> 1. A Data Subject under GDPR is anyone within the borders of the EU at the time of processing of their personal data. However, they can also be anyone and anywhere in the context of EU-established Data Controllers and Data Processors.
It's not even resident, the bar is far lower. A US resident on holidays to Europe is covered.
How is this enforced? For Facebook, let's say, is all I have to do change my country from a non-European country to a European country, and I'm good? Because that is a fairly easy line to cross.
I've asked about this before in another thread but didn't get anything useful for me. How can I get the benefit of being an EU resident, with respect to GDPR, while not physically being in the EU? What I'm asking for may probably sound like a fraudulent thing, but I value my privacy a lot, and if there are any steps I can consider to make myself come under GDPR (without moving to the EU), I'd like to know.
Using a VPN to connect to a location in Europe might work, if the company uses the IP address to check whether a user is in the EU.
Of course, Facebook has other options (many users just tell them where they live, you can even fill out an address) so you could try claiming to live in the EU there, too.
Which is particularly interesting for me the next couple of election cycles, as I am a US citizen registered to vote back in the last place in the US I resided - and live in Germany, which was notable for its data protection laws even before GDPR.
I might have a moral obligation to use Facebook again.