by ascar 2948 days ago
The difference here is any (European) person on the internet that finds a website can put a significant burden on you. Even if it's not a business, but just a personal homepage, blog or small non-profit website of your favorite hometown sports club. Especially if they have an internal member area on their website.

Even worse in Germany, we have something called "Abmahnung" (https://de.wikipedia.org/wiki/Abmahnung). Every lawyer can send you a letter telling you to follow the law and request payment from you for the "service" of telling you that. This can be several hundred euros and you can then decide to go to court (and lose if they were right) or pay them. German law firms can pick up non-GDPR compliant websites using crawlers (e.g. just identifying pages without privacy policies accessible, is a simple one) and fine exactly the persons that are not targeted by the GDPR. It's absurd and it has nothing to do with these people doing any kind of damage.

It would be similar if you had to put your workspace policy and data proving your fulfillment of workspace regulations up on the internet, so any single lawyer can check them and send you a bill, if they find something wrong. This can't be the right way to go for private websites, small non-profits and even small businesses. It's just insane.

Edit in response to the comment below as I can't reply for whatever reason: Multiple legal help pages about the German law say that you can get an "Abmahnung" even without proving that there is a client that is a competitor. E.g. here https://www.datenschutz.org/datenschutzerklaerung-website/#d... "Since the beginning of 2016, not only competitors but also Verbraucherschutzverbände can send Abmahnungen for missing privacy policies. This means that this option cannot affect commercial websites alone." It's limited to Verbraucherschutzverbände (probably translatable as customer protection agencies), so the risk for a private page is close to zero based on this, but I'm not a lawyer, I don't know what exactly changed here through GDPR/DSGVO and you still basically have to consult a lawyer to be on the safe side.

1 comments

That's FUD.

The lawyer would need to show that there is (a) a client and that this client is (b) a competitor of the target.

For your personal page that's next to impossible.