3rd, a controller or processor not established while in the EU will be topic to your GDPR if it procedures the non-public data of data subjects inside the EU and that processing is connected with the “monitoring” from the EU of the “conduct” of information subjects as their habits usually https://cyber-security-consulting-in-usa.mystrikingly.com/blog/data-privacy-compliance-in-saudi-arabia