3rd, a controller or processor not recognized from the EU will probably be topic to the GDPR if it processes the personal information of knowledge topics within the EU and that processing is connected with the “monitoring” within the EU from the “conduct” of data topics as their habits normally https://webapplicationsecuritytestingusa.blogspot.com/2024/08/aramco-cyber-security-certificate-in.html