GDPR is about data, not companies. It applies to all entities regardless of where they are established as long as they're doing business in the EU or processing data of EU citizens.
True, but GDPR does not automatically apply to global companies that just happen to get used by EU citizens. There are two separate conditions, either one is sufficient, but if neither are met then GDPR does not apply. The company must either offer services to EU citizens directly, or profile behavior of EU citizens, e.g. via direct advertising within Europe. See Recitals 23 and 24 https://gdpr.eu/Recital-23-Applicable-to-processors-not-esta...
