by cyphar 2739 days ago
> Slack is an American company, GDPR is an EU law and OP is Iranian. That’s not how this works... Sure companies that operate within the EU have created tools to export your data automatically (they still have contact points to request the same data if you don’t have an account or were banned so can’t use the automated tools) so they opened those tools up to everyone not just those within the EU. But that doesn’t mean you are covered by the EU law and can demand your data. Only thing I would suggest is to look up the GDPR email for Slack and manually request the data. Though I wouldn’t expect anything.

Slightly unrelated but note that many "American companies" are explicitly headquartered in the EU for tax reasons, and by structuring themselves in this way they are explicitly putting themselves under EU jurisdiction. Examples include Apple and Google (headquartered in Ireland) and Amazon (headquartered in Luxembourg).

A quick search found that Slack is actually headquartered in America. But if they are dealing with the EU market then they very likely need to have an EU subsidiary (and looking again they have a Dublin office and so are likely incorporated in Ireland). However, GDPR only applies to EU/EEA residents -- so you can't just send a GDPR request if you are not resident within EU/EEA.

3 comments

> Slightly unrelated but note that many "American companies" are explicitly headquartered in the EU for tax reasons, and by structuring themselves in this way they are explicitly putting themselves under EU jurisdiction.

None of this matters to the GDPR. The GDPR targets companies “doing business” with EEA/EU residents no matter where the company is actually located. Even if you are a solely US company, if you are accepting orders from EU/EEA residents you have to be able to process GDPR requests. Think of it as a cost of doing business in that area. If you don’t want to do that, then you are free to no longer process any EU/EEA residents’ data (some websites, the LA Times is one example iirc, just completely lock EU IPs because of this).

When it gets “murky” is defining that “doing business”.

Sure, accepting payments and offering a service is clearly covered. But what if you are ad supported? Are you doing business because you are exchanging access to your site for ad impressions which you get paid for? Who is processing that data? You or if the ad network one of your business partners who you have offloaded a task to? (Which is why domes of people/companies/ad men were shouting that the end was nigh before it came into force.)

But yeah as I said to you in another comment. Even if they were allowed to do business in Iran, the GDPR wouldn’t come into play here as they are not in the EU.

If they had any team members in the EU, they could try that route.

My point is not a legal one, it's a moral point. If they've complied with the GDPR it means they even have processes and systems to give users their data but didn't have the decency to respect their customer and at least close their account in a much better way. The export law says you are banned from serving Iranian companies (!), fine, but it definitely doesn't force you to f* your users in Iran!

Any EU citizen is protected by GDPR if the company is doing business in EU. Doesn't matter where the HQ is.

Any EU/EEA resident, but that wasn't my point.

One of the biggest things people bring up against the GDPR is "how will the EU punish companies outside of their jurisdiction". The answer is that most "American" companies actually use EU tax breaks and thus can most definitely be punished by the EU.

Also, the user was based in Iran. He doesn't have relevant rights under the GDPR.