• Gary Varga (10/28/2015)


    You are not allowed to use production data if the data resides within the EU. There are exceptions to this but they are very limited in scope.

    Obfuscated or generated data tends to be employed.

    It doesn't matter where the data resides. If you collect personally identifiable data in the EU (for example if it is typed onto screens on laptops, pads, or desktops in the EU, even if the website collecting the data is elsewhere) that data is covered. If the data resides somewhere where it isn't protected, you are breaking the law if you collect it in the EU.

    There are two fundamental exceptions. The first is that data can be used if it is not possible to identify the person it refers to using that data together with any other data for which it can't be stated with reasonable certainty that it won't come into the possession of the person who has access to the protected data. The second is that the person who is the subject of the data has given his informed consent to the data being made available to the particular person who gets it - and "informed consent" is definitely NOT provided by explaining things somewhere buried in contractual small print, and NOT by saying "the rules are on our website and we may change them and the only way you'll find out is by going and looking for them" (both those attempts at bypassing the law have been blown out of the water by the courts).

    It makes things difficult sometimes: if a system crashes and someone has to study core dumps and/or traces and logs to discover and fix the problem, that person has access to the data, so had better be covered by the rules - the data subject must have given his informed consent for the data to be made available under those circumstances. When I was responsible for ensuring conformance with this legislation at Neos, I used to worry a lot about the situation with our European customers.

    There are some exceptions also for use for national security purposes and for the prevention or detection of serious crime and the way European national governments have interpreted the EU level exceptions varies widely from country to country. In the UK and some other countries those exceptions are far from limited in scope; in some other countries they are rather narrower. But even in the UK, the standard of protection of personally identifiable data is far higher than in the USA.

    Tom