

Thanks for this comment, my intention wasn’t to ask for legal advice but rather what is the law as it is written.

May want to consult with lawyers about terms and conditions that is probably wise to do that. All I can do now is just declare terms to the relevant governments directly.

If I read what you wrote correctly sounds like legal advice isn’t specifically prohibited here at meta, however that is definitely a risk for both the person asking and anyone who answers with statements that could be considered legal advice.

As in, if I say to a judge or jury: Jakke from Finland told me this, but what he wrote turns out to not be entirely true, Jakke might be in trouble for that.

There are specific laws with courthouse clerk office staff that they are absolutely prohibited from giving out any legal advice at all to anyone.

By the way the main community network for my town is being run by an administrator in Finland last I heard, so this would need to be in compliance with Finnish laws.

They use an old e-mail newsletter system that sends out about ten e-mails every morning with things people can post with their website, but nothing is published on the website to the public only sent out in the mail.

There may be some problems with their system last I’ve tried to create an account with them there is no response. It is possible that they may have banned me but if so I was never notified about that.

Lastly just to mention the reason I asked about this was not for the sake of wanting to retain any kind of information from people who want their accounts deleted or anonymized as long as they haven’t broken any laws with a web domain that is registered to me. I don’t have any reason to do that unless they are harassing people or causing other problems that I would need to forward information to cops/prosecuting attorneys if that became necessary for some reason, that is just worst case scenario.

If you want to find out what GDPR really says, the best place to go is the source -

There are also many sites who offer you a general summary of the meaning of the law. They can be found using a standard web search engine.

My interpretation of the status of legal advice from any random person (on Discourse or elsewhere) is ‘caveat emptor’ (let the buyer beware). If you are running a system that contains EU sensitive personal information then only you (or your company) is responsible for complying with the law. If you get bad advice and follow it, it’s your neck on the chopping block if it proves to be wrong. As an example, imagine being stopped by the police for driving at 100mph in a 30mph limit. What do you imagine their response will be if you say ‘random person X told me I was ok to drive that fast on this road’. It’s your responsibility to be sure that any advice you’re given is correct. If you have a contract with random person X where they are supposed to give you legal advice on GDPR then even that’s not a defence. You would still have to have at least checked that the person was qualified to provide that advice.

Before I retired I was a Cybersecurity Manager. I spent too many long hours with our in-house legal counsel and GDPR coordinator discussing the vagaries of the law. That taught me enough to know that it can’t be summarised in a few words, nor can it really be properly considered by an outsider who doesn’t know your system or the exact data that’s included in it or who can access the data and for what reasons.


That is a good metaphor with public roadway laws, I agree that is correct that would be no defense the way you explained that.

Laws can be really boring and confusing. I’ve met and talked with a few lawyers some but never paid for legal advice. Advice is a fairly limited thing, even if it’s an official letter with a stamp. More important is for completing legal processes with the courts sometimes lawyers are necessary for that.

More dramatic example with cars would be if a car rental place was giving out inaccurate information to customers, as in telling them to drive on the wrong side of the road, that would be different.

Thanks for posting a link to their official site, I hadn’t been able to find that earlier with search. This is a surprise it is stated there that the site is operated by Proton AG in Switzerland, a non EU country.

You should see the advice given on meta more in the realms of:

“beware, there exist speed limits on most roads and the police is actively monitoring”
“generally, you should keep right”
“in most EU countries, drunk driving on a bike is prohibited as well”


Sorry for straying further off topic but I was discussing genealogy with a friend earlier in the week. He told me that one of his great-uncles was taken to court twice for being drunk in charge of a donkey. To get back on topic, hopefully his criminal record is being protected by GDPR :joy:


This seems like a good topic to try a small experiment of including an AI summary in a post within the topic (though manually in this case :slight_smile:):

The discussion started with post 1 from Wombat asking if GDPR only applies to users in the EU. post 2 from Jagster clarified that GDPR regulates services/sites that have EU users, regardless of location.

Wombat then asked some follow up questions in post 3, noting their understanding that GDPR requires allowing user account deletion. Jagster responded in post 4 that anonymization is enough under GDPR, not full deletion.

The discussion explored details around GDPR’s territorial scope in posts 10-25, with RGJ and Jagster clarifying that physical presence in the EU determines applicability, not citizenship.

Wombat asked if the UK’s exit from the EU impacts GDPR there in post 16. Stephen explained in post 26 that the UK did implement GDPR-based laws in their 2018 Data Protection Act revision.

Jagster pointed out in post 27 that companies have to apply the same rules to all users equally. The discussion wrapped up with RGJ and packman warning about relying on informal GDPR advice in posts 32-36.

Summarized with AI on 16 Sep

I think the post numbers are sightly off due to some post merges, and it didn’t include the donkey, but here it is. :slight_smile:

Probably also worth repeating the earlier note about getting legal advice:


Can anyone spot the mistake A.I. made in that summary? There is at least one mistake in that I can spot.

Am working on drafts for terms think this will work:

All information that is not posted publicly on the forum will be held as confidential by company administration, unless by court order to cooperate with a lawful court process. Accounts may be deleted or anonymized by request. By GDPR law no personal information may be retained if account deletion is requested, however administration does have the right to anonymize rather than fully delete accounts, which will maintain public comments as permanent record.

If your company needs to comply with GDPR for your Discourse system then you really do need to seek some expert legal advice. Having a ToS statement about erasure is a very small part of compliance.

You would also need to identify your data subjects, what personal information you hold about them, where the data comes from and where it goes to, how you process/use the personal data you hold and have formal procedures to describe how you comply with all the applicable aspects of the regulations.

There’s probably more but my brain has blocked a lot of the painful details out in the 4+ years since I was last involved in this stuff.


Will seek out some lawyers to help with this, thanks.

When I first setup new forum with discourse hosting this came with general legal terms of service documentation that seemed like a good place to start, so have been reading through/editing some of that.

Don’t have budget for hiring any lawyers now but would definitely be a good idea to have official legal documents reviewed by folks with law degrees. May do post in marketplace category here once I have some budget for that and for website development. This thread could be closed original question was answered awhile ago.

This is what I believe is a mistake in the A.I. summary, my interpretation of what Jagster stated is that GDPR does indeed require user accounts must be fully deleted if that is requested by an account holder, however that is in question of not necessarily being entirely true.

It could be a mater of interpretation, to anonymize a forum account could be considered a form of account deletion.

Believe there are some laws about maintaining some records of accounts, as it would be a risk to enable full account self-deletion if accounts are being used for any kind of a nefarious purpose.

Anyway good talk thanks everyone.

This may be better as a different topic thread but is somewhat related to the GDPR:

For a situation in which an individual is being disruptive to a forum community and has been banned, but wants to create a new account.

Easy for them to set up a new e-mail address and get a new I.P. address, either by using a library computer, new internet provider, or masking their address with a vpn/tor network.

With discourse there would be no way to know that the new user account is created by a previously banned individual, unless it is obvious in the way they talk.

If a forum has a paywall, some personal information is collected with payment by a card or other means, usually the first and last legal name of an individual. That could be required just by forum policy even without a paywall.

So then if an administrator has evidence that this is the same person trying to create a new dummy account after they have been notified that they are permanently banned from a domain, charges could be filed in court for that, either for harassment or intent to sabotage communication systems.

GDPR may be relevant in what documentation can be maintained for accounts, it was mentioned that even asking for a government issued ID may be unlawful, let alone keeping records of that not just to verify someone’s identity.

The card payment processor stripe asked me not only for ID but also to take a selfie picture holding both my ID and a handwritten note with the day’s date, that was difficult. This was only when I didn’t have access to my account e-mail that is the only way to change e-mail for login without password with their security policy.

Anyway then lawyer question I can ask lawyers is about how to write formal legal notices those are important.

I think if you require government ID to be provided to create an account then you’re going to have a vanishingly small number of users. I know that would completely put me off attempting to join a forum - I’m not providing my ID to an unknown person/group of people. A more important question might be “How will you prove who you are to me so that I can be sure you’ll handle my ID securely if I did think of giving it to you?”

If you did convince me to provide ID then I’m pretty sure you’re in GDPR territory.

Disruptive users are unfortunately a fact of life. I’ve been lucky in only having to ban a handful of users in over 20 years of running a forum, but there’s no ‘standard’ for a disruptive user. There are three I remember…

  1. One got himself banned and accepted the ban by staying away. Years later he asked if he’d be allowed back in if he promised to behave. He was allowed to rejoin, but eventually got into an argument with someone that started to get disruptive. He deleted his own account without being banned or even asked to go.

  2. Another got himself banned, but sneaked back in with other details We discovered this years after he rejoined and he’d been a model forum citizen after rejoining.

  3. The third one I can think of wasn’t happy with being banned (most other users were!) and he rejoined with other details on multiple occasions. The problem with rejoining to be disruptive means that you soon put your head above the parapet which makes you an easy target for another ban. He got bored after rejoining about 5 or 6 times and has never been seen since. The thing about this type of user is that it doesn’t matter if it’s the same person…if someone breaks your policies in a way that requires a ban then you ban them whether it’s the same person or not.


Right, I don’t have plans to do that especially since it’s unlawful for some reason. Sorry that was a confusing last post I wrote talking about two different things.

This is a great story about your friend’s great uncle with the donkey! It is annoying how I have to show ID just to buy a Guinness.

Probably don’t need to be too concerned with the GDPR for now, while my forum is open to E.U. countries I don’t have any reason to ask legal names or anything else, unless someone lost access to their account and they were requesting I change the account e-mail from administrator side.

Governments are a lot different out here on the west coast, the new ones haven’t even been established for 200 years!

The native tribes have independent governments and court systems, hope to work with them for housing projects there are a lot of refugees who need shelter.

The regulations are completely different for companies as opposed to people, I can’t be anonymous at all anymore.

Stripe Terminal is still in beta in many E.U. countries:

This is a great difficult lawyer question!

Again I’m not asking anyone for an ID card, can’t think of a reason for that other than to make sure someone has a driver license before driving a truck.

Washington State business licenses can be verified by the public with their department of revenue website search (also by law business licenses have to be posted publicly at business locations):

On the topic of ID cards, Dutch student ID from the UVA is maintained as permanent property of the school and they pay postal fees for these to be returned by mail if they are found by or given to a postal service. (postzegel niet nodig)