[cyphar]

> I mean an Iranian company using American products and expecting EU protection?! None of it makes any sense.

It should be noted that Slack has an office in Dublin so it very likely has an Irish subsidiary (just like Apple, Google, and half of the tech industry so they can avoid taxes) and thus is subject to EU requirements. The GDPR applies to them, and since they have an EU company they (I believe) need to obey GDPR requests from any source. [EDIT: This is incorrect.]

But I can understand why Slack would cancel their account, since violating export sanctions is a really easy way to end up in gaol.

[Crosseye_Jack]

Nope.

It covers data for EU/EEA citizens and residents data held by companies “doing business” with people in such areas. An off the top of my head example. An Australian citizen who has never been to the EU can not use the GRPR against Microsoft just because MS have a office in the EU.

Edit: My bad, I think the Australian would be under the Dublin office in the slack case. But the GDPR rules are focused on data of EEA/EU residents/citizens and not (always) data of people outside of the EEA/EU collected by companies within the EEA/EU.

[arjmandi]

My point is not a legal one, it's a moral point. If they've complied with the GDPR it means they even have processes and systems to give users their data but didn't have the decency to respect their customer and at least close their account in a much better way. The export law says you are banned to serve Iranian companies (!), Fine, but it definitely doesn't force you to f* your users in Iran!

[cyphar]

Ah okay, that makes more sense.