• 𝙲𝚑𝚊𝚒𝚛𝚖𝚊𝚗 𝙼𝚎𝚘𝚠
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        9 months ago

        GDPR applies regardless of any “business”. It applies to any entity processing personal data.

        Which is incredibly broad by the way. IP addresses and email addresses are personal data too. Same goes for “account data” in a broad sense. So Lemmy does collect personal data, and has to be compliant with the GDPR.

        Of course, for a fine there needs to be an investigation and the entity has to not comply with GDPR requests after a warning. And you’re absolutely right that devs can’t be sued for this, but the sysadmin running the instance can be. But that would only happen after GDPR noncompliance.