It applies to companies who store data on EU citizens and have any legal basis requiring them to comply with EU law. (No country should be able to say its law applies globally to people or companies not under their jurisdiction. And even if you're a fan of GDPR, there are plenty of countries whose jurisdictions you wouldn't want to be under.)