3rd, a controller or processor not proven in the EU will probably be issue for the GDPR if it processes the private data of information topics within the EU and that processing is connected with the “checking” from the EU of the “conduct” of data subjects as their conduct requires https://socialmediaentry.com/story2989983/cyber-security-consulting-in-usa
