GDPR applies in a material scope and a territorial scope. What does it exactly mean?
In regards to material scope, GDPR applies to any data processing which can identify the person, such as surname, first name, email, IP address, hair color, blood group, weight or age.
Automation of listings. Today, we submit to it whether it is automated or not. Very rare statistical elements must be removed.
Therefore, any information relating to an identified or identifiable natural person wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system falls into the material scope of the GDPR.
Regarding the territorial scope, GDPR applies everywhere for companies that process data from European citizens. Even if the site is not European, as soon as it sells to European citizens, it is submitted to the GDPR.
In the previous regulation under the GDPR, some foreign companies, mainly US entities, showed reluctance to apply EU data protection rules. Some had argued they could escape EU laws by storing the data in servers based outside the EU.
In concrete terms, it is no longer mandatory to show what you do with data. However, it will be compulsory to prove why you need those informations and in which context they are used. It could for example happen that activists demand full information. If such a demand is received by a company, they will have to reply within 30 days.