3rd, a controller or processor not set up in the EU are going to be matter for the GDPR if it processes the personal info of information subjects in the EU and that processing is linked to the “monitoring” while in the EU with the “actions” of data subjects as https://singnalsocial.com/story2952804/cyber-security-consulting-in-saudi-arabia