Third, a controller or processor not set up inside the EU is going to be topic to the GDPR if it procedures the non-public knowledge of data topics while in the EU and that processing is relevant to the “checking” during the EU of the “behavior” of data topics as https://moodjhomedia.com/story1925942/cyber-security-consulting-in-usa
