There is nothing in the GDPR about citizenship. GDPR applies to "data subjects who are in the Union" Art 3(2). So it is the physical location of the person that matters. As a US citizen, if you travel to an EU country on vacation then the GDPR applies to you while you are there.
GDPR also applies to EU based companies for all of their activities - so in addition to limiting US business in the EU, it limits EU businesses in the US.
If it is physical location, that is something you cannot possibly know for a user, due to VPNs. You might know that a person is logged in and registered with a US address, but you don't know if they are traveling (they might even VPN via the US because it is convenient for work).
So I guess you need to assume this applies for all visitors.
No, it covers companies and individuals operating within GDPR jurisdiction. A US company that trades in the EU is subject to the GDPR. This is no different from applying the UK Trades Descriptions Act to US companies that advertise in the UK.
k1w1|3 years ago
GDPR also applies to EU based companies for all of their activities - so in addition to limiting US business in the EU, it limits EU businesses in the US.
quickthrower2|3 years ago
So I guess you need to assume this applies for all visitors.
quickthrower2|3 years ago
denton-scratch|3 years ago
denton-scratch|3 years ago