3rd, a controller or processor not founded inside the EU might be subject matter to the GDPR if it procedures the non-public info of knowledge topics from the EU and that processing is linked to the “monitoring” while in the EU with the “habits” of information subjects as their behavior https://ariabookmarks.com/story3243409/cybersecurity-consulting-services-in-saudi-arabia
