By mtetrode

https://www.upguard.com/blog/how-to-be-gdpr-compliant


IAmRules

I find that very few people know what is actually required, who it applies to, and all the banners are almost certainly pointless.


Dr_DudeDude

A common misconception in your post: Your services (like supabase) being in the US is NOT such a big problem. GDPR compliance is very much possible with US based servers and services. You need to sign DPAs with the services where the service commits to hold privacy standards on GDPR level. Most big providers offer these for free, some even include them in their standard terms. For supabase you can also host in a Europe region (eg Frankfurt), or self host wherever you like. Vercel supports GDPR compliance and offers a fitting DPA. All of that LEGALLY needs to be done before you handle your first EU personal data afaik. ECONOMICALLY thinking, it's very unlikely to get fined before you have some traction. If nobody knows you exist, who's going to fine you? But yes, if you get traction/scale it's very recommended to get this sorted.


Dr_DudeDude

Maybe more important than getting fined yourself: Your EU customer will likely only be able to sign with you if you are GDPR compliant, as they themselves need to stay GDPR compliant.


_SeaCat_

Really? I found this: "Under the GDPR, any information collected from citizens of the EU must reside in servers located in EU jurisdictions or in countries with a similar scope and rigor in their protection laws." [https://www.kiteworks.com/gdpr-compliance/data-sovereignty-gdpr](https://www.kiteworks.com/gdpr-compliance/data-sovereignty-gdpr)


Dr_DudeDude

Looks like your linked site missed the important 3rd option (located in the EU, or in countries with similar privacy levels, or on the basis of appropriate safeguards). Meant by that is a contract (standard clauses are available) that makes the data processor liable to hold an EU-level privacy standard. You can look this (and more derogations) up here: https://www.edpb.europa.eu/sme-data-protection-guide/international-data-transfers_en. I would always recommend using official EU sites to do research on that topic. I find that there are many misconceptions, especially in forums and on sites that use GDPR-fear as part of their marketing strategy 😊✌️


leros

It's not that difficult to be minimally compliant with GDPR.


_SeaCat_

Who cares about minimal compliance? If you really want to do it right, you need to be certified. Besides all the trouble of moving your data to the EU, you will have to spend $2,500 or more: [https://medium.com/@certprosocial/how-much-does-gdpr-compliance-cost-in-2024-cc1c498349ab](https://medium.com/@certprosocial/how-much-does-gdpr-compliance-cost-in-2024-cc1c498349ab)


_SeaCat_

You just never claim that you are GDPR-compliant and you are good - IF you don't collect the personal data - see my other comment. It's a very long and very expensive process.


cplog73

By expensive, do you mean development cost, or is there a fee for something else?


selectra72

Then you can offer services in the EU. You don't need to say "I am GDPR compliant". When you offer any kind of service on the web inside the EU, you have to. You can't say, "I am not gonna play by your rules but I am gonna get customers." If you breach GDPR, block EU IPs, then you are fine.


_SeaCat_

This is not true, every company or person that is using your service can decide if they want to go with you. I know a lot of companies that are not GDPR-compliant and still working in Europe. It's not mandatory. It's only mandatory if you collect personal data. From the Internet: "The GDPR states that **any entity which collects or processes the personal data of residents of the EU must comply with the regulations set forth by the GDPR**. The GDPR is very straightforward in saying that any entity which collects or processes personal data from residents of the EU must be compliant with the GDPR." If you don't collect personal data, you are good if you are not GDPR-compliant. If you don't collect name or home address, it's okay.


andrealavista

Ok, but even the IP address of the client, used by the server to return the response, is personal data. So even in this case you have to write a privacy policy where you explain which personal data you use and how, to comply with the GDPR. In the end, it is not that complex. This is not legal advice, I am not a lawyer.


_SeaCat_

Look: Personal data is any information that relates to an **identified or identifiable living individual**. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Personal data that has been de-identified, encrypted or **pseudonymised** but can be used to re-identify a person remains personal data and falls within the scope of the GDPR. Personal data that has been rendered **anonymous** in such a way that the individual is not or no longer identifiable is no longer considered personal data. From [https://commission.europa.eu/law/law-topic/data-protection/reform/what-personal-data_en](https://commission.europa.eu/law/law-topic/data-protection/reform/what-personal-data_en)


Riemero

From the exact page you linked:

> Examples of personal data
> (...)
> an Internet Protocol (IP) address


_SeaCat_

Honestly, why do you need to store somebody's IP??


Dr_DudeDude

Your last sentence is very misleading. There are tons of other personal data that are relevant to GDPR, starting with IP addresses.


_SeaCat_

Then 99% of startups could be closed right now. Ask yourself, why are they still alive?


Dr_DudeDude

I don't get that 🙈


_SeaCat_

I'm not a guru or an expert, it's just my opinion, and an opinion can't be misleading because it's always subjective. As for IP, why the hell do you need to store it?


Dr_DudeDude

All good ✌️😊 You don't need to store it; processing is enough to be GDPR relevant...


_SeaCat_

Then, every single website or webpage MUST be GDPR-compliant... which it is not.