3rd, A controller or processor not founded within the EU is going to be subject on the GDPR if it processes the private knowledge of information subjects while in the EU and that processing is connected with the “monitoring” while in the EU on the “habits” of information subjects as https://letusbookmark.com/story19181334/cyber-security-services-in-usa