GDPR applies if (1) the Controller or a Processor is “established” in the EU, or if (2) the Subject is in the EU. Citizenship doesn't matter, and geoblocking is the legally correct solution. As an example: U.S. tourists on a trip to Paris are protected by the GDPR, but a Polish expat in California is not. (See Art. 3 GDPR https://gdpr-info.eu/art-3-gdpr/)
> US tourists on a trip to Paris are protected by the GDPR
That’s not entirely correct. They’d fall under GDPR if they do business with a company doing business in the EU (e.g. by buying something off of Amazon and sending it to their Paris hotel address). They would however not benefit from GDPR if they were to order something from Amazon but send it to their US address instead.
"If the Data Subject, moves out of the EU border [...], or goes on holiday then their personal data processed under these circumstances is not covered by the GDPR and they are no longer a Data Subject in the context of the GDPR, unless the organisation is “established” in the EU"
I'm sure that's what the policy makers originally wanted (protecting the rights of all EU citizens). That being said, it would be nigh-on-impossible to implement.
Websites would run into the same situation as banks: anytime you open an account at most banks in Europe and probably around the world, they specifically make sure that you're not American, because then they have to comply with American laws if they don't want to get blacklisted.
How is geoblocking a solution? How does it absolve the company of their compliance obligations? Does using a VPN mean that Data Subjects in the EU are not covered by GDPR?
Is geoblocking sufficient on its own to show that the Controller/Processor is not doing business in the EU? Even when the Controller/Processor still provides localization to EU languages?