The #GDPR protects everyone inside the EU (regardless of citizenship) + also EU citizens who are outside of the EU.

So what happens when you have:

EU citizen outside the EU → Cloudflare (the closest server) → EU website

?

CF’s closest server would usually not be in the EU in this case. The GDPR generally bans personal data being stored outside the EU. As far as anyone knows this is data in transit not storage. But we really don’t know that. We don’t know what Cloudflare collects and stores.

In principle, European websites that use Cloudflare should have the proxy server restricted to EU locations and under EU regulation. Correct?