This blog post from my colleagues summarises the latest EDPB guidance regarding the territorial scope of GDPR. 

Key updates for processors outside the EU (although I am not sure this really changes anything in practice) and some relief for those acting as a representative regarding previous fears they could be slapped with big fines on behalf of those they represent. You can read more here.