The Anti-virus Times

Is there a way to determine that a user is an EU citizen?

In short, no. Well, you can ask, but users could lie. You could also use IP geo-targeting, but that isn’t always reliable: people can use a proxy server, a satellite communication channel, and so on. Unfortunately, you can’t determine a person's location with 100% certainty.

You can ignore a fine if your company is registered outside the EU. But the regulators forestalled that scenario: a company is required to have a designated representative to conduct business in the EU. Yes, you read that correctly. Apparently, this is the most aggressive change that the European Union could impose: companies are indeed obligated to have a legal representative in the EU. If your company already operates on EU territory, you have a designated representative. If not, you will have to acquire one. Some companies are already offering a paid service to help with that.

So if your company gets fined, your representative will be notified about it. Most probably, you cooperate with that company under some sort of an agreement, and they have someone representing them in your country. Under the agreement, you reimburse the representative in your country for all the fines collected through your company's representative in the EU. Thus, you can either wage court battles with your own representative in your country or pay the fines.

https://habr.com/post/359180/

Russian companies processing EU citizens' personal information as part of their online sales (e.g., railways, airlines, hotels, etc.) also become subject to the GDPR and must comply with the personal-data-processing regulations.

https://habr.com/company/digitalrightscenter/blog/344064/

Personal data may include any information that can potentially be used to determine a person's identity. Such information includes data relating to an identified or identifiable natural person (the “data subject”); an identifiable natural person is someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (article 4, clause 1). This is a broad definition and it clearly indicates that even an IP address can be regarded as personal data.

The regulations also establish special personal data categories. It is prohibited to reveal the following during the processing of personal data: a natural person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade union memberships. This data processing also includes the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, and data related to a natural person's sex life or sexual orientation (article 9).

Before you can use data provided by individuals, you must obtain their consent. That's not about showing good manners—that's the law.

So if you have a brilliant new idea about how you can use the data you've already gathered, you must first update your privacy policy and get users to give their consent once again.

After May 25, it became illegal to send emails prompting users to agree to receive a newsletter. Any addresses you've accumulated without user consent must be regarded as lost. Messages of this kind are treated as spam. You are not allowed to send such emails to natural persons.

The GDPR doesn't discriminate between a hobby and a business, and that seems right to me. It doesn't matter whether you regard your project as a hobby or not. As soon as you start collecting personal data belonging to EU natural persons, you will have to comply with the legislation.

I can post information about myself (or someone else) on an anonymous forum. So any information submitted by users potentially contains personal data.

Under the GDPR, fines can reach 20 million EURO or 4% of a company's annual income.