3rd, a controller or processor not established during the EU are going to be subject matter for the GDPR if it procedures the non-public data of data topics in the EU Which processing is related to the “checking” during the EU of your “actions” of information subjects as their habits https://cyber-security-consulting-in-usa.mystrikingly.com/blog/nathan-labs-advisory-premier-cyber-security-services-and-information