3rd, a controller or processor not proven inside the EU might be subject to the GDPR if it processes the private facts of information topics while in the EU and that processing is related to the “monitoring” in the EU from the “habits” of information subjects as their actions takes https://sociallytraffic.com/story2487579/cyber-security-services-in-usa
