To your point: From the original post it was mentioned they created an entity in Germany (for the T-shirts).

This means they're exposed to GDPR not only indirectly by serving EU citizens but also directly by operating within the EU.