(02-12-2020, 09:05 PM)Alley Wrote: I would highly recommend you read Article 2 of GDPR. It does not solely apply to legal entities. Discovery is not in any of the exclusion cases and certainly not 2.2c.
As far as I have been able to ascertain based on my own research into GDPR: Unless you are a legal person or entity selling goods and services to people in the EU ("engaged in economic activity"), and as long as you are only processing data that can be reasonably justified as required to run your service. Then your website falls under the exemption granted by personal or household activity, and the data you are collecting is considered to be within your "legitimate interest".
If we made Discovery pay to play or if we started tracking information about you to sell to third parties, then we'd be liable.
I am curious as to why the statement Laz quoted about making Discovery GDPR compliant was made in the first place though. I wasn't even around then, so I don't know the story behind it.
Edit: Even in the case of pay to play, applying GDPR would be a stretch due to legitimate interests.