3rd, A controller or processor not set up during the EU will be subject matter to the GDPR if it processes the personal knowledge of knowledge topics in the EU and that processing is associated with the “monitoring” inside the EU on the “behavior” of information topics as their actions https://webapplicationsecuritytestingusa.blogspot.com/2024/08/aramco-cyber-security-certificate-in.html