When the regulation does not apply
Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
Could this effectively be a workaround?
It could, only for non-EU members, but do you really want to start checking people's nationality now? And it would give an unfair advantage to non-EU members.
"Your company is service provider based outside the EU."
Couldn't we use a host provider outside of the EU?
The host is in the US.
"Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR."
You don't specifically target EU individuals, they just happen to be members among other populations as well.
I do not think it means that I go and provide service only to the EU. I think they meant it in the way I showed with the US bank. Here is another site that I had read many months ago:
https://gdpr.eu/companies-outside-of-europe/
The site offers services to EU citizens.
Agreeing to data processing - consent
The GDPR applies strict rules for processing data based on consent. The purpose of these rules is to ensure that the individual understands what he or she is consenting to. This means that consent should be freely given, specific, informed and unambiguous by way of a request presented in clear and plain language. Consent should be given by an affirmative act, such as checking a box online or signing a form.
When someone consents to the processing of their personal data, you can only process the data for the purposes for which consent was given. You must also give them the opportunity to withdraw their consent.
Does consent get around this issue? If so we're right back to where we were about voting.
Yeah, but they can revoke it. Which is why the rule requires a request from the doxxed person.
It can't be as binding as a TOS agreement for signing up for and using the website?
How do they end up revoking what they just agreed to..?
In the GDPR it says they must be able to do so, unless it's a special exception, those are explained in the other link I provided.
It is questionable if they can only revoke it for one piece of data, not for all, but if we assume they have to revoke all of it, then they must not use the forum, as that's the only way, they give consent by using the forum.
Maybe they can only request their doxes to be removed legally if they leave the forum. I am ok with that. We can have the vote for the people that chose to use the forum anyway. I may have to reread my TOS for this.
We ought to look further into what goes into revoking.
I can write in the TOS that any information that is not requested to be taken down is implied consent. I already have a part that says if they post it themselves it is not considered confidential.
This, however, means they can request it to be taken down.
I do not think it is a good idea to force people to leave to have their info removed, it can be abused.
TOS can't overwrite the law though, keep that in mind.