Organisations operating outside the European Union, but employing EU citizens, must comply with the GDPR requirements. This means that the EU citizens can exercise their rights according to the GDPR, even if the company does not conduct any business within the EU.

Personal Data Breach Reporting Requirements Under the GDPR
What is Data Breach? A personal data breach is security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or