[Crosseye_Jack]

> Slightly unrelated but note that many "American companies" are explicitly headquartered in the EU for tax reasons, and by structuring themselves in this way they are explicitly putting themselves under EU jurisdiction.

None of this matters to the GDPR. The GDPR targets companies “doing business” with EEA/EU residents no matter where the company is actually located. Even if you are a solely US company, if you are accepting orders from EU/EEA residents you have to be able to process GRPR requests. Think of it as a cost of doing business in that area. If you don’t want to do that, the. You are free to no longer process any EU/EEA residents data (some websites, the LA Times is one example iirc just completely lock EU IP’s because of this).

When it gets “merky” is defining that “doing business”.

Sure accepting payments and offering a service is clearly covered. But what if you ad supported. Are you doing business because you are exchanging access to your site for ad impressions which you get paid for? Who is processing that data? You or if the ad network one of your business partners who you have offloaded a task too? (Which is why domes of people/companies/ad men were shouting that the end was nigh before it came into force.)

But yeah as I said to you in another comment. Even if they were allowed to do business in Iran, the GDPR wouldn’t come into play here as they are not in the EU.

If they had any team members in the EU, they could try that route.