Originally Posted by
Nicc HK
Actually it does, and I have first hand experience of this. I will give you a scenario, GDPR cannot be enforced on an HK based company whose servers are in HK and which has no physical or other presence within the EU, simply because HK courts will not enforce EU laws on an extra-territorial basis.
Now CX has operations and presence in the EU which includes the processing of information relating to citizens of EU members which takes place within those EU members. As with Marriott, an EU member state can well act proportionatly.
Agree in part with what you say Nicc HK - if a company operating overseas does not expect or solicit interaction with EU residents then they do not need to comply with GDPR although they probably should because the principles that are mandated by GDPR are a good thing to do for any personal data. Some more background reading on this
here.
Whether the law could be invoked against a HK company with no presence in the EU is another question, but the GDPR regulations are extra-terrestrial and apply globally.
But in the context of CX and Marriott then it definitely does apply, and to that extent it doesn't matter where the data resides.