3rd, a controller or processor not established while in the EU will probably be subject on the GDPR if it processes the private details of data topics within the EU and that processing is connected with the “monitoring” in the EU of the “actions” of information topics as their actions https://dirstop.com/story19870972/cyber-security-consulting-in-usa