In theory, what Dale says. However, in practice:
Nope, and that's why the trader is in Timbuktu.
And I apologize profusely to the Malian people, I have every reason to think it is a fine country in which citizens obey international laws and honor claims, unlike certain other countries. In anglo/Five Eyes nations, Timbuktu tends to simply be used as a metaphor for "a country far, far away and different in its ways than us".
If Bob is regularly buying things in the USA or Timbuktu, then either Bob works for Aperture Science and is using portals, or more likely Bob is using mail order. And now, we get to the nut of it.
Most mail order sales are done by mail-order sellers who deal in volume. Those people choose their jurisdictions and venues carefully. And they have help.
Do European or British consumer rights legislations bind the American/Malian trader to protect Bob, as the GDPR would?
No! That's WHY they're in Timbuktu! (or, wherever they actually are; generally behind what I'll call the Red Curtain.) The point of being there is to be untouchable by civil action or government penalty due to that government's non-enrollment in international agreements, and outright obstruction of such actions.
Yes, they and their legal team have crunched the question of "what happens when a European or Briton sues us? What happens when an Anglo or EU government tries to action us?" Their companies are structured so they slough those off at minimal real loss. Ever notice how many sellers have a company name that looks like they rolled their face across a keyboard? That's a sockpuppet shell company, and they have thousands of them. If their other layers of defense fail, they simply fold that company and create another. Their government lets them do this, because they chose jurisdictions wisely.
A huge fraction of mail order sales are done on this basis, typically through web sites which purport to be "only a marketplace connecting buyers to sellers"... even though some of those marketplaces also provide warehousing and shipping services to the third party ("only a warehouse" and "only a drop-ship firm")... and even though they are known for selling their own products, and use the smallest text on the page to mention that this particular item is from a third party. Not mentioning any names.
This type of "be fully complicit in selling junk, while the seller of record hides behind the Red Curtain and uses arrays of shell companies to limit exposure" has become systemized in much of the mail order world.
Another scheme I've seen is to trick American consumers into being the seller of record; these people end up "holding the liability bag", and are typically not insured and not collectible in any practical way.
Of course you have lovely companies like Eaton, Midnight Solar, Harsco Rail, Roshel, ILSCO, etc. who will meet GDPR simply because it's the right thing to do, even if they don't have feet on the ground inside the EU or UK against which those governments might action. But nobody asks if they're subject to GDPR, do they?