That _helps_, but I'm a British/EU citizen, living in Australia, who regularly VPNs through servers in Singapore, Tokyo, and the US.
I'm still protected by GDPR.
(Personally, I reckon that's quite an overreach by EU lawmakers, but that's what they've chosen to do, in response to equivalent or worse "overreach" by internet companies trading in personal information...)
That actually makes sense (not something that's expected to be true of laws...)
So by my reading of the advice linked there:
If an individual is in the EU, they're covered by GDPR - whether they're a citizen or not.
If a company is based in or does business in the EU, all its users are covered by the GDPR - whether they're in the EU or not, and whether they're an EU citizen or not.
That's much less over-reachy than I'd thought. The EU arguably does have the right to make laws about how you treat people within its borders - whether they're citizens or not. (A death threat against a Chinese person in Paris should be prosecutable under French law by French police/authorities). The EU definitely does have the right to make laws about how businesses in the EU or who have offices/presence in the EU treat people everywhere. (A London company discriminating against a homosexual Saudi citizen should be prosecutable under British law by British authorities, even if it's not illegal to so discriminate in Saudi Arabia).
I think it's even less reachy than that - if a foreign multinational has a subsidiary in the EU, I don't think the parent company is covered by the GDPR unless they directly deal with subjects in the EU. So they can compartmentalize the parts of the company that must deal with the GDPR, by redirecting every EU user to the EU subsidiary.