snowplow / enrich

Snowplow Enrichment jobs and library
https://snowplowanalytics.com
Other
21 stars 38 forks

Placeholder for adding geo-based rules to the PII Enrichment strategy #449

Open alexanderdean opened 6 years ago

alexanderdean commented 6 years ago

Because that geo-based information is easily fetched from the geo-IP enrichment.

petervcook commented 6 years ago

Use case: apply anonymization or pseudonymization (or other GDPR features) only to users who are based in the EU.

I’m thinking something along the lines of if the visitor is in one of the 28 member states then apply certain rules.

knservis commented 6 years ago

IANAL but the way I understood the regulation, the protection is extended to the data subject even if only part of the tracked activity is in the EU. Article 3:


2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union

I am really not sure what happens to the scope in (b) when part of the activity is in the EU.

See also recitals 23 and 24:

(23) In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.

In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.

Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

(24) The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union.

In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

SakuraSound commented 6 years ago

Not sure if this is a good place to put this, but it would also be nice to do scrubbing/hashing of some of the elements of the Geo-IP enrichment using the PII enrichment (like dropping latitude/longitude, zip code, etc.)

joaolcorreia commented 6 years ago

Yes, please!