Third, a controller or processor not established in the EU will probably be subject to the GDPR if it processes the personal data of data subjects within the EU, where that processing relates to the “monitoring” within the EU of the “behavior” of data subjects, as far as their behavior takes https://webapplicationsecuritytestingusa.blogspot.com/