Third, a controller or processor not founded in the EU will probably be matter for the GDPR if it processes the non-public knowledge of data topics while in the EU Which processing is connected to the “checking” within the EU with the “actions” of data topics as their behavior normally https://cybersecurityconsultinginsaudiarabia.blogspot.com/2024/08/aramco-cyber-security-certificate-in.html