3rd, a controller or processor not proven inside the EU will likely be subject matter to your GDPR if it processes the private information of knowledge subjects in the EU and that processing is connected to the “monitoring” during the EU on the “habits” of knowledge topics as their actions https://bookmarklogin.com/story17771043/cyber-security-services-in-usa
