
You might want to look into how to make your website GDPR compliant. I don’t think you can create a database over random EU citizens’ interests, mood and activities without permission. (Edited)


Would be an interesting exercise to determine what exposure gp has to GDPR here. There's no direct relationship to the user, just analysis of publicly accessible content.

Wonder how archive.org fares.


From what I understand, it doesn’t matter that it is publicly accessible content, you still need consent from each individual that is a GDPR data subject before you process their personal information. It also doesn’t seem to matter whether it’s a US company that doesn’t do business in Europe, although you have to wonder what teeth the law has under such circumstances. IANAL though.


I usually just let the GDPR people say as they will without debate. People seem to think GDPR makes a difference.. part of my website was to point out it doesn't. The fact is, I'm a small company, solely based outside EU jurisdiction, with anonymous accounts I monitor (and make public).

For reference, I’m based out of the U.S. and don’t officially conduct business in the EU. As it stands, I’m completely unbound by the laws. Even EU customers would have to conduct business with me via U.S. dollars on a U.S. hosted server. I.e. they and myself would be bound by U.S. law, as we’d be in U.S. jurisdiction.

That being said, I'm also not hosting "data from an EU citizen". I have no way of knowing where these anonymous users are posting from. If I applied this to people whose identities I can confirm, then sure. However, as it stands, I have no way of knowing who "jcims" or anyone else is.


https://gdpr.eu/companies-outside-of-europe/

Article 3.1 states that the GDPR applies to organizations that are based in the EU even if the data are being stored or used outside of the EU. Article 3.2 goes even further and applies the law to organizations that are not in the EU if two conditions are met: the organization offers goods or services to people in the EU, or the organization monitors their online behavior. (Article 3.3 refers to more unusual scenarios, such as in EU embassies.)

You definitely are covered by the GDPR - it's just a matter of how and when someone will take action against you.


Except (from same page)

The second exception is for organizations with fewer than 250 employees. Small and medium-sized enterprises (SMEs) are not totally exempt from the GDPR, but the regulation does free them from record-keeping obligations in most cases (see Article 30.5).



