Third, a controller or processor not set up from the EU is going to be topic to the GDPR if it procedures the private facts of data subjects within the EU and that processing is relevant to the “monitoring” in the EU on the “behavior” of information subjects as their https://medium.com/@cybersecurityservice/data-privacy-compliance-in-saudi-arabia-ed1d6e9bc078