
Boot (@Boot@lemmy.ml)

Assuming you’re an EU citizen, you could file a complaint with your regulator. For instance, the UK has the ICO (Information Commissioner's Office). They would, based on severity, risks and their own investigative priorities, make a decision on whether or not to actively pursue your complaint. Generally speaking, it would have to be a pretty big issue to warrant an investigation because of the sheer number of complaints and data breaches.

Assuming they have both their resources and priorities aligned on your complaint, they could

  • request information regarding the matters in your complaint (proof on way of working, how the matter should be settled, etc)
  • start a limited investigation (there could be something amiss but it doesn’t seem to warrant a full investigation)
  • start a full investigation with the aim to ascertain compliance with GDPR

The specifics can vary per member state and, generally speaking, are set out in the GDPR. If a company outside of the EU has been processing PII and does not comply materially with the GDPR, they can fine them. Furthermore, they can order a stop of any data transfer out of the EU to the company or its sub-processors to effectively stop all processing.

Basically, your complaint can lead to a company having the living daylights fined out of them, regardless of whether they themselves operate in the EU.
