
> If an EU citizen accesses your website in America, that's still within GDPR scope.

No, that's not correct. You have to be clearly intending to (not just incidentally happening to) offer goods or services to an EU data subject.

> ship things to the EU

This wouldn't be enough to make the GDPR applicable. You'd have to be specifically targeting EU customers in some way, such as allowing users to pay in euros - not just incidentally selling some stuff to folks who live in the EU. Your other examples (such as having EU business assets) hold because they would make you an EU entity.



Targeting EU data subjects with goods and services is just one of two ways GDPR asserts extraterritorial jurisdiction.

The other is when you are processing personal data of EU data subjects that is related to "the monitoring of their behaviour as far as their behaviour takes place within the Union".

There's a recital that adds:

> In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

Unlike the recital that explains the goods and services case, which talks about it only applying if you envisage offering goods and services in the Union as opposed to your site merely being accessible from the Union, the monitoring case doesn't seem to have any requirement that you are intending to monitor EU data subjects.

That's pretty broad as written. From what the recital says it even applies if you are gathering data that could be used for profiling even if you are not actually currently profiling.

As noted in the article at gdpr.eu that a parallel commenter cited:

> If your organization uses web tools that allow you to track cookies or the IP addresses of people who visit your website from EU countries, then you fall under the scope of the GDPR. Practically speaking, it’s unclear how strictly this provision will be interpreted or how brazenly it will be enforced. Suppose you run a golf course in Manitoba focused exclusively on your local area, but sometimes people in France stumble across your site. Would you find yourself in the crosshairs of European regulators? It’s not likely. But technically you could be held accountable for tracking these data.


> That's pretty broad as written. From what the recital says it even applies if you are gathering data that could be used for profiling even if you are not actually currently profiling.

I'm not aware of legal cases that have specifically hinged on this issue, but Soriano v Forensic News LLC (from 2021) touched on this clause, and seemed to doubt that merely collecting information (e.g., using cookies) without further processing it with the intent to profile would make you subject to the GDPR.

I didn't specifically mention Article 3(2)(b) - the clause you're citing - because the post I was responding to didn't really mention profiling in any way. Still, it's good to note that the legal landscape on this particular point isn't totally clear as far as I'm aware.



