[coding_unit_1]

The guidelines are pretty clear on what processing is, what data it covers and who controllers are in those circumstances. The biggest flaw I see is people don't read them and assume any data in any context is bound by it and it becomes a stick to beat everything with when it's not required.

I'm afraid your example is a prime case of that - leaving a hat at school that happens to have your name on it clearly doesn't fall within the remit of data processing under GDPR, it's a strawman (straw boater?) argument

I also don't agree it's a bad thing to make no distinction on size of company, doing so would leave a grey area of when a thing becomes "big enough" to transition from outside to inside scope and therefore gaps in the enforcement.

If you want to build a hobby forum, you're free to do it without requiring my personal data. If you want to collect my data for analysis or marketing then I absolutely want you to abide by the rules and look after it even if you're a lone programmer in his basement.