3rd, A controller or processor not recognized within the EU will probably be matter for the GDPR if it processes the personal data of information topics while in the EU and that processing is relevant to the “checking” within the EU of the “behavior” of data subjects as their habits https://brightbookmarks.com/story17835657/cyber-security-consulting-in-saudi-arabia