GDPR applies to any European citizen's data, anywhere in the world. It will apply to a US company too. The fines will be on worldwide revenue.
This is probably a bad example in this context though as the people being talked about on Kiwiforums are not "customers" of the Kiwifarms "company" so GDPR probably doesn't cover them.
GDPR doesn't mean you have to scrub someone from your database, it means you can only keep information if you have a legitimate need. I'm sure credit bureaus can come up with enough bureaucracy that there is a legitimate need.
This is probably a bad example in this context though as the people being talked about on Kiwiforums are not "customers" of the Kiwifarms "company" so GDPR probably doesn't cover them.
GDPR doesn't mean you have to scrub someone from your database, it means you can only keep information if you have a legitimate need. I'm sure credit bureaus can come up with enough bureaucracy that there is a legitimate need.