3rd, a controller or processor not founded in the EU is going to be subject on the GDPR if it processes the private details of data subjects inside the EU Which processing is related to the “monitoring” while in the EU with the “habits” of data topics as their actions https://sociallweb.com/story3034880/cyber-security-services-in-saudi-arabia