Originally Posted by
plunet
Agree in part with what you say Nicc HK - if a company operating overseas does not expect or solicit interaction with EU residents then they do not need to comply with GDPR although they probably should because the principles that are mandated by GDPR are a good thing to do for any personal data. Some more background reading on this
here.
Whether the law could be invoked against a HK company with no presence in the EU is another question, but the GDPR regulations are extra-terrestrial and apply globally.
But in the context of CX and Marriott then it definitely does apply, and to that extent it doesn't matter where the data resides.
Therein lies the problem to be applied on an extra-territorial (I like your assertion they can be applied across the universe) basis there must be assets which can be impacted within the EU. Which is the point I am trying to get across.
It does raise interesting questions as to whether an EU member state citizen was affected but was not inside the EU at the time the infringement occurred?
I do apologise I do contracts and IPRs for a living, so these issues are directly relevant to my work and I appreciate the comments people write here for their different perspectives.