by TomasEkeli 3058 days ago
It's not their money, it's whether you store or process personal data about individuals in the European Economic Area (slightly larger than the EU).

If you're running a Chinese site aimed at Chinese you're good.

If you're running an Indonesian site aimed at Germans you need to honour the GDPR.

3 comments

You don't need any personal data to conduct most of the business.

I work in a place that would be beyond heavily affected by GDPR and I find the legislation a good change as companies should not hoard data they don't need - just in case... or just to sell.

Wouldn't you need personal data to accept payments? Or maybe a broker (like Stripe) would store these and the end business just a reference to the payment.

You can get an external reference to payment providers. Depending on the business you might need KYC and anti-money-laundering procedures, and then it's harder.

However if you have some direct business and do accept payments - by all means make it secure and transparent to your customers.

In lawyers' terms: a payment apparently is just a contract. So you can store the data needed for the payment under that legal basis.

IANAL

Probably... not really? Maybe?

For starters, if you don't take payment and aren't in the EU, EU enforcement power is going to be extraordinarily limited. And even if you do require payment, if you don't have a physical nexus in the EU, it's unclear what exactly the EU can do?

I think the GDPR was basically aimed at some of the scummier adtech practices and businesses like Facebook, and for those, it will be very enforceable.

> And even if you do require payment, if you don't have a physical nexus in the EU, it's unclear what exactly the EU can do?

You need an EU VAT ID to accept payments from EU citizens. So they will revoke that and then you can't accept payments from the EU.

> You need an EU VAT ID to accept payments from EU citizens.

This was mentioned before: No, you don’t.

Millions of businesses around the world accept transactions from EU citizens every day without collecting any VAT or having any relationship with the EU.

Why are you storing and processing their data if not for profit?

Personal data in the GDPR has a very expansive definition, and definitely includes things like IP. Processing likewise has an expansive definition, including collection and recording. Lots of sites will be processing and storing this data for internal analytics.
> Lots of sites will be processing and storing this data for internal analytics.

Just because you can doesn't mean you should. And not asking that question has got us where we are today.

Did your customers consent to what is effectively someone following them round the store with a clipboard?

So just don't do internal analytics. Or, if you feel you must, ask consent first. Easy peasy.