The first question, and the one engineers most often get wrong by reasoning about server location.
GDPR follows the data subject, not your servers. Answer three tests.
Test 1 · establishment · Art. 3(1)
Is the data processed in the context of the activities of an EU/EEA establishment?
A branch, office, or even a single representative can count. Where the servers run is
irrelevant.
Test 2 · targeting · Art. 3(2)(a)
Do you offer goods or services to people who are in the EU?
Signals: EU languages, euro pricing, EU domains, shipping or marketing to the EU. Mere
accessibility of the site is not enough on its own.
Test 3 · monitoring · Art. 3(2)(b)
Do you monitor the behaviour of people who are in the EU?
Web analytics, ad profiling, device fingerprinting, cookies that track across sessions.
Verdict
Answer the three tests to see whether GDPR applies.
Not legal advice. This encodes the Art. 3 tests as a first-pass filter. Edge
cases (groups of companies, processors acting for in-scope controllers) need a real assessment.