The GDPR does not allow or forbid scraping of personal data. That's processing of personal data just like other processing activities, and requires that the data controller has a suitable legal basis for this processing. It doesn't matter if the personal data was made public, though that might influence a balancing test if the legal basis is a legitimate interest.
In this scenario, the purpose of processing seems to be marketing. I doubt that there will be a suitable legal basis other than (informed, freely given) consent. While marketing can be a legitimate interest of a business, there are further rules in the EU for how that can be done. For example, practices like sending unsolicited emails to scraped addresses or cold calling are quite illegal.
However, it is not clear to me who the data controller is in this scenario. Clearly, your customer is a data controller since they determine the purposes of processing. But I'm not sure there is a meaningful difference between performing a processing activity and just preparing everything that is necessary other than the final step of actually executing the tool. Therefore, you might be a joint data controller as well, though I'm really not sure about this. If you are a data controller, it is extremely unlikely you'd be able to do this in a GDPR-compliant manner.
I should also note that by building this you are likely violating the Facebook terms of use: “You may not access or collect data from our Products using automated means (without our prior permission)”.