Hacker News
by robinwarren 2939 days ago
Note, I think, you also need to be GDPR compliant for EU users when they are not in the EU. So I don't think IP blocking actually works for 100% of cases.

I would suggest not getting too hung up on this, it is showing you the worst outcome and assuming you have made a good effort to be compliant I should think things would be fine even then. No doubt you have Ts and Cs, that document is full of clauses put in place because of things like this, and any of them could probably result in a worse letter from a customer wanting to sue you over something. But I imagine also that hasn't happened to you yet either?

2 comments

> I think, you also need to be GDPR compliant for EU users when they are not in the EU.

What you think does not align with my understanding of the GDPR, what makes you say this?

Fair enough, I did read this somewhere but it is obviously wrong now I check it out. Thanks!

> Note, I think, you also need to be GDPR compliant for EU users when they are not in the EU.

No, location is what matters. Of course one could argue if IP is a reliable indicator of location, given VPNs, potentially faulty GeoIP databases, ...

Geoblocking EU users makes it fairly clear you don't intend to serve[0] them, at least in my opinion. If the only reason you could be in scope is offering your service in the Union, and you do your best to avoid that, you should probably be out of scope.

We'll see what the regulators think.

[0] From Recital 23: "[When deciding whether processing is in scope under Article 3(2)], it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union."

I'd agree with that. Someone somewhere is probably going to complain about an instance where it failed, but I honestly would be surprised if regulators made a big deal out of it.