Third, A controller or processor not proven from the EU will likely be topic on the GDPR if it procedures the non-public information of information topics during the EU and that processing is connected with the “monitoring” inside the EU in the “actions” of data topics as their behavior usually https://fismacomplianceinusa.blogspot.com/