According to WP: The GDPR also applies to data controllers and processors outside of the European Economic Area (EEA) if they are engaged in the “offering of goods or services” (regardless of whether a payment is required) to data subjects within the EEA, or are monitoring the behaviour of data subjects within the EEA (Article 3(2)). The regulation applies regardless of where the processing takes place.
So it’s not enough to prove that the IP used is not from the EU and that therefore it’s (supposedly) not under EU jurisdiction?
It covers EU citizens traveling abroad?
If so, dang that’s a good law
According to WP: The GDPR also applies to data controllers and processors outside of the European Economic Area (EEA) if they are engaged in the “offering of goods or services” (regardless of whether a payment is required) to data subjects within the EEA, or are monitoring the behaviour of data subjects within the EEA (Article 3(2)). The regulation applies regardless of where the processing takes place.
Source: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Applicability_outside_of_the_European_Union