Consider a car rental company based in the U.S., whose cars can only be driven within the U.S., and whose servers and payment processing are located in the U.S. Why does this company have to respect the provisions of the GDPR, even though its business takes place entirely outside the European Union? *