No company outside the EU will face fines and there's nothing the EU can do about it.
Also, the law is based on physical location (either companies or people in the EU at the time), not your nationality or citizenship, which would be unknown without access to the very data the law is trying to protect.
If you're a foreign company selling to EU citizens you can be subjected to EU fines because there's usually a trade deal that says so.
Yes, checking the nationality of all your customers isn't feasible, but I bet the waters get murky when requests, such as data access or deletion requests, come after the fact with proof of EU citizenship.
You may have to prove residence too in the requests, and that can include notarized documents (all acceptable under GDPR rules).
As for trade deals, the Safe Harbor agreement that would have allowed this was repealed before (and partly because of) GDPR. The only deal in place now is Privacy Shield which is completely voluntary and has no cross-border enforcement.
I recently moved to the EU, since the GDPR came into existence. Are Spotify and Google only subject to the GDPR for my data they collected since I moved here?
Technically the law only applies to data after you are physically in the EU, not before it, although most companies will store a user's data together, so it's likely that once you change your address it will be treated differently. Most companies have also applied GDPR data access rules globally instead of maintaining separate databases.
I'm not a lawyer, but I don't think this is how it works unless Indonesia has signed an agreement with the EU or the Netherlands regarding this. Otherwise, countries could just unilaterally declare laws for all their citizens abroad?
I also looked at the text in Article 3, "Territorial scope"[1], and that says it only applies to EU-based organisations and "data subjects who are in the Union". It seems to me that "in the Union" means "residing in", and not "citizen of"?
The third clause says it applies to "a place where Member State law applies by virtue of public international law", but I don't think this applies to Indonesia?
> The third clause says it applies to "a place where Member State law applies by virtue of public international law", but I don't think this applies to Indonesia?
IANAL, but I think that is primarily a reference to member state embassies, consulates, overseas military bases, ships flying a member state flag in international waters, aircraft registered in a member state, and spacecraft operated by a member state. So GDPR would apply to data kept in a member state embassy/consulate in Indonesia.
In practice, a lot of the work embassies/consulates do may fall into one of the exemptions from the GDPR – national security, etc. But embassies/consulates often also do other stuff, like host conferences, workshops, dinner parties, etc. GDPR may well apply to data collected for those purposes.
Now the question is if any random corner store in Indonesia is going to respect the EU decision...